Silent Push threat analysts have uncovered dozens of new domains linked to Salt Typhoon and UNC4841, two China-backed Advanced Persistent Threat (APT) groups infamous for stealthy cyber espionage campaigns. According to Silent Push, the findings point to years of activity targeting global telecoms, internet service providers, and critical infrastructure, raising urgent alarms for defenders worldwide.
Salt Typhoon, also known as GhostEmperor, FamousSparrow, and Earth Estries, has been active since at least 2019. The group previously gained unauthorized access to telecom infrastructure in the U.S. and over 80 countries, compromising metadata of more than a million mobile users and even breaching court-authorized wiretapping systems.
Silent Push now confirms the discovery of 45 previously unreported domains, some dating back to 2020, which were likely used for long-term persistence and command-and-control operations. Many were tied to fake registrant identities with fabricated U.S. addresses, a tactic often used by nation-state actors to mask activity.
The findings also strengthen links between Salt Typhoon and UNC4841, another PRC-backed group known for exploiting a Barracuda email security zero-day in 2023. Both actors share overlapping technical infrastructure and targeting strategies, particularly against government entities, telecoms, and corporate networks.
The global impact
The report underscores the scale and persistence of Chinese espionage operations against critical infrastructure. For organizations, this translates into risks ranging from data theft and surveillance to service disruption. The Middle East and Africa, rapidly expanding in telecom and cloud adoption, are increasingly attractive targets, making vigilance essential for both government and private operators.
“These groups are focused on stealthy, long-term access, not smash-and-grab attacks. If you’re running telecom, ISP, or government infrastructure, you need to check historical logs and DNS telemetry—years back, not just months,” Silent Push analysts warned.
What defenders should do
Silent Push urges organizations to cross-check their DNS logs and telemetry against the uncovered domains and IPs. Security teams should treat any matches as indicators of compromise and respond accordingly.
Here are 10 recommended actions for defenders:
- Search DNS logs for historic connections to the newly identified Salt Typhoon and UNC4841 domains.
- Review SOA and WHOIS records within your organization’s threat intelligence feeds.
- Audit the past five years of DNS queries; these actors operate with long-term persistence.
- Check firewall and proxy logs for outbound traffic to suspicious IP addresses.
- Deploy DNS sinkholes where possible to block known malicious domains.
- Patch exposed servers immediately, prioritizing email gateways, telecom equipment, and VPN appliances.
- Leverage Indicators of Future Attack™ feeds or equivalent threat intel to anticipate pre-weaponized infrastructure.
- Strengthen monitoring of anomalous outbound traffic, particularly from high-value systems.
- Invest in staff awareness and training to spot subtle persistence techniques.
- Collaborate with peers and national CERTs to share intelligence and strengthen collective defense.
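One way to carry out the log cross-check the list describes, as an added example that is not code from the Silent Push report or from this article: a small Python scanner that normalizes DNS query names, matches them (and their subdomains) against an indicator list, checks proxy destinations against indicator networks, and reports the earliest hit per internal host so that a match from years ago is not buried under recent noise. The domains and networks below are placeholders (RFC 2606 .invalid names and RFC 5737 documentation ranges) because the report's actual indicators are not reproduced on the page; the BIND-style and proxy log layouts, the sample lines, and all function names are assumptions made for the example.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed placeholder indicators. The real Salt Typhoon / UNC4841 domains and
# IPs from the Silent Push report are not on this page; load the actual feed into
# these two collections before running against production telemetry.
IOC_DOMAINS = {
    "placeholder-c2-one.invalid",
    "placeholder-c2-two.invalid",
}
IOC_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),      # TEST-NET-1, constructed
    ipaddress.ip_network("198.51.100.44/32"),  # TEST-NET-2, constructed
]

# Constructed sample lines: "<timestamp> <client> <qname> <qtype>" for DNS and
# "<timestamp> <client> <method> <dest-ip:port>" for an outbound proxy.
SAMPLE_DNS_LOG = """\
2021-03-14T02:11:09Z 10.0.4.17 www.example.com A
2021-03-14T02:11:10Z 10.0.4.17 update.placeholder-c2-one.invalid. A
2023-07-02T23:58:41Z 10.0.9.3 PLACEHOLDER-C2-TWO.invalid TXT
2024-01-20T09:00:00Z 10.0.9.3 mail.example.org MX
"""
SAMPLE_PROXY_LOG = """\
2022-11-05T17:45:12Z 10.0.4.17 CONNECT 192.0.2.77:443
2022-11-05T17:46:30Z 10.0.2.8 GET 203.0.113.5:80
2023-07-02T23:59:01Z 10.0.9.3 CONNECT 198.51.100.44:443
"""


def normalize_domain(name: str) -> str:
    """Lowercase and drop the trailing dot so 'Foo.EXAMPLE.' and 'foo.example' compare equal."""
    return name.strip().lower().rstrip(".")


def match_domain(qname: str) -> Optional[str]:
    """Return the indicator that qname equals or is a subdomain of, else None.

    The explicit "." prefix prevents 'notplaceholder-c2-one.invalid' from matching.
    """
    name = normalize_domain(qname)
    for ioc in IOC_DOMAINS:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def match_ip(ip_str: str) -> Optional[str]:
    """Return the indicator network containing ip_str; non-IP input (hostnames) yields None."""
    try:
        addr = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    for net in IOC_NETWORKS:
        if addr in net:
            return str(net)
    return None


def scan_dns_log(text: str) -> List[Dict[str, str]]:
    """Flag every DNS query whose name matches an indicator domain."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed or truncated lines rather than crash the scan
        ts, client, qname, qtype = fields[:4]
        ioc = match_domain(qname)
        if ioc:
            hits.append({"ts": ts, "client": client, "indicator": ioc,
                         "source": "dns", "detail": f"{qname} {qtype}"})
    return hits


def scan_proxy_log(text: str) -> List[Dict[str, str]]:
    """Flag every outbound proxy connection whose destination IPv4 is in an indicator network."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, client, method, dest = fields[:4]
        host = dest.rsplit(":", 1)[0]  # strip ":port"; IPv4 assumed in this constructed format
        ioc = match_ip(host)
        if ioc:
            hits.append({"ts": ts, "client": client, "indicator": ioc,
                         "source": "proxy", "detail": f"{method} {dest}"})
    return hits


def first_seen_by_host(hits: List[Dict[str, str]]) -> Dict[str, str]:
    """Earliest matching timestamp per internal host; ISO-8601 UTC strings sort lexically."""
    earliest: Dict[str, str] = {}
    for h in hits:
        if h["client"] not in earliest or h["ts"] < earliest[h["client"]]:
            earliest[h["client"]] = h["ts"]
    return earliest


if __name__ == "__main__":
    all_hits = scan_dns_log(SAMPLE_DNS_LOG) + scan_proxy_log(SAMPLE_PROXY_LOG)
    for h in sorted(all_hits, key=lambda x: x["ts"]):
        print(f"{h['ts']} {h['client']} [{h['source']}] {h['detail']} -> {h['indicator']}")
    for client, ts in first_seen_by_host(all_hits).items():
        print(f"first indicator contact for {client}: {ts}")
```

The normalization step matters in practice: resolvers log names with a trailing dot and in mixed case, and an exact-string comparison against the feed would miss both the subdomain variant and the case variant in the sample above. The earliest-hit summary is what turns a list of matches into the "years back, not just months" view the analysts call for, since the first contact date bounds how far back the incident scope has to go.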
The bigger picture
The revelations highlight how nation-state cyber actors invest in multi-year infrastructure planning, making traditional IOC-driven defenses insufficient. Organizations must embrace Zero Trust Security principles and adopt proactive hunting methods.
As the MEA region accelerates digital transformation and 5G rollout, Salt Typhoon and similar actors may view regional networks as valuable intelligence targets. Cybersecurity leaders should ensure that historical telemetry is not overlooked; yesterday’s dormant domains may still pose tomorrow’s risks.
Conclusion
Silent Push’s disclosure of Salt Typhoon and UNC4841’s hidden infrastructure is more than a technical revelation; it’s a reminder of the quiet, persistent, and deeply strategic nature of cyber espionage. Organizations worldwide are urged to take immediate steps: check logs, update defenses, and anticipate that today’s hidden domains could fuel tomorrow’s breaches.