Chinese Hackers Salt Typhoon and UNC4841 Team Up to Breach Critical Infrastructure


Cybersecurity researchers at Silent Push have identified a Chinese espionage operation linking threat actors Salt Typhoon and UNC4841, revealing infrastructure targeting government and corporate networks across over 80 countries.

The operation includes 45 malicious domains dating back to 2020, showcasing the reach and persistence of these state-sponsored Advanced Persistent Threat (APT) groups.

Infrastructure and Tools

Silent Push analysts mapped a network of command and control infrastructure through domain registration and WHOIS data analysis.

Salt Typhoon’s malware arsenal includes the Demodex rootkit, Snappybee, and Ghostspider backdoors. Domains were registered using ProtonMail addresses under fictitious identities with fake U.S. addresses.

Analysis of SOA records and WHOIS databases expanded findings to domains registered as far back as May 2020, indicating a multi-year campaign.

Global Telecommunications Infiltration

Salt Typhoon, also known as “GhostEmperor” and other aliases, operates under China’s Ministry of State Security (MSS). The group infiltrated nine major U.S. telecommunications companies in 2024, targeting telecom infrastructure in over 80 countries.

Salt Typhoon exploits software vulnerabilities to access networks, affecting nearly every American mobile phone user and compromising systems used for court-authorized wiretapping.

The group employs advanced methodologies, exploiting zero-day vulnerabilities and security flaws in public-facing servers.

Chinese APT Coordination

Infrastructure overlap was found between Salt Typhoon and UNC4841, another Chinese state-sponsored threat actor known for exploiting a zero-day vulnerability in Barracuda Email Security Gateway Appliances in 2023.

UNC4841 shared registration tactics with Salt Typhoon, including fake personas and ProtonMail addresses. The shared infrastructure suggests coordination or shared resources between these groups.

| Threat Actor | Primary Target | Known Malware | Infrastructure Overlap |
|---|---|---|---|
| Salt Typhoon | Telecommunications, Government | Demodex, Snappybee, Ghostspider | 45+ domains, shared name servers |
| UNC4841 | Email Security, Corporate Networks | Barracuda exploit tools | 9+ domains, common registration patterns |

The analysis identified 45 previously unreported domains spanning multiple years of operations. Domain registration patterns, SOA records, and WHOIS data correlation provided insights into the scope of these cyber espionage campaigns.
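The pivoting described above, correlating WHOIS registrant data and DNS SOA records to link domains to one operator, can be illustrated with a small script. This is an added example, not Silent Push's tooling or any data from the report: every domain, mailbox, name server and date below is constructed sample data, and the scoring weights and threshold are assumptions chosen for the illustration.

```python
"""Link suspected APT infrastructure by correlating WHOIS registrant data and
DNS SOA records, the pivoting approach the article attributes to Silent Push.

Added illustration, not Silent Push's tooling. Every record below is
constructed sample data: the domains, mailboxes, name servers and dates are
hypothetical and are not the domains from the report.
"""
from collections import defaultdict
from dataclasses import dataclass
from itertools import combinations

# Mail providers the article says were used for pseudonymous registration.
PRIVACY_MAIL = {"protonmail.com", "proton.me", "pm.me"}
LINK_THRESHOLD = 2  # assumed minimum evidence score before two domains are linked


@dataclass(frozen=True)
class DomainRecord:
    domain: str
    registrant_email: str    # WHOIS registrant e-mail
    registrant_country: str  # WHOIS registrant country
    created: str             # WHOIS creation date, YYYY-MM-DD
    soa_mname: str           # SOA primary name server (MNAME)
    soa_rname: str           # SOA responsible mailbox (RNAME, dotted form)


# Constructed sample data (hypothetical domains and identities).
SAMPLE = [
    DomainRecord("alpha-update.example", "j.carter.ops@protonmail.com", "US",
                 "2020-05-11", "ns1.cheapdns.example", "hostmaster.cheapdns.example"),
    DomainRecord("beta-sync.example", "j.carter.ops@protonmail.com", "US",
                 "2021-02-03", "ns1.cheapdns.example", "hostmaster.cheapdns.example"),
    DomainRecord("gamma-cdn.example", "m.reed.mail@protonmail.com", "US",
                 "2023-06-20", "ns1.cheapdns.example", "hostmaster.cheapdns.example"),
    DomainRecord("corp-portal.example", "it@corp-portal.example", "US",
                 "2019-08-15", "ns1.bigregistrar.example", "dns.bigregistrar.example"),
    DomainRecord("delta-api.example", "t.nguyen.dev@gmail.com", "SG",
                 "2022-11-30", "ns2.otherdns.example", "admin.otherdns.example"),
]


def uses_privacy_mail(rec):
    """True when the registrant mailbox is at a privacy-oriented provider."""
    return rec.registrant_email.lower().rsplit("@", 1)[-1] in PRIVACY_MAIL


def link_score(a, b):
    """Weighted evidence that two domains belong to the same operator.

    A shared registrant mailbox is decisive on its own. A shared name server
    is weak (commercial DNS hosts serve many unrelated customers), so it only
    reaches the threshold together with another matching artifact such as the
    SOA RNAME or the same pseudonymous-registration pattern.
    """
    score = 0
    if a.registrant_email.lower() == b.registrant_email.lower():
        score += 3
    if a.soa_mname.lower() == b.soa_mname.lower():
        score += 1
    if a.soa_rname.lower() == b.soa_rname.lower():
        score += 1
    if (uses_privacy_mail(a) and uses_privacy_mail(b)
            and a.registrant_country == b.registrant_country):
        score += 1
    return score


def cluster_domains(records, threshold=LINK_THRESHOLD):
    """Union-find over pairs whose evidence score reaches the threshold.

    Returns clusters as sorted lists of domain names, ordered by first member.
    """
    parent = {r.domain: r.domain for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in combinations(records, 2):
        if link_score(a, b) >= threshold:
            parent[find(b.domain)] = find(a.domain)

    groups = defaultdict(list)
    for r in records:
        groups[find(r.domain)].append(r.domain)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: g[0])


def campaign_span(records, cluster):
    """Earliest and latest WHOIS creation date within one cluster."""
    dates = sorted(r.created for r in records if r.domain in cluster)
    return dates[0], dates[-1]


if __name__ == "__main__":
    for c in cluster_domains(SAMPLE):
        first, last = campaign_span(SAMPLE, c)
        print(f"{len(c)} domain(s), registered {first} to {last}: {', '.join(c)}")
```

On the sample data the three ProtonMail-registered domains collapse into one cluster whose earliest registration is in May 2020, while the legitimate corporate domain and the unrelated Gmail-registered domain stay separate. The weighting is the point of the design: a name server or a privacy mailbox shared with one other domain proves nothing by itself, and a hunter who links on either alone will sweep in unrelated customers of the same DNS provider.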

Silent Push’s investigation methodology highlights the importance of systematic infrastructure analysis in tracking APT groups, emphasizing the evolving nature of Chinese state-sponsored cyber operations.
