Salt Typhoon and UNC4841: Silent Push Discovers New Domains; Urges Defenders to Check Telemetry and Log Data

Silent Push identified 45 previously unreported domains and associated infrastructure patterns used by Chinese APT group Salt Typhoon and a related actor UNC4841, linking them via ProtonMail registrant emails, fake US personas, SOA records, and shared name servers. The report highlights historical C2 domains tied to Demodex, Snappybee, and Ghostspider malware and urges organizations to search DNS logs and IP records for indicators. #SaltTyphoon #UNC4841 #Demodex #Snappybee #Ghostspider

Keypoints

  • Silent Push discovered 45 domain names assessed with high confidence as infrastructure for Salt Typhoon and closely related China-backed actors, some dating back to May 2020.
  • Researchers linked domains using patterns: ProtonMail registrant emails containing gibberish, fake English persona names with non-existent US addresses, and common SOA/name server values.
  • Three malware families (Demodex rootkit, Snappybee, Ghostspider backdoors) were identified in prior reporting as using C2 hostnames that seeded this discovery effort.
  • UNC4841 (associated with the Barracuda vulnerability exploit) shares overlapping infrastructure and registrant patterns with Salt Typhoon, suggesting operational overlap or linkage.
  • Many identified domains currently point to high-density (likely parking) IPs, but low-density IPs were cataloged and some were later sinkholed, indicating historical operational use.
  • Silent Push provides IOFA™ feeds to enterprise customers and recommends that at-risk organizations search five years of DNS logs and related IP activity for the listed domains and subdomains.
  • Researchers withheld some additional infrastructure for operational security but will continue tracking and updating feeds for Salt Typhoon and UNC4841.

MITRE Techniques

  • [T1584] Compromise Infrastructure – Use of attacker-controlled domains and C2 hostnames to maintain persistence and command channels (“…deploy malware that requires a connection to an actor-controlled server to maintain this…”).
  • [T1078] Valid Accounts (Impersonation) – Use of fake registrant personas and realistic-looking US addresses to register domains and appear legitimate (“…sharing unique, fake address details gives us a reasonable degree of certainty that the domains themselves are all related infrastructure…”).
  • [T1583] Acquire Infrastructure – Registration and operation of dozens of domains across years with shared SOA/name server patterns to support long-term access (“…identified key domain registration patterns in the publicly reported command and control (C2) infrastructure…we found a total of 45 domain names…”).
  • [T1496] Resource Hijacking (Infrastructure Compromise) – Possibility of using compromised high-density IP infrastructure to host malicious domains (“…given both the advanced technical skill and considerable financial backing of the group, our team did not want to exclude the possibility that an actor operating the domain names had control over some of the high-density IP addresses we discovered, perhaps through a compromise of infrastructure.”).
  • [T1110] Brute Force (Account Discovery) – Use of automatically generated, gibberish-like ProtonMail addresses and registrant automation to mass-register domains (implied by patterns: “This string of characters…appears to have been created by smashing the left side of the keyboard…”).
  • [T1497] Virtualization/Sandbox Evasion (Sinkholing Interaction) – Observations of domains being redirected to sinkholes for analysis after law enforcement/research takeover (“…some of the low-density IP addresses in this list also had domains that had started pointing to sinkholes”).

Indicators of Compromise

  • [Domain] C2 and infrastructure domains linked to Salt Typhoon/UNC4841 – examples: dateupdata[.]com, cloudprocenter[.]com, and 43 more domains listed in the report.
  • [Subdomain] Mail/C2 subdomain – example: imap[.]dateupdata[.]com (identified as a C2-hosting hostname).
  • [Registrant Emails] ProtonMail addresses used to register domains – examples: sdsdvxcdcbsgfe@protonmail[.]com, oklmdsfhjnfdsifh@protonmail[.]com, and several others (multiple gibberish addresses in total, plus one large set under zainmehe@protonmail[.]com linked to 117 domains).
  • [Registrant Names/Addresses] Fake registrant personas and addresses – examples: “Monica Burch” at “1294 Koontz Lane, Los Angeles, CA, US”, “Shawn Francis” at “4858 Agriculture Lane, Miami, FL, US”.
  • [Name Servers] Shared name servers used across domains – examples: *.1domainregistry[.]com, *.orderbox-dns[.]com (used by many domains linked to the activity).
  • [IP Addresses] Low-density IPs observed in DNS A records for the 45 domains, compiled and paired with the time each was observed – the report lists multiple specific IPs and timestamps; see the archive feed for the full list.
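The Keypoints section recommends searching five years of DNS logs for the listed domains and their subdomains. The following is an added example of that check, not code from Silent Push or the report: it refangs the indicators quoted above, matches exact names and subdomains against constructed BIND-style query-log lines (the log format and sample lines are assumed for illustration), and applies the five-year lookback window.

```python
import re
from datetime import datetime, timedelta, timezone

# Indicators as quoted in the report above, kept in their defanged form.
REPORT_DOMAINS = ["dateupdata[.]com", "cloudprocenter[.]com"]
REPORT_HOSTS = ["imap[.]dateupdata[.]com"]

def refang(ioc):
    """Turn a defanged indicator such as 'dateupdata[.]com' into a matchable name."""
    return ioc.replace("[.]", ".").lower().rstrip(".")

# Longest entries first so a hit reports the most specific indicator.
WATCHLIST = sorted({refang(i) for i in REPORT_DOMAINS + REPORT_HOSTS}, key=len, reverse=True)

def matches_watchlist(qname):
    """Return the indicator that qname equals or is a subdomain of, else None.
    The leading '.' check keeps look-alikes such as 'notdateupdata.com' from matching."""
    name = qname.lower().rstrip(".")
    for ioc in WATCHLIST:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None

# Assumed BIND-style query-log layout: '<date> <time> client <ip>#<port>: query: <qname> IN <qtype> ...'
LOG_LINE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d+) client (?:@\S+ )?"
    r"(?P<src>[\d.]+)#\d+(?: \([^)]*\))?: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def scan_dns_log(lines, now=None, lookback_days=5 * 365):
    """Return query-log hits on the watchlist inside the lookback window (default five years)."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=lookback_days)
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line; a real job would count these for review
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f").replace(tzinfo=timezone.utc)
        if ts < cutoff:
            continue
        ioc = matches_watchlist(m["qname"])
        if ioc:
            hits.append({"time": ts.isoformat(), "src": m["src"], "qname": m["qname"], "ioc": ioc})
    return hits

# Constructed sample log lines for illustration; none of these are from the report.
SAMPLE_LOG = [
    "12-Mar-2024 10:15:22.123 client 10.0.0.5#51234: query: imap.dateupdata.com IN A + (10.0.0.1)",
    "12-Mar-2024 10:15:23.456 client 10.0.0.5#51234: query: www.example.com IN A + (10.0.0.1)",
    "01-Jan-2019 08:00:00.000 client 10.0.0.7#40000: query: cloudprocenter.com IN A + (10.0.0.1)",
    "05-May-2021 09:30:00.000 client 10.0.0.9#40001: query: mail.cloudprocenter.com IN MX + (10.0.0.1)",
    "05-May-2021 09:31:00.000 client 10.0.0.9#40001: query: notdateupdata.com IN A + (10.0.0.1)",
]
```

Running `scan_dns_log(SAMPLE_LOG, now=datetime(2025, 6, 1, tzinfo=timezone.utc))` reports the two in-window hits and drops the 2019 query that falls outside the five-year window.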

Read more: https://www.silentpush.com/blog/salt-typhoon-2025/?utm_source=rss&utm_medium=rss&utm_campaign=salt-typhoon-2025