45 New Domains Linked to Salt Typhoon, UNC4841
Summary
Researchers at Silent Push uncovered 45 previously unreported domains tied to China‑backed threat actors Salt Typhoon and UNC4841. The domains, some registered as far back as 2020, were created using fake personas, addresses and ProtonMail accounts and were used to enable long‑term, stealthy access for cyber‑espionage operations. While many of the domains appear inactive now, one recently registered name (chekoodver.com) may indicate renewed UNC4841 activity. Silent Push urges organisations and defence teams to compare the domains against their DNS logs and telemetry to detect historic or ongoing compromise.
Key Points
- Silent Push identified 45 domains linked to Salt Typhoon and UNC4841, most not previously reported.
- Registration patterns include fake names, nonexistent US addresses and ProtonMail accounts, giving useful hunting indicators.
- The oldest domain in the set dates to May 2020, showing these actors have been building infrastructure for years.
- Infrastructure overlaps suggest coordination or shared tooling between Salt Typhoon and UNC4841.
- One domain, chekoodver.com (registered April 2025), could signal renewed UNC4841 operations.
- Silent Push recommends searching at least five years of DNS logs, subdomains and listed IPs to find signs of intrusion.
- Salt Typhoon has previously maintained stealthy access in telecom environments for long periods, highlighting persistent risk.
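One way to act on the hunting advice above, as an added example that is not Silent Push's or Dark Reading's code: a small Python scan that matches DNS query logs against a domain and IP watchlist, treating any subdomain of a listed domain as a hit while ignoring look-alike names that merely end in the same string. The log layout, the placeholder watchlist entries and the sample lines are constructed for this example; chekoodver.com is the one domain the report names, and a real hunt would load the full published list and run over the five years of logs the article recommends.

```python
import re
from dataclasses import dataclass

# Watchlist constructed for this example: chekoodver.com is named in the report;
# the other entries are placeholders, not indicators from the report.
WATCH_DOMAINS = {"chekoodver.com", "placeholder-c2.invalid"}
WATCH_IPS = {"192.0.2.10"}  # TEST-NET-1 address, a constructed placeholder

# Constructed sample lines in a Zeek-like "ts client query answer" layout.
SAMPLE_LOG = """\
1745000000.123 10.0.0.5 www.chekoodver.com 192.0.2.10
1745000001.456 10.0.0.7 updates.example.org 203.0.113.8
1745000002.789 10.0.0.9 notchekoodver.com 198.51.100.4
1745000003.000 10.0.0.11 mail.internal.example 192.0.2.10
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def normalize(name):
    """Lower-case and strip a trailing dot so 'WWW.Example.com.' compares cleanly."""
    return name.lower().rstrip(".")


def matches_domain(query, watch):
    """True for an exact match or a subdomain on a label boundary.
    'notchekoodver.com' must NOT match 'chekoodver.com'."""
    q = normalize(query)
    return any(q == d or q.endswith("." + d) for d in watch)


@dataclass
class Hit:
    ts: str
    client: str
    query: str
    answer: str
    reason: str  # "domain" or "ip"


def scan(log_text, watch_domains=WATCH_DOMAINS, watch_ips=WATCH_IPS):
    """Return one Hit per log line whose query or resolved answer is on the watchlist."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole hunt
        ts, client, query, answer = m.groups()
        if matches_domain(query, watch_domains):
            hits.append(Hit(ts, client, query, answer, "domain"))
        elif answer in watch_ips:
            hits.append(Hit(ts, client, query, answer, "ip"))
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.ts} {h.client} -> {h.query} ({h.answer}) [{h.reason}]")
```

The IP check catches a client that reached listed infrastructure through a name not on the domain list, which is why the article asks defenders to check listed IPs as well as domains.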
Context and Relevance
This discovery widens the known infrastructure for high‑risk, China‑aligned espionage groups and reinforces the threat to telecommunications, critical infrastructure and enterprise networks. The clear WHOIS registration patterns provide defenders with practical indicators of compromise and a concrete threat‑hunting starting point. For security teams, the finding strengthens the need for retrospective DNS analysis and longer‑range telemetry retention to unearth long‑running intrusions.
Why should I read this?
Short answer: because if you care about catching long‑running intrusions, this is a freebie list of smoking‑gun domains and registration tricks to hunt for. Silent Push has done the digging — check your DNS logs, now. Miss it and you might be sitting on evidence of an undetected compromise.
Source
Source: https://www.darkreading.com/threat-intelligence/new-domains-salt-typhoon-unc4841