Sep 09, 2025Ravie LakshmananCyber Espionage / Telecom Safety
Risk hunters have found a set of beforehand unreported domains, some going again to Might 2020, which are related to China-linked risk actors Salt Hurricane and UNC4841.
“The domains date again a number of years, with the oldest registration exercise occurring in Might 2020, additional confirming that the 2024 Salt Hurricane assaults weren’t the primary exercise carried out by this group,” Silent Push mentioned in a brand new evaluation shared with The Hacker Information.
The recognized infrastructure, totaling 45 domains, has additionally been recognized as sharing some stage of overlap with one other China-associated hacking group tracked as UNC4841, which is finest recognized for its zero-day exploitation of a safety flaw in Barracuda E-mail Safety Gateway (ESG) home equipment (CVE-2023-2868, CVSS rating: 9.8).
Salt Hurricane, energetic since 2019, drew widespread consideration final yr for its concentrating on of telecommunications companies suppliers within the U.S. Believed to be operated by China’s Ministry of State Safety (MSS), the risk cluster shares similarities with actions tracked as Earth Estries, FamousSparrow, GhostEmperor, and UNC5807.
Silent Push mentioned it recognized three Proton Mail e-mail addresses that have been used to register as many as 16 domains with non-existent addresses.
Additional examination of the IP addresses associated to the 45 domains has revealed that many of those domains pointed to high-density IP addresses. These check with IP addresses to which a excessive variety of hostnames at present level, or have pointed prior to now. Of those who pointed to low-density IP addresses, the earliest exercise goes again to October 2021.
The oldest area recognized as being a part of China-backed cyber espionage campaigns is onlineeylity[.]com, registered on Might 19, 2020, by a pretend persona named Monica Burch, who claims to reside at 1294 Koontz Lane in Los Angeles, California.
“As such, we strongly urge any group that believes itself to be prone to Chinese language espionage to look its DNS logs for the previous 5 years for requests to any of the domains in our archive feed, or their subdomains,” Silent Push mentioned.
“It could even be prudent to verify for requests to any of the listed IP addresses, notably through the time durations wherein this actor operated them.”
