Salt Typhoon’s Secret Web: 45 Hidden Domains Unveil Years of Chinese Cyber Espionage
A new cache of domains reveals the reach and persistence of a state-backed hacking group targeting the West for years.
Fast Facts
- Researchers uncovered 45 previously unknown domains linked to Chinese cyber espionage group Salt Typhoon.
- Some domains date back to May 2020, revealing years of covert operations.
- Salt Typhoon is believed to be run by China’s Ministry of State Security.
- Related infrastructure overlaps with UNC4841, notorious for exploiting Barracuda security flaws.
- Fake identities and encrypted email services were used to register the domains.
The Digital Spiderweb: Unraveling Salt Typhoon’s Hidden Infrastructure
Imagine the internet as a vast city, its avenues and alleyways lined with doors - some marked, some hidden in plain sight. For years, a shadowy group known as Salt Typhoon quietly slipped through these unseen portals, leaving almost no trace. Now, a fresh trove of evidence has illuminated their secret pathways: 45 domains, newly discovered but long active, exposing a cyber espionage campaign that has quietly threaded itself into the fabric of global communications since at least 2020.
Behind the Scenes: China’s Persistent Digital Surveillance
Salt Typhoon, sometimes traced under names like Earth Estries or GhostEmperor, is believed to operate under the auspices of China’s Ministry of State Security. The group first came to broader attention in 2023 for targeting American telecommunications providers, but this latest discovery shows their roots run deeper. According to threat intelligence firm Silent Push, the oldest of the 45 domains was registered as far back as May 2020, with several others spun up over the subsequent years.
These domains, digital signposts on the web, were often registered using fake personas and anonymous email accounts - including Proton Mail addresses - designed to throw off investigators. For example, one domain, onlineeylity[.]com, was registered under the name “Monica Burch” at a fictitious Los Angeles address. This use of false identities is a classic hallmark of state-sponsored cyber operations, allowing attackers to mask their true origins and intentions.
Patterns and Parallels: Old Tactics, New Threats
The infrastructure shows overlap with another Chinese-linked group, UNC4841, infamous for exploiting a critical zero-day vulnerability in Barracuda’s Email Security Gateway in 2023. Both groups used clusters of domains pointing to so-called “high-density” IP addresses - servers that host many websites, making it harder to spot malicious traffic. This camouflage technique is reminiscent of previous campaigns attributed to China, such as the sprawling attacks on Microsoft Exchange servers in 2021 and the “FamousSparrow” campaigns targeting hotels and governments worldwide.
Credible reports from security analysts, including Mandiant and CrowdStrike, have repeatedly warned that China’s cyber espionage efforts are not only persistent but adaptive, shifting tactics as defenses evolve. The discovery of these hidden domains underscores a simple truth: even as old infrastructure is burned, new doors quietly open elsewhere.
Geopolitics in the Wires: Why It Matters
Salt Typhoon’s campaign is more than a technical feat - it’s a chess move in a broader geopolitical contest. By targeting telecommunications and government entities, groups like Salt Typhoon aim to gather intelligence, disrupt rivals, and exert influence beyond their borders. As Silent Push urges, organizations at risk should comb through their digital histories for any sign of these domains. In the high-stakes game of cyber espionage, the best defense begins with knowing where the shadows fall.
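The article's closing advice is to comb through historical records for the published domains, and its earlier point about "high-density" IP addresses explains why a hit on a shared host should be handled by name rather than by address. The following Python script is an added example written for this page, not code from Silent Push or from the article: it refangs a defanged indicator list, matches DNS resolver log lines against it (exact domain or any subdomain, while rejecting look-alikes such as notonlineeylity.com), and flags answers that resolve to IPs hosting many unrelated domains. Only onlineeylity[.]com comes from the article; every other domain, IP address, log line and passive-DNS record is a constructed placeholder, and the log format is an assumption.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Indicator list in the defanged form threat reports use. Only the first entry
# appears in the article; the others are constructed placeholders, not real IoCs.
DEFANGED_IOCS = [
    "onlineeylity[.]com",
    "placeholder-ioc-1[.]net",
    "placeholder-ioc-2[.]org",
]

# Constructed DNS resolver log lines (assumed format: "<timestamp> <client> <query> <answer>").
SAMPLE_DNS_LOG = """\
2024-03-01T10:00:01Z 10.0.0.15 www.example.org 93.184.216.34
2024-03-01T10:00:07Z 10.0.0.22 cdn.onlineeylity.com 203.0.113.10
2024-03-01T10:00:09Z 10.0.0.22 onlineeylity.com 203.0.113.10
2024-03-01T10:00:12Z 10.0.0.31 notonlineeylity.com 198.51.100.7
"""

# Constructed passive-DNS style (domain, ip) pairs used to measure hosting density.
SAMPLE_PDNS = [
    ("onlineeylity.com", "203.0.113.10"),
    ("cdn.onlineeylity.com", "203.0.113.10"),
    ("placeholder-ioc-1.net", "203.0.113.10"),
    ("shop-a.example", "203.0.113.10"),
    ("shop-b.example", "203.0.113.10"),
    ("www.example.org", "93.184.216.34"),
]

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def refang(domain: str) -> str:
    """Turn 'foo[.]com' (or 'foo(.)com') into a normalised 'foo.com'."""
    return domain.replace("[.]", ".").replace("(.)", ".").strip().lower().rstrip(".")


def matches_ioc(queried: str, iocs: set[str]) -> str | None:
    """Return the matching IoC if the queried name is that domain or a subdomain of it.

    The check requires a label boundary ('.' + ioc) so that look-alike names such as
    notonlineeylity.com do not match onlineeylity.com.
    """
    q = queried.lower().rstrip(".")
    for ioc in iocs:
        if q == ioc or q.endswith("." + ioc):
            return ioc
    return None


def hosting_density(records: list[tuple[str, str]], threshold: int = 5) -> dict[str, int]:
    """Count distinct domains per IP and return the IPs at or above the threshold.

    A high count marks a shared ("high-density") host: blocking such an IP would
    take innocent sites down with it, so the block should be on the domain name.
    """
    by_ip: dict[str, set[str]] = defaultdict(set)
    for domain, ip in records:
        by_ip[ip].add(domain.lower().rstrip("."))
    return {ip: len(doms) for ip, doms in by_ip.items() if len(doms) >= threshold}


def scan_dns_log(log_text: str, defanged_iocs: list[str],
                 pdns_records: list[tuple[str, str]]) -> list[dict]:
    """Return one hit per log line whose query matches an IoC, enriched with host density."""
    iocs = {refang(d) for d in defanged_iocs}
    dense_ips = hosting_density(pdns_records)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, client, query, answer = m.groups()
        ioc = matches_ioc(query, iocs)
        if ioc is None:
            continue
        hits.append({
            "timestamp": ts,
            "client": client,
            "query": query,
            "answer": answer,
            "ioc": ioc,
            # True means the answer IP hosts many domains: block by name, not by IP.
            "shared_host": answer in dense_ips,
        })
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG, DEFANGED_IOCS, SAMPLE_PDNS):
        print(hit)
```

On the constructed sample, the two queries under onlineeylity.com are reported for client 10.0.0.22 and the look-alike notonlineeylity.com is ignored; both hits carry `shared_host: True` because the constructed passive-DNS data puts five domains on 203.0.113.10, which is the cue to block the domain rather than the address. To use it against real data, replace the constructed constants with the published indicator list and an export of resolver, proxy or firewall logs in the same four-column shape.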
WIKICROOK
- Domain: A domain is a unique internet address, like example.com, used to identify and access websites or online services easily.
- Zero-day: A zero-day vulnerability is a hidden security flaw unknown to the software maker, with no fix available, making it highly valuable and dangerous to attackers.
- IP address: An IP address is a unique numerical label assigned to each device on a network, acting like an online street address for sending and receiving data.
- Fake persona: A fake persona is a made-up identity used online to hide someone's real information, often for fraudulent, deceptive, or covert activities.
- State: A 'state' in cybersecurity refers to a government backing or conducting cyber attacks to gather intelligence or disrupt adversaries for political or strategic gain.