- Silent Push uncovers 45 domains used by Chinese APT groups for long-term cyberespionage
- The domains were registered under false identities and tied to low-density IP addresses for stealthy C2 operations
- Organizations are urged to review five years of DNS records for signs of compromise
Security researchers recently identified 45 domains, some of them years old, that were used as part of Salt Typhoon cyberespionage campaigns.
Earlier this week, the Silent Push cybersecurity team published an in-depth report after discovering dozens of previously unreported domains that formed part of the command-and-control (C2) infrastructure used by Chinese APT groups to maintain long-term, stealthy access to compromised systems.
In addition to Salt Typhoon, a group tracked as UNC4841 apparently used the same domains, which allowed the operators to remotely manage malware, exfiltrate data and persist inside networks without detection.
DNS record verification
By analyzing WHOIS and SOA records, Silent Push found domains dating back to May 2020, some of which were registered under fake personas such as "Shawn Francis" or "Monica Burch". Others were registered with ProtonMail addresses, often paired with non-existent US postal addresses.
Some domains impersonated legitimate entities, such as Newhkdaily[dot]com, which may have been used for psychological operations or propaganda, the researchers noted.
"The domains date back several years, with the oldest registration activity occurring in May 2020, further confirming that the 2024 Salt Typhoon attacks were not the first activity carried out by this group," they said in the report.
Silent Push also said the domains resolved to low-density IP addresses, that is, IPs hosting very few other domains, which suggests the hosts were dedicated to malicious activity rather than shared infrastructure.
The company now urges all organizations to search their DNS records and telemetry data, going back five years, for any sign of activity involving the 45 newly identified domains or their subdomains.
This includes looking for DNS queries to any of the listed domains, connections to the associated IP addresses (especially during the period in which the domains were active), and patterns matching the low-density IP infrastructure described in the report.
Although the infrastructure is probably no longer active, historical DNS data can reveal past compromises or ongoing persistence, and organizations that find matches can investigate, contain and remediate any lingering threat.
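A retrospective hunt along the lines the report recommends, written here as an added example rather than code from Silent Push or from the report itself. It matches query names against an indicator list at label boundaries (so a subdomain of an indicator hits but a look-alike such as "notexample-c2.test" does not), checks answer IPs only inside the window in which each indicator was believed active, and applies a low-density heuristic to passive-DNS data by counting distinct domains per IP. The indicator domains, IP addresses, activity windows, log format (tab-separated date, client, query name, answer) and log lines are all constructed placeholders, not the report's actual IOCs.

```python
# Added example: hunt historical DNS telemetry for C2 indicators.
# All indicators, IPs, windows and log lines are constructed placeholders.
from collections import defaultdict
from datetime import datetime, timezone

# Constructed indicator set (placeholders, not the report's real domains).
IOC_DOMAINS = {"example-c2.test", "newsportal-lookalike.test"}

# Constructed IP indicators: ip -> (first_seen, last_seen) window of known activity.
IOC_IPS = {
    "203.0.113.10": ("2021-03-01", "2023-11-30"),
    "198.51.100.7": ("2020-05-01", "2022-01-31"),
}

# Constructed DNS log: date, client, query name, answer IP (tab-separated).
DNS_LOG = """\
2022-06-14\t10.0.0.5\tupdates.example-c2.test\t203.0.113.10
2022-06-14\t10.0.0.9\twww.example.com\t93.184.216.34
2024-02-02\t10.0.0.5\tcdn.example-c2.test\t203.0.113.10
2021-09-30\t10.0.0.7\tmail.notexample-c2.test\t198.51.100.7
2023-12-15\t10.0.0.8\tsomething.test\t203.0.113.10
"""

# Constructed passive-DNS sample: (domain, resolved_ip). One dedicated IP
# hosting only indicator domains, one shared-hosting IP with many tenants.
PASSIVE_DNS = [
    ("example-c2.test", "203.0.113.10"),
    ("updates.example-c2.test", "203.0.113.10"),
    ("newsportal-lookalike.test", "203.0.113.10"),
] + [(f"site{i}.test", "192.0.2.50") for i in range(8)]


def parse_ts(date_str):
    """Parse a YYYY-MM-DD date into an aware UTC datetime."""
    return datetime.strptime(date_str, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def domain_matches(qname, ioc_domains):
    """Return the matching indicator if qname equals it or is a subdomain of it.

    Matching is done at label boundaries, so 'notexample-c2.test' does not
    match the indicator 'example-c2.test'.
    """
    q = qname.rstrip(".").lower()
    for ioc in ioc_domains:
        ioc = ioc.lower()
        if q == ioc or q.endswith("." + ioc):
            return ioc
    return None


def ip_in_window(ip, ts, ioc_ips):
    """True if ip is an indicator and ts falls inside its activity window."""
    window = ioc_ips.get(ip)
    if window is None:
        return False
    return parse_ts(window[0]) <= ts <= parse_ts(window[1])


def hunt(log_text, ioc_domains=IOC_DOMAINS, ioc_ips=IOC_IPS):
    """Scan log lines and return every hit with the reason(s) it matched.

    A domain hit counts regardless of date (a query to C2 is always worth a
    look); an IP hit counts only inside the indicator's active window, since
    the address may have been reassigned to benign tenants afterwards.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        date_str, client, qname, answer = line.split("\t")
        ts = parse_ts(date_str)
        reasons = []
        matched = domain_matches(qname, ioc_domains)
        if matched:
            reasons.append(f"domain:{matched}")
        if ip_in_window(answer, ts, ioc_ips):
            reasons.append(f"ip:{answer}")
        if reasons:
            hits.append({"ts": date_str, "client": client, "qname": qname,
                         "answer": answer, "reasons": reasons})
    return hits


def low_density_ips(records, max_domains=5):
    """Return IPs that host at most max_domains distinct domains.

    Few domains per IP is the 'low-density' pattern the report describes;
    shared hosting and CDNs typically show hundreds of domains per address.
    """
    per_ip = defaultdict(set)
    for domain, ip in records:
        per_ip[ip].add(domain.lower())
    return {ip: sorted(ds) for ip, ds in per_ip.items() if len(ds) <= max_domains}


if __name__ == "__main__":
    for hit in hunt(DNS_LOG):
        print(hit)
    print("low-density IPs:", low_density_ips(PASSIVE_DNS))
```

Over the constructed log the hunt reports three hits: one matched on both a subdomain of an indicator and an in-window answer IP, one matched on the domain alone because the resolution happened after the IP window closed, and one matched on the IP alone because the query name only resembles an indicator. The low-density check flags the dedicated address and ignores the shared-hosting one; in practice the threshold should be tuned against your own passive-DNS source, and any hit should be pivoted to proxy, EDR and flow data for the same host and time.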
Via The Hacker News