Threat hunters have uncovered 45 domains linked to China-backed groups Salt Typhoon and UNC4841, some dating as far back as May 2020.
According to new research from Silent Push, the findings confirm that Salt Typhoon’s 2024 cyberattacks were part of a much longer campaign. The group, active since 2019 and believed to be tied to China’s Ministry of State Security, has previously targeted U.S. telecommunications providers and shares tactics with other well-known clusters like GhostEmperor and FamousSparrow.
The analysis revealed that several of the domains overlap with UNC4841, a group infamous for exploiting a Barracuda Email Security Gateway zero-day vulnerability (CVE-2023-2868). Investigators also identified three Proton Mail accounts tied to 16 of the domains, registered with fake identities and addresses. Many of the domains resolved to high-density IP addresses, while others traced back to low-density IPs with the earliest activity seen in October 2021.
The oldest domain in the campaign, onlineeylity[.]com, was registered in May 2020 using a fake persona. Silent Push advises organizations concerned about Chinese espionage to review DNS logs for requests to these domains or related subdomains over the past five years. The firm also recommends checking for connections to the associated IP addresses during the periods they were active, to better detect possible compromise.
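As an added example (not the article's own code or Silent Push's tooling), the two checks recommended above applied to constructed log lines in Python: a domain-or-subdomain match over DNS query logs, and a connection to a watched IP address counted only inside that address's active window. Only onlineeylity[.]com comes from the article; the IP address and its window are labelled placeholders.

```python
from datetime import datetime
from ipaddress import ip_address
from typing import Optional

# Assumptions for this example: the single domain named in the article is real;
# the IP and its active window are constructed placeholders (TEST-NET-1 range),
# not published indicators.
WATCHED_DOMAINS = {"onlineeylity.com"}
WATCHED_IPS = {
    # ip -> (first_seen, last_seen) active window, constructed placeholder
    "192.0.2.10": (datetime(2021, 10, 1), datetime(2022, 3, 31)),
}

def domain_matches(qname: str) -> Optional[str]:
    """Return the watched domain that qname equals or is a subdomain of.
    'notonlineeylity.com' must not match, so we require a dot boundary."""
    name = qname.lower().rstrip(".")
    for d in WATCHED_DOMAINS:
        if name == d or name.endswith("." + d):
            return d
    return None

def ip_matches(ip: str, when: datetime) -> bool:
    """True only if ip is watched AND the connection falls inside its window."""
    try:
        key = str(ip_address(ip))  # canonical form, rejects garbage
    except ValueError:
        return False
    window = WATCHED_IPS.get(key)
    return window is not None and window[0] <= when <= window[1]

def hunt(dns_lines, flow_lines):
    """Scan '<iso-ts> <qname>' DNS lines and '<iso-ts> <dst_ip>' flow lines."""
    hits = []
    for line in dns_lines:
        ts, qname = line.split()
        matched = domain_matches(qname)
        if matched:
            hits.append(("dns", ts, qname, matched))
    for line in flow_lines:
        ts, dst = line.split()
        if ip_matches(dst, datetime.fromisoformat(ts)):
            hits.append(("flow", ts, dst, "in-window"))
    return hits

# Constructed sample logs: one subdomain hit, one look-alike non-hit,
# one in-window IP hit, one out-of-window non-hit, one unrelated IP.
DNS_LOG = ["2021-10-05T09:12:00 mail.onlineeylity.com.",
           "2021-10-05T09:13:00 example.com",
           "2024-02-01T00:00:00 notonlineeylity.com"]
FLOW_LOG = ["2021-11-15T12:00:00 192.0.2.10",
            "2023-06-01T12:00:00 192.0.2.10",
            "2021-11-15T12:00:00 198.51.100.7"]
```

Run `hunt(DNS_LOG, FLOW_LOG)` to list the two expected hits; real DNS and flow exports will need their own field parsing before the same checks apply.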