APT IOC ANALYSIS REPORT

Salt Typhoon & UNC4841 IOC Analysis and Threat Hunting Report

China-Linked Cyber Espionage Infrastructure Analysis, IOC Validation, DNS Hunting, Infrastructure Correlation and Threat Intelligence Investigation

Analyst
Rajkumar G
Date
June 2026
Threat Actor
Salt Typhoon
Severity
Critical

Executive Summary

Silent Push researchers identified dozens of previously unreported domains associated with the Chinese state-sponsored threat actors Salt Typhoon and UNC4841. Through WHOIS analysis, SOA record correlation, infrastructure pivoting, DNS intelligence, and domain registration pattern analysis, researchers uncovered 45 domains and multiple IP addresses believed to support long-term cyber espionage operations.

Key Finding: The identified infrastructure was linked to long-term espionage campaigns targeting telecommunications providers, ISPs, governments, and critical infrastructure organizations worldwide.

Threat Overview

Investigation Timeline

2020

Earliest identified domain registrations linked to infrastructure.

2021 - 2023

Infrastructure expansion using fake personas, ProtonMail accounts and DNS hosting services.

2023

UNC4841 activity observed exploiting Barracuda Email Security Gateway vulnerabilities.

2024

Salt Typhoon compromises major telecommunications providers globally.

2025

Silent Push correlates infrastructure and discovers previously unreported domains.

IOC Domain Table

Type Indicator Confidence
Domain dateupdata.com High
Domain infraredsen.com High
Domain materialplies.com High
Domain pulseathermakf.com High
Domain cloudprocenter.com High
Domain followkoon.com High
Domain newhkdaily.com High
Domain clubworkmistake.com High
Domain gesturefavour.com High
Domain goldenunder.com High

Low-Density IP Indicators

IP Address Related Domain
172.93.165.13 asparticrooftop.com
92.38.160.50 cloudprocenter.com
45.125.67.144 infraredsen.com
103.113.85.216 followkoon.com
193.239.86.168 imap.dateupdata.com
202.146.221.69 newhkdaily.com

Infrastructure Correlation

Common Characteristics

MITRE ATT&CK Mapping

Tactic Technique
Initial Access T1190 Exploit Public Facing Application
Persistence T1098 Account Manipulation
Command & Control T1071 Application Layer Protocol
Credential Access T1555 Credentials from Password Stores
Discovery T1018 Remote System Discovery
Collection T1119 Automated Collection
Exfiltration T1041 Exfiltration Over C2 Channel

Threat Hunting Opportunities

SOC Detection Recommendations

Analyst Assessment

This investigation demonstrates advanced threat intelligence methodologies including WHOIS analysis, SOA record pivoting, DNS intelligence, infrastructure correlation, and attribution assessment. The discovered infrastructure strongly indicates long-term cyber espionage operations conducted by China-linked threat actors. Organizations operating telecommunications, government, defense, and critical infrastructure networks should prioritize retrospective DNS analysis against the identified indicators.

Risk Level: Critical
Threat Type: Nation-State Cyber Espionage
Confidence: High