
Salt Typhoon and UNC4841 domains reveal longstanding cyber espionage infrastructure


Summary


A set of 45 previously unreported domains, some dating back to May 2020, has been linked to the China-linked threat actors Salt Typhoon and UNC4841. These domains indicate a longstanding cyber espionage campaign targeting telecommunications and other sectors. The domains were used to facilitate various malicious activities, including zero-day exploitation and phishing. The infrastructure overlaps with known TTPs of other China-associated groups, suggesting coordinated efforts. The oldest domain, onlineeylity[.]com, was registered in May 2020 using a fake persona. Organizations are advised to review DNS logs for potential compromises.

Timeline

  1. 09.09.2025 03:27 (1 article)

    45 previously unreported domains linked to Salt Typhoon and UNC4841 cyber espionage

    A set of 45 previously unreported domains, dating back to May 2020, has been identified as part of a longstanding cyber espionage campaign by Salt Typhoon and UNC4841. These domains indicate earlier activity than previously known, with the oldest domain, onlineeylity[.]com, registered on May 19, 2020. The infrastructure overlaps with known TTPs of other China-associated groups, suggesting coordinated efforts. Organizations are advised to review DNS logs for potential compromises.

Similar Happenings

PyPI implements expired domain checks to prevent account takeovers and supply chain attacks

The Python Package Index (PyPI) has implemented a new security measure to check for expired domains, blocking over 1,800 email addresses tied to expired domains since June 2025. This update targets domain resurrection attacks, where malicious actors exploit expired domains to gain unauthorized access to PyPI accounts. PyPI uses Domainr's Status API to determine a domain's lifecycle stage and mark email addresses as unverified, preventing password resets and other account recovery actions. Users are advised to enable two-factor authentication (2FA) and add a secondary verified email address from a notable domain to enhance security. Additionally, PyPI has warned of a new wave of phishing attacks using fake websites to steal user credentials, advising users to change passwords and use phishing-resistant 2FA methods.