New Infrastructure Discovery: Salt Typhoon (APT) - December 2025 Analysis
Recent telemetry and infrastructure tracking have identified a significant set of new network assets linked to the Chinese cyber-espionage actor known as Salt Typhoon (also tracked as FamousSparrow or GhostEmperor).
This update provides a breakdown of recently observed domains, their operational timeframes, and the low-density IP addresses utilized for Command and Control (C2) or staging operations.
Executive Summary
Salt Typhoon continues to demonstrate a high level of operational security, frequently cycling through low-density IP addresses and utilizing domains that mimic legitimate business or technical services. The infrastructure identified in this report spans from late 2021 through mid-2025, suggesting long-term persistence and planning for various campaign phases.
Infrastructure Breakdown
Below is the detailed list of domains and associated network artifacts.
| Domain | Observation Timeframe | Related IP Address |
|---|---|---|
| asparticrooftop[.]com | 2022-05-19 to 2023-05-17 | 172.93.165.13 |
| cloudprocenter[.]com | 2021-10-17 to 2021-11-19 | 92.38.160.50 |
| | 2021-11-20 to 2021-12-09 | 165.154.230.21 |
| | 2021-12-10 to 2021-12-14 | 172.93.189.6 |
| | 2021-12-15 to 2022-06-28 | 91.245.255.13 |
| | 2022-06-30 to 2022-07-17 | 91.245.255.72 |
| | 2022-07-18 to 2022-07-24 | 92.38.139.216 |
| | 2022-08-04 to 2022-08-04 | 172.93.189.207 |
| clubworkmistake[.]com | 2022-07-13 to 2022-08-10 | 203.20.113.208 |
| | 2022-08-12 to 2022-08-16 | 96.9.211.4 |
| | 2022-08-17 to 2024-10-09 | 91.245.255.36 |
| imap[.]dateupdata[.]com | 2024-08-08 to 2024-10-08 | 193.239.86.168 |
| followkoon[.]com | 2024-03-14 to 2025-03-13 | 103.113.85.216 |
| aar[.]gandhibludtric[.]com | 2025-05-05 to 2025-06-05 | 38.54.63.75 |
| hateupopred[.]com | 2021-11-12 to 2022-11-08 | 146.70.79.16 |
| infraredsen[.]com | 2024-12-03 to 2025-06-05 | 45.125.67.144 |
| pop3[.]materialplies[.]com | 2023-12-12 to 2025-06-05 | 103.159.133.251 |
| newhkdaily[.]com | 2022-07-21 to 2023-07-19 | 202.146.221.69 |
| pulseathermakf[.]com | 2022-04-26 to 2022-08-03 | 96.9.211.27 |
| | 2022-08-04 to 2022-08-17 | 205.189.160.3 |
| | 2022-08-17 to 2023-09-21 | 146.70.79.105 |
| | 2023-09-21 to 2025-04-25 | 146.70.79.18 |
| shalaordereport[.]com | 2022-06-07 to 2022-06-22 | 172.93.165.12 |
| | 2022-06-23 to 2022-07-25 | 146.70.79.48 |
| toodblackrun[.]com | 2022-07-21 to 2022-08-17 | 172.93.188.220 |
| | 2022-08-17 to 2023-11-14 | 23.106.123.183 |
| | 2023-11-16 to 2024-01-23 | 193.56.255.165 |
| | 2024-01-25 to 2024-02-01 | 91.245.255.48 |
| | 2024-02-03 to 2025-06-03 | 91.245.255.50 |
| unfeelmoonvd[.]com | 2023-02-10 to 2024-01-11 | 165.154.242.73 |
| | 2024-01-12 to 2024-02-06 | 74.119.193.42 |
| verfiedoccurr[.]com | 2021-11-17 to 2022-11-15 | 27.255.81.107 |
| waystrkeprosh[.]com | 2021-12-23 to 2022-12-21 | 96.9.211.15 |
| xdmgwctese[.]com | 2022-07-16 to 2022-08-16 | 172.93.188.241 |
| | 2022-08-29 to 2023-10-10 | 91.245.255.32 |
Analysis and Defense Recommendations
The infrastructure reveals a preference for domains that appear "administrative" or "technical" in nature (e.g., cloudprocenter[.]com, verfiedoccurr[.]com). Many of these assets have been active for years, indicating that Salt Typhoon is successful in maintaining its operational infrastructure over extended periods.
Defensive Actions:
Network Filtering: Block the identified IPs and domains at the perimeter.
DNS Monitoring: Set up alerts for any internal resolution of the listed domains.
Log Analysis: Review historical traffic logs (NetFlow, Web Proxy, DNS) for connections to these indicators during the specified timeframes.
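As an added example (not part of the original report), the script below turns a constructed subset of the table above into time-windowed lookups and scans a few constructed log lines. It separates hits that fall inside an indicator's observation window from hits outside it, because a low-density IP may have been re-leased since the actor used it, while a domain or subdomain match is meaningful at any time. The log line shape and the indicator subset are assumptions for the example.

```python
from datetime import date, datetime

# Constructed subset of the table above as (indicator, first_seen, last_seen);
# a domain gets the union of its rows' windows. Extend with the full table.
INDICATORS = [
    ("cloudprocenter[.]com", "2021-10-17", "2022-08-04"),
    ("92.38.160.50", "2021-10-17", "2021-11-19"),
    ("165.154.230.21", "2021-11-20", "2021-12-09"),
    ("toodblackrun[.]com", "2022-07-21", "2025-06-03"),
    ("91.245.255.50", "2024-02-03", "2025-06-03"),
]

# Constructed sample log lines in the shape "<ISO timestamp> <source> <destination>".
SAMPLE_LOG = """\
2021-12-01T10:15:02 10.0.0.5 165.154.230.21
2023-01-04T08:00:00 10.0.0.9 mail.toodblackrun.com
2024-06-01T12:00:00 10.0.0.7 92.38.160.50
2024-06-01T12:30:00 10.0.0.7 updates.example.com
"""

def build_lookup(rows):
    """Map refanged indicator -> list of (first_seen, last_seen) date windows."""
    lookup = {}
    for ind, first, last in rows:
        lookup.setdefault(ind.replace("[.]", "."), []).append(
            (date.fromisoformat(first), date.fromisoformat(last)))
    return lookup

def match_indicator(dest, lookup):
    """Exact match for IPs and hostnames; a listed domain also covers its subdomains."""
    dest = dest.lower().rstrip(".")
    for ind in lookup:
        if dest == ind or (not ind[0].isdigit() and dest.endswith("." + ind)):
            return ind
    return None

def scan(log_text, lookup):
    """Return hits as (timestamp, source, indicator, in_window). in_window is False
    when the timestamp lies outside every observation window: still worth triage,
    but weaker evidence for an IP that may since have been reassigned."""
    hits = []
    for line in log_text.splitlines():
        ts, src, dest = line.split()
        ind = match_indicator(dest, lookup)
        if ind is None:
            continue
        day = datetime.fromisoformat(ts).date()
        in_window = any(first <= day <= last for first, last in lookup[ind])
        hits.append((ts, src, ind, in_window))
    return hits
```

Run `scan(SAMPLE_LOG, build_lookup(INDICATORS))` to get three hits: two inside their windows and the 92.38.160.50 connection flagged as outside its 2021 window.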
Stay tuned for more updates as I continue to track Salt Typhoon's activity.