Chinese Salt Typhoon and UNC4841 Hackers Collaborate to Target Government and Corporate Infrastructure
In late 2024, cybersecurity researchers began monitoring a sophisticated campaign targeting government and corporate networks across multiple continents. The threat actors, known as Salt Typhoon and UNC4841, utilised overlapping infrastructure and shared tactics to enhance their stealth and persistence. Initial infiltration was achieved by exploiting unpatched remote code execution vulnerabilities in public-facing servers, followed by the deployment of custom backdoors. Affected organisations reported unusual DNS queries and unexplained outbound HTTPS traffic to domains such as Pulseathermakf[.]com and Infraredsen[.]com, which were later linked to Salt Typhoon’s command-and-control (C2) network. Analysts from Silent Push noted that the adversaries often exploited a zero-day flaw in enterprise email gateways, with one incident involving UNC4841 exploiting CVE-2023-2868 in the Barracuda Email Security Gateway Appliance to gain initial access.
Post-exploitation, the attackers uploaded a tailored rootkit named Demodex, enabling kernel-level persistence and evasion of host-based detection mechanisms. Concurrently, Salt Typhoon deployed two additional backdoors, Snappybee and Ghostspider, designed to blend into legitimate traffic patterns by communicating over standard ports and employing randomised HTTP headers to evade signature-based detection. Silent Push researchers identified a convergence between the two groups when domain registration records revealed shared email registrants and SOA mbox (RNAME) entries linked to nonsensical ProtonMail addresses. This infrastructure overlap indicated a coordinated effort or resource sharing between the two Advanced Persistent Threat (APT) clusters. By correlating WHOIS registrant data with DNS A-record lookups, analysts uncovered over 45 previously unreported domains associated with both threat actors, thereby expanding the known indicator set for proactive defence measures.
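The pivoting the article describes (expanding a set of seed C2 domains through shared WHOIS registrant emails and SOA mbox values, then checking resolver logs for the expanded set) can be shown in a small Python script. The code below is an added example, not Silent Push's tooling or any indicator from the report: every domain, email address and log line in it is constructed, the log format is a dnsmasq-style line assumed for illustration, and the privacy-proxy address used to demonstrate the false-pivot caveat is a placeholder.

```python
"""Expand a C2 domain cluster by pivoting on shared registrant / SOA mbox values,
then flag DNS log lines that resolve any domain in the cluster.

All domains, emails and log lines here are constructed placeholders for the
example; they are not indicators from the Salt Typhoon / UNC4841 reporting."""
import re
from collections import defaultdict


def soa_mbox_to_email(rname: str) -> str:
    """Turn an SOA RNAME (e.g. 'hostmaster.example.com.') into mailbox form.
    Per RFC 1035 the first unescaped label is the local part; '\\.' escapes a dot."""
    rname = rname.rstrip(".")
    m = re.match(r"^((?:\\.|[^.\\])*)\.(.*)$", rname)
    if not m:
        return rname.lower()
    local = m.group(1).replace("\\.", ".")
    return f"{local}@{m.group(2)}".lower()


class DomainClusterer:
    """Maps each domain to the set of pivot values (emails) observed for it."""

    def __init__(self):
        self.domain_keys = defaultdict(set)

    def add_whois(self, domain: str, registrant_email: str) -> None:
        self.domain_keys[domain.lower()].add(registrant_email.lower())

    def add_soa(self, domain: str, rname: str) -> None:
        self.domain_keys[domain.lower()].add(soa_mbox_to_email(rname))

    def expand(self, seeds, ignore=frozenset()):
        """Breadth-first pivot from seed domains over shared values.
        `ignore` holds values that are shared by unrelated domains (registrar
        privacy proxies, generic hostmaster mailboxes) and must not be pivoted on,
        otherwise the cluster absorbs thousands of innocent domains.
        Returns (domains_in_cluster, pivot_values_used)."""
        key_domains = defaultdict(set)
        for d, keys in self.domain_keys.items():
            for k in keys:
                key_domains[k].add(d)
        seen = {s.lower() for s in seeds}
        frontier = list(seen)
        used = set()
        while frontier:
            d = frontier.pop()
            for k in self.domain_keys.get(d, ()):
                if k in ignore or k in used:
                    continue
                used.add(k)
                for other in key_domains[k]:
                    if other not in seen:
                        seen.add(other)
                        frontier.append(other)
        return seen, used


# Constructed sample records (placeholders, not real indicators).
WHOIS = [
    ("c2-seed-one.example", "registrant-alpha@proton.example"),
    ("pivot-two.example", "registrant-alpha@proton.example"),
    ("unrelated.example", "someone-else@mail.example"),
]
SOA = [
    ("pivot-two.example", "registrant-beta.proton.example."),
    ("pivot-three.example", "registrant-beta.proton.example."),
    ("c2-seed-one.example", "abuse.privacy-proxy.example."),    # shared proxy mailbox
    ("privacy-masked.example", "abuse.privacy-proxy.example."), # innocent domain, same proxy
]
PRIVACY_PROXIES = {"abuse@privacy-proxy.example"}  # values never pivoted on


def build_clusterer() -> DomainClusterer:
    c = DomainClusterer()
    for domain, email in WHOIS:
        c.add_whois(domain, email)
    for domain, rname in SOA:
        c.add_soa(domain, rname)
    return c


# Assumed dnsmasq-style resolver log: "<ts> <client> query[<type>] <qname>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) query\[(?P<type>[A-Z]+)\] (?P<qname>\S+)")
SAMPLE_LOG = [
    "2024-11-03T10:15:02Z 10.0.0.12 query[A] mail.pivot-three.example.",
    "2024-11-03T10:15:09Z 10.0.0.12 query[A] cdn.unrelated.example.",
    "2024-11-03T10:16:41Z 10.0.0.31 query[AAAA] pivot-two.example.",
    "malformed line that the parser must skip",
]


def flag_dns_log(lines, cluster):
    """Return (client, qname, matched_domain) for queries hitting the cluster,
    matching the domain itself or any subdomain of it."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        q = m.group("qname").rstrip(".").lower()
        for d in sorted(cluster):
            if q == d or q.endswith("." + d):
                hits.append((m.group("src"), q, d))
                break
    return hits


def defang(domain: str) -> str:
    return domain.replace(".", "[.]")


def run_demo():
    cluster, pivots = build_clusterer().expand(["c2-seed-one.example"], ignore=PRIVACY_PROXIES)
    for d in sorted(cluster):
        print("cluster member:", defang(d))
    return flag_dns_log(SAMPLE_LOG, cluster)


if __name__ == "__main__":
    for src, qname, matched in run_demo():
        print(f"{src} queried {defang(qname)} (cluster domain {defang(matched)})")
```

The `ignore` set is the part that matters in practice: registrar privacy services and generic hostmaster mailboxes appear in the SOA and WHOIS data of enormous numbers of legitimate domains, so a pivot that does not exclude them turns a handful of seeds into an unusable cluster. Running `expand` without the ignore set pulls `privacy-masked.example` into the cluster; with it, only the domains linked through the registrant-specific addresses survive.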
Categories: Cybersecurity Threats, Malware and Exploits, Command and Control Infrastructure
Tags: Cybersecurity, Salt Typhoon, UNC4841, Remote Code Execution, Backdoors, Command-and-Control, Zero-Day Flaw, Rootkit, Infection Chain, DNS Queries