Salt Typhoon Strikes European Telecom Sector


Darktrace Reports on Compromise of Citrix NetScaler Gateway


Recent reports from the managed threat detection firm Darktrace indicate that a persistent campaign by the Chinese cyber espionage group known as Salt Typhoon continues unabated, specifically targeting telecommunications companies worldwide.

In a statement issued on Monday, Darktrace said it detected activity indicative of Salt Typhoon in July, linked to a breach of a European telecom operator. The group, also tracked as Earth Estries, GhostEmperor, and UNC2286, is believed to operate with the support of multiple private hacking firms that serve various Chinese government entities, as analyses of previously leaked data have shown.

Salt Typhoon has historically identified telecoms and critical digital infrastructure as primary targets, gaining notoriety after compromising nine U.S. telecom servers in a wide-ranging attack made public in December 2024. An advisory issued by the Five Eyes intelligence alliance and affiliated partners in August highlighted that Salt Typhoon actively monitors global communications and movements, raising alarms about its capabilities.

Recurring targets include network equipment such as Cisco switches, Ivanti network gateways, and Palo Alto Networks devices. The group's methodology maps onto tactics in the MITRE ATT&CK framework, including initial access, persistence, and privilege escalation.

In the European telecom incident, the attackers are believed to have gained initial access through the Citrix NetScaler Gateway and then pivoted to Citrix Virtual Delivery Agent hosts within the client's Machine Creation Services subnet, the infrastructure that delivers its virtual desktop environments.

A distinguishing tactic of Salt Typhoon is its reliance on “living off the land,” in which legitimate tools already present on the victim's systems are abused so that malicious activity blends in with normal operations. In this instance, the attackers used legitimate antivirus executables for DLL side-loading: a malicious DLL placed alongside a trusted, signed binary is loaded by that binary and its payload runs under the binary's cover.
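The side-loading pattern just described leaves a recognisable trace in endpoint image-load telemetry: a signed executable loads a DLL that is not in System32, sits next to the executable or in a user-writable path, and is unsigned or signed by someone else. The following detection script is an added example, not Darktrace's code or anything from the incident; the record shape is constructed (loosely modelled on the fields an endpoint sensor such as Sysmon exposes for image loads), and the paths, vendor and signer names in the sample events are made up.

```python
"""Spot DLL side-loading candidates in image-load telemetry (added example).

Heuristic: a DLL is suspicious when it comes from a location it should not
(next to the executable or in a user-writable path, and not the genuine
System32 copy) AND its signature does not match the executable that loaded it.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Libraries that normally live in System32; a copy sitting next to a trusted
# executable is a classic side-loading lure. Illustrative, not exhaustive.
SYSTEM_DLL_NAMES = {"version.dll", "wtsapi32.dll", "cryptbase.dll",
                    "userenv.dll", "dbghelp.dll"}


@dataclass(frozen=True)
class ImageLoad:
    process: str          # full path of the executable that loaded the DLL
    process_signer: str   # signer of that executable
    dll: str              # full path of the loaded DLL
    dll_signer: str = ""  # "" means unsigned


@dataclass(frozen=True)
class Finding:
    process: str
    dll: str
    reasons: tuple


def side_load_reasons(ev: ImageLoad) -> tuple:
    """Return the reasons an event looks like side-loading, or () if benign."""
    dll = PureWindowsPath(ev.dll.lower())
    proc = PureWindowsPath(ev.process.lower())
    dll_dir = str(dll.parent)
    if dll_dir.startswith(SYSTEM_DIRS):   # str.startswith accepts a tuple
        return ()                         # genuine system copy: expected

    location, signer = [], []
    if dll.parent == proc.parent:
        location.append("DLL loaded from the executable's own directory")
    if dll_dir.startswith(WRITABLE_PREFIXES):
        location.append("DLL resides in a user-writable path")
    if dll.name in SYSTEM_DLL_NAMES:
        location.append(f"{dll.name} normally lives in System32")
    if not ev.dll_signer:
        signer.append("DLL is unsigned")
    elif ev.dll_signer != ev.process_signer:
        signer.append(f"DLL signer '{ev.dll_signer}' differs from "
                      f"process signer '{ev.process_signer}'")
    # Both a location anomaly and a signer anomaly are required; either one
    # alone is common for legitimate software and would flood analysts.
    return tuple(location + signer) if location and signer else ()


def scan(events) -> list:
    """Run the heuristic over a batch of events and keep only the hits."""
    return [Finding(ev.process, ev.dll, r)
            for ev in events if (r := side_load_reasons(ev))]


# Constructed sample telemetry; paths, vendor and signer names are made up.
SAMPLE_EVENTS = [
    # trusted AV scanner copied into a temp dir next to an unsigned version.dll
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\avscan\avscanner.exe",
              "Example AV Vendor",
              r"C:\Users\alice\AppData\Local\Temp\avscan\version.dll"),
    # same scanner, installed normally, loading the real system version.dll
    ImageLoad(r"C:\Program Files\Example AV\avscanner.exe", "Example AV Vendor",
              r"C:\Windows\System32\version.dll", "Microsoft Windows"),
    # vendor's own plugin DLL with the same signer: location hit, no signer hit
    ImageLoad(r"C:\Program Files\Example AV\avscanner.exe", "Example AV Vendor",
              r"C:\Program Files\Example AV\avcore.dll", "Example AV Vendor"),
    # signed updater in ProgramData loading an unsigned wtsapi32.dll beside it
    ImageLoad(r"C:\ProgramData\updater\updater.exe", "Example AV Vendor",
              r"C:\ProgramData\updater\wtsapi32.dll"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.process} -> {f.dll}")
        for reason in f.reasons:
            print("   -", reason)
```

Requiring both a location anomaly and a signer anomaly is the design choice that keeps this usable: plenty of legitimate software ships its own DLLs beside the executable, and plenty of unsigned DLLs are loaded from System32 paths, but a signed binary pulling an unsigned copy of a system library from a temp directory is rare enough to be worth an analyst's time.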

The attackers also embedded a backdoor in the telecom's infrastructure, which communicated with attacker-controlled virtual private servers over HTTP and over a second, undisclosed TCP-based control channel. Darktrace notes that this layered approach is consistent with Salt Typhoon's known preference for non-standard protocols as a way of evading detection.
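When a backdoor talks over a custom TCP protocol rather than one an IDS already parses, signatures on the wire format are of limited use, but the check-in behaviour itself is still visible in flow records: many connections from one internal host to one external endpoint at a near-constant interval. The script below is an added example of that regularity check; it is not Darktrace's detection logic, the flow record shape is constructed, and the addresses come from the RFC 5737 documentation ranges rather than from the incident.

```python
"""Beacon detection over connection records (added example).

Groups flows by (src, dst, dport, proto) and flags groups whose inter-arrival
times are nearly constant, measured as the coefficient of variation
(standard deviation / mean) of the gaps between successive connections.
"""
import statistics
from collections import defaultdict
from dataclasses import dataclass

STANDARD_WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Flow:
    ts: float   # seconds since epoch when the connection was opened
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def beacon_candidates(flows, min_flows=8, max_cv=0.25):
    """Return one dict per (src, dst, dport, proto) group whose gaps between
    connections have a coefficient of variation <= max_cv."""
    by_key = defaultdict(list)
    for f in flows:
        by_key[(f.src, f.dst, f.dport, f.proto)].append(f.ts)
    hits = []
    for key in sorted(by_key):
        times = sorted(by_key[key])
        if len(times) < min_flows:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            src, dst, dport, proto = key
            hits.append({
                "src": src, "dst": dst, "dport": dport, "proto": proto,
                "period_s": round(mean, 1), "cv": round(cv, 3),
                # a steady heartbeat on a port other than 80/443 is the
                # "non-standard protocol" case that deserves a closer look
                "nonstandard_port": dport not in STANDARD_WEB_PORTS,
            })
    return hits


def _series(src, dst, dport, start, period, jitter, n):
    """Constructed flows at a fixed period plus a repeating jitter pattern."""
    return [Flow(start + i * period + jitter[i % len(jitter)], src, dst, dport)
            for i in range(n)]


def _irregular(src, dst, dport, start, gaps):
    """Constructed flows with arbitrary gaps, e.g. a user browsing a site."""
    flows, t = [], start
    for g in [0] + gaps:
        t += g
        flows.append(Flow(t, src, dst, dport))
    return flows


T0 = 1_700_000_000.0
SAMPLE_FLOWS = (
    # HTTP channel: check-in every 60 s with +-1 s jitter
    _series("10.20.30.40", "198.51.100.7", 80, T0, 60, [0, 1, -1], 10)
    # second channel on a non-standard TCP port, every 5 minutes
    + _series("10.20.30.40", "203.0.113.10", 9001, T0 + 7, 300, [0, 3, -2, 1], 12)
    # ordinary browsing to an HTTPS site: bursty, no stable period
    + _irregular("10.20.30.40", "192.0.2.5", 443, T0 + 11,
                 [5, 120, 2, 900, 30, 7, 450, 15, 60, 3, 200])
)

if __name__ == "__main__":
    for h in beacon_candidates(SAMPLE_FLOWS):
        print(h)
```

The thresholds are deliberately simple so the idea is clear: `min_flows` stops a handful of coincidental connections from scoring, and `max_cv` sets how much jitter a channel may add before it stops looking periodic. Both the HTTP check-in and the custom-port channel in the constructed data score as beacons, while the bursty HTTPS browsing does not, which is the point: the method keys on timing, not on the protocol the operator chose.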

While Darktrace did not specify which vulnerability in the Citrix NetScaler Gateway was exploited, Citrix had previously patched two vulnerabilities in the product, CVE-2025-5777 and CVE-2025-6543, which when exploited allowed multifactor authentication bypass and unauthorized access. Such vulnerabilities underscore the importance of robust security measures in safeguarding against ever-evolving cyber threats.
