Hackers Exploit Citrix Vulnerability and Snappybee Malware to Compromise European Telecom Network

October 21, 2025 | Ravie Lakshmanan | Cyber Espionage / Network Security

A European telecommunications company has reportedly fallen victim to a cyber intrusion attributed to a threat actor associated with the China-linked group known as Salt Typhoon.

This incident, as reported by Darktrace, took place during the first week of July 2025. Attackers exploited a vulnerability in a Citrix NetScaler Gateway appliance to gain initial access to the organization’s network.

Salt Typhoon, also tracked as Earth Estries, FamousSparrow, GhostEmperor, and UNC5807, is a China-linked advanced persistent threat actor. Active since 2019, the group is known for targeting telecommunications providers, energy companies, and government networks in the United States.

The group's playbook centers on exploiting vulnerabilities in internet-facing edge devices, establishing persistent access, and exfiltrating sensitive data; its victims span more than 80 countries across North America, Europe, the Middle East, and Africa.

In the attack on the European telecommunications company, the adversaries reportedly used their foothold on the NetScaler appliance to pivot to Citrix Virtual Delivery Agent (VDA) hosts in the victim's Machine Creation Services (MCS) subnet. They routed their traffic through SoftEther VPN to obscure its true origin.

Central to the operation was the delivery of the Snappybee malware, also known as Deed RAT, which is believed to be a successor to ShadowPad (also known as PoisonPlug), a backdoor used in earlier attacks attributed to Salt Typhoon. Snappybee is loaded via DLL side-loading, a technique that Chinese threat groups have relied on for years.

According to Darktrace, the backdoor was brought onto internal systems as a malicious DLL placed alongside legitimate executables from antivirus products, including Norton Antivirus and IObit Malware Fighter. When the trusted executable runs, it loads the attacker-supplied DLL from its own directory, so the payload executes in the context of a trusted process.
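As an added illustration (not code from Darktrace or from the article), the Python below sketches how a detection engineer might hunt for this side-loading pattern in Sysmon ImageLoad (Event ID 7) telemetry: it flags an unsigned DLL loaded from the host executable's own directory, and a well-known Windows DLL name resolved outside a system directory, raising the severity when the DLL sits in a user-writable location. The log records, executable and DLL names, and the DLL watchlist are all constructed for the example; they are not indicators from the incident, and the executables named stand in for the antivirus binaries the article mentions rather than being the actual files observed.

```python
"""Hunt for DLL side-loading in Sysmon ImageLoad (Event ID 7) telemetry.

Added example; not Darktrace's or the article's code. The JSON records below are
constructed for illustration and the executable/DLL names are hypothetical: they
stand in for the antivirus executables the article says were abused, not for the
actual files observed in the incident.
"""
import json
from pathlib import PureWindowsPath
from typing import Optional

# Loads from these directories are expected and are never flagged here.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# A DLL staged somewhere a low-privileged user can write raises the severity.
USER_WRITABLE_DIRS = (r"c:\users", r"c:\programdata", r"c:\windows\temp")

# Assumed watchlist: Windows DLL names that side-loaders commonly impersonate so the
# host executable's search order picks up the attacker's copy first.
COMMON_SIDELOAD_NAMES = {"version.dll", "dbghelp.dll", "wininet.dll", "userenv.dll", "cryptbase.dll"}

# Constructed Sysmon Event ID 7 records, reduced to the fields the rule needs.
SAMPLE_LOG = r"""
{"Image": "C:\\Program Files\\AVSuite\\avsuite.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}
{"Image": "C:\\Program Files\\AVSuite\\avsuite.exe", "ImageLoaded": "C:\\Program Files\\AVSuite\\engine.dll", "Signed": "true", "Signature": "AVSuite Inc.", "SignatureStatus": "Valid"}
{"Image": "C:\\Users\\Public\\nsec\\avsuite.exe", "ImageLoaded": "C:\\Users\\Public\\nsec\\engine.dll", "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"}
{"Image": "C:\\ProgramData\\IMF\\malwarefighter.exe", "ImageLoaded": "C:\\ProgramData\\IMF\\version.dll", "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"}
{"Image": "C:\\Program Files\\LegacyTool\\tool.exe", "ImageLoaded": "C:\\Program Files\\LegacyTool\\zlib.dll", "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"}
"""


def parse_sysmon_jsonl(text: str) -> list:
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _under(path: PureWindowsPath, roots) -> bool:
    """True if path sits anywhere below one of the given root directories."""
    return any(PureWindowsPath(root) in path.parents for root in roots)


def classify_image_load(event: dict) -> Optional[dict]:
    """Return a finding for a side-loading candidate, or None for a benign load."""
    image = PureWindowsPath(event["Image"].lower())
    loaded = PureWindowsPath(event["ImageLoaded"].lower())
    if loaded.suffix != ".dll" or _under(loaded, SYSTEM_DIRS):
        return None

    # Sysmon reports the DLL's own Authenticode state; anything short of a valid
    # signature is treated as unsigned.
    signed_ok = (str(event.get("Signed", "")).lower() == "true"
                 and str(event.get("SignatureStatus", "")).lower() == "valid")

    reasons = []
    if loaded.name in COMMON_SIDELOAD_NAMES:
        reasons.append(f"{loaded.name} resolved outside a system directory (search-order hijack)")
    if loaded.parent == image.parent and not signed_ok:
        reasons.append("unsigned DLL loaded from the host executable's own directory")
    if not reasons:
        return None  # a vendor's signed DLL beside its own executable is normal
    if _under(loaded, USER_WRITABLE_DIRS):
        reasons.append("staged under a user-writable directory")

    return {
        "process": event["Image"],
        "dll": event["ImageLoaded"],
        "reasons": reasons,
        "severity": "high" if len(reasons) >= 2 else "medium",
    }


def find_sideload_candidates(events) -> list:
    """Run the rule over a batch of events and keep only the findings."""
    return [f for f in (classify_image_load(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in find_sideload_candidates(parse_sysmon_jsonl(SAMPLE_LOG)):
        print(f"[{finding['severity']}] {finding['process']} -> {finding['dll']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

The rule deliberately ignores a signed DLL sitting next to its own signed executable, since that is how most vendor software is laid out; the unsigned-DLL-in-Program-Files case is kept at medium severity because legacy software produces it legitimately and it needs analyst triage rather than an automatic block. Event ID 7 does not carry the loading process's signer, so a production rule would join against Event ID 1 (ProcessCreate) to compare the two signatures.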

Snappybee communicated with an external command-and-control server, aar.gandhibludtric[.]com, over HTTP and a second, undetermined TCP-based protocol. The activity was detected and contained before it could cause extensive damage.

Darktrace emphasized that Salt Typhoon continues to challenge defenders through stealth, persistence, and abuse of legitimate tools. Its evolving tactics and its ability to repurpose trusted software underscore the need for detection methods that go beyond conventional approaches.
