Salt Typhoon APT Focuses on Global Telecom and Energy Industries, According to Darktrace

Cybersecurity research firm Darktrace has issued a report highlighting the ongoing threat posed by a state-sponsored group known as Salt Typhoon. This Advanced Persistent Threat (APT) group, suspected to be linked to the People’s Republic of China (PRC), continues to discover innovative methods to infiltrate critical infrastructure across the globe.

Salt Typhoon has been operational since at least 2019, primarily focusing on key sectors such as telecommunications, energy supply, and government systems in over 80 countries. Also known under aliases including Earth Estries and GhostEmperor, the group is noted for its advanced stealth techniques. Their strategies frequently involve the exploitation of custom tools and newly identified software vulnerabilities, including zero-day attacks, facilitating extended access to networks.

Salt Typhoon’s Expanding Threat Landscape

Earlier reports, including those by Hackread.com, have documented high-impact incursions by this group, such as the infiltration of a U.S. state’s Army National Guard network over nearly the entirety of 2024. Recent warnings from both the FBI and Canada’s Cyber Centre were issued in June 2025, indicating that Salt Typhoon consistently targets major global telecom infrastructures, including prominent U.S. companies like AT&T, Verizon, and T-Mobile, underlining the strategic nature of these operations.

Details of the July 2025 Intrusion Attempt

A recent blog post from Darktrace detailed an attempted intrusion targeting a European telecommunications organization, which commenced in the first week of July 2025. The attackers began by exploiting a vulnerability in a Citrix NetScaler Gateway appliance, which enabled them to advance into internal systems tied to Citrix Virtual Desktop environments.

Using a SoftEther VPN service, likely as both an entry point and a means of masking their traffic, the attackers deployed a backdoor known as SNAPPYBEE (also referred to as Deed RAT) through a technique called DLL sideloading. This technique abuses a legitimate, typically signed application, including well-known antivirus products, to load a malicious DLL placed alongside it, so the payload runs under a trusted process and slips past conventional security measures.

After successful installation, the backdoor established communication with external servers, leveraging dual-channel setups to obfuscate its activity and evade detection.
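The DLL sideloading technique described above leaves a recognisable trace in image-load telemetry: a process loads an unsigned DLL from its own directory rather than from a Windows system directory. The heuristic below, an added example that is not part of the Darktrace report or this article, runs over constructed records using the field names of a Sysmon Event ID 7 (Image loaded) event; the paths and file names are placeholders, not indicators from the intrusion.

```python
from pathlib import PureWindowsPath

# Directories from which DLL loads are expected. A trimmed list chosen for this
# example; a production rule would extend it from the environment's baseline.
SYSTEM_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64", r"C:\Windows\WinSxS")


def _under(path: str, root: str) -> bool:
    """Case-insensitive 'path lies below root' check for Windows paths."""
    return path.lower().startswith(root.lower().rstrip("\\") + "\\")


def is_suspected_sideload(event: dict) -> bool:
    """Flag an image-load event as a probable DLL sideload when the DLL is
    unsigned (or its signature is not valid), was loaded from outside the
    Windows system directories, and sits beside the host executable."""
    exe = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    if dll.suffix.lower() != ".dll":
        return False
    trusted = (event.get("Signed", "false").lower() == "true"
               and event.get("SignatureStatus") == "Valid")
    in_system_dir = any(_under(str(dll), d) for d in SYSTEM_DIRS)
    beside_exe = str(dll.parent).lower() == str(exe.parent).lower()
    return (not trusted) and (not in_system_dir) and beside_exe


def find_sideloads(events):
    """Return the subset of events matching the sideload heuristic."""
    return [e for e in events if is_suspected_sideload(e)]


# Constructed sample events (Sysmon Event ID 7 field names, placeholder paths).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\ProgramData\Updater\vendor_tool.exe", "ImageLoaded": r"C:\ProgramData\Updater\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\Vendor\app.exe", "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Vendor\app.exe", "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for e in find_sideloads(SAMPLE_EVENTS):
        print("suspected sideload:", e["Image"], "->", e["ImageLoaded"])
```

Only the second record is flagged: a signed-looking host process loading an unsigned helper.dll from its own directory. Legitimate software does ship unsigned DLLs beside its executable, so the rule is a triage signal to pair with the process's network behaviour, not a verdict on its own.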

The Importance of Timely Detection in Cyber Defense

Fortunately, the intrusion attempt was thwarted before it could escalate significantly. Darktrace’s anomaly-based detection system, known as Cyber AI Analyst, is adept at identifying minute deviations in standard network activity, successfully flagging the attack in its nascent stages.

Darktrace has emphasized that Salt Typhoon’s reliance on stealth, persistence, and the exploitation of legitimate tools makes it imperative for organizations to monitor for unusual network behavior. Thus, leveraging a detection strategy that extends beyond traditional signature matching becomes critical in identifying early signs of invisible threats.

Neil Pathare, Associate Principal Consultant at Black Duck, underscored the necessity of evolving from signature-based detection mechanisms to tackle intrusion activities. He advocates for implementing a zero-trust model to ensure ongoing verification and continuous monitoring for suspicious behaviors across networks and peripheral devices. This proactive strategy enables organizations to retain confidence in their software innovations while navigating the increasingly perilous cybersecurity landscape.
