
A European telecommunications organization is said to have been targeted by threat actors affiliated with a Chinese-aligned cyber-espionage group known as Salt Typhoon.
According to Darktrace, the organization was targeted in the first week of July 2025, and the attackers gained initial access by exploiting the Citrix NetScaler Gateway appliance.
Salt Typhoon, also known as Earth Estries, FamousSparrow, GhostEmperor, and UNC5807, is the name given to an advanced persistent threat actor with ties to China. The group has been active since at least 2019 and rose to prominence last year following attacks on telecommunications service providers, energy networks, and government systems in the United States.
This attacker has a track record of exploiting security flaws in edge devices, maintaining deep persistence, and exfiltrating sensitive data from victims in more than 80 countries across North America, Europe, the Middle East, and Africa.
In this incident observed against a European telecommunications operator, the attackers allegedly used that foothold to move to Citrix Virtual Delivery Agent (VDA) hosts in the client’s Machine Creation Services (MCS) subnet, while simultaneously using SoftEther VPN to hide their true origin.

One of the malware families delivered as part of the attack is Snappybee (aka Deed RAT), which appears to be a successor to the ShadowPad (aka PoisonPlug) malware seen in previous Salt Typhoon attacks. The malware is launched using a technique called DLL sideloading, which many Chinese hacking groups have adopted over the years.
“The backdoor was delivered to these internal endpoints as a DLL, along with legitimate executables from antivirus software such as Norton Antivirus, Bkav Antivirus, and IObit Malware Fighter,” Darktrace said. “This pattern of activity indicates that the attackers rely on DLL sideloading through legitimate antivirus software to execute their payloads.”
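As an added illustration of how a defender can hunt for the sideloading pattern described above (this is example code, not from Darktrace's report or this article), the following Python sweeps constructed Sysmon Event ID 7 (ImageLoad) records and flags DLLs that a host executable loaded from its own directory without a valid signature; all paths, vendor names and signers are made-up samples.

```python
import csv
import io
from pathlib import PureWindowsPath

# Constructed Sysmon Event ID 7 (ImageLoad) records flattened to CSV. Paths,
# vendor names and signers are made-up samples, not indicators from the report.
SAMPLE_EVENTS = """\
Image,ImageLoaded,Signed,Signature,SignatureStatus
C:\\Program Files\\ExampleAV\\avscan.exe,C:\\Windows\\System32\\kernel32.dll,true,Microsoft Windows,Valid
C:\\Program Files\\ExampleAV\\avscan.exe,C:\\Program Files\\ExampleAV\\avcore.dll,true,ExampleAV Corp,Valid
C:\\Users\\Public\\Libraries\\avscan.exe,C:\\Users\\Public\\Libraries\\avcore.dll,false,,Unavailable
C:\\ProgramData\\upd\\mfight.exe,C:\\ProgramData\\upd\\log.dll,true,Unknown Publisher Ltd,Invalid
"""

SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
# Locations a standard user can write to; a vendor EXE executing from here is itself unusual.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def assess_image_load(ev):
    """Return the reasons one ImageLoad record looks like DLL sideloading, or [] if benign."""
    exe = PureWindowsPath(ev["Image"])
    dll = PureWindowsPath(ev["ImageLoaded"])
    dll_dir = str(dll.parent).lower()
    if dll.suffix.lower() != ".dll" or dll_dir.startswith(SYSTEM_DIRS):
        return []  # OS libraries resolved from system directories are the normal case
    same_dir = dll_dir == str(exe.parent).lower()
    untrusted = ev["Signed"].lower() != "true" or ev["SignatureStatus"] != "Valid"
    if not (same_dir and untrusted):
        return []  # a vendor's own validly signed DLLs beside its EXE are expected
    reasons = ["DLL loaded from the host executable's own directory",
               "DLL unsigned or its signature is not valid"]
    if dll_dir.startswith(USER_WRITABLE):
        reasons.append("executable and DLL sit in a user-writable directory")
    return reasons


def find_sideload_candidates(csv_text):
    """Parse the CSV records and return (host exe, dll, reasons) for each suspicious load."""
    findings = []
    for ev in csv.DictReader(io.StringIO(csv_text)):
        reasons = assess_image_load(ev)
        if reasons:
            findings.append((ev["Image"], ev["ImageLoaded"], reasons))
    return findings


if __name__ == "__main__":
    for exe, dll, reasons in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"{exe} loaded {dll}: {'; '.join(reasons)}")
```

In practice the same logic runs over a SIEM export of ImageLoad events; the user-writable check matters because the legitimate antivirus binaries named above normally live under Program Files, not in a staging directory the attacker can populate.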
This malware is designed to connect to an external server (‘aar.gandhibludtric’). Darktrace said the intrusion was identified and remediated before it escalated further.
“Salt Typhoon continues to challenge defenders with its stealth, tenacity, and misuse of legitimate tools,” the company added. “The evolving nature of Salt Typhoon tradecraft and its ability to reuse trusted software and infrastructure ensure that it will continue to be difficult to detect using traditional methods alone.”
