
Salt Typhoon Targets European Telecom Firm via Citrix Exploit


A European telecommunications organization recently faced an attack from a threat actor that aligns with the China-nexus cyber espionage group known as Salt Typhoon.

According to Darktrace, the attackers struck in the first week of July 2025, exploiting a Citrix NetScaler Gateway appliance to gain initial access.

Salt Typhoon, also known as Earth Estries, FamousSparrow, GhostEmperor, and UNC5807, represents an advanced persistent threat group with strong ties to China. The group has operated actively since 2019 and gained prominence last year after launching attacks on telecommunications service providers, energy networks, and government systems across the United States.

Over time, the adversary has built a reputation for exploiting security flaws in edge devices, maintaining deep persistence, and exfiltrating sensitive data from victims in more than 80 countries spanning North America, Europe, the Middle East, and Africa.

During the incident targeting the European telecommunications entity, the attackers leveraged their initial foothold to pivot into Citrix Virtual Delivery Agent (VDA) hosts within the client’s Machine Creation Services (MCS) subnet. They also used SoftEther VPN to conceal their true origin and maintain operational stealth.

As part of the attack, the threat actors delivered a malware family known as Snappybee (aka Deed RAT). Analysts suspect this strain is the successor to ShadowPad (aka PoisonPlug), malware previously linked to Salt Typhoon operations. The attackers deployed the malware through DLL side-loading, a technique widely adopted by several Chinese hacking groups over the years.

“The backdoor was delivered to these internal endpoints as a DLL alongside legitimate executable files for antivirus software such as Norton Antivirus, Bkav Antivirus, and IObit Malware Fighter,” Darktrace explained. “This pattern of activity indicates that the attacker relied on DLL side-loading via legitimate antivirus software to execute their payloads.”
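A detection heuristic for the side-loading pattern described above, added here as an example and not part of Darktrace's report or tooling. It reads Sysmon-style image-load records: the field names follow Sysmon Event ID 7, while the paths, signer strings and DLL names are constructed and the vendor hints come only from the products named in the report.

```python
from pathlib import PureWindowsPath

# Vendor strings taken from the report (Norton, Bkav, IObit); matched against
# the host executable's file name. Extend the tuple for your own estate.
AV_VENDOR_HINTS = ("norton", "bkav", "iobit")
# Locations where a legitimate AV executable is expected to live.
TRUSTED_ROOTS = ("c:/program files", "c:/windows")

def _under(path: PureWindowsPath, roots) -> bool:
    p = path.as_posix().lower()
    return any(p.startswith(r) for r in roots)

def sideload_findings(event: dict) -> list:
    """Return the reasons an ImageLoaded event looks like DLL side-loading
    through a trusted antivirus executable. Empty list means no finding."""
    host = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    if not any(h in host.name.lower() for h in AV_VENDOR_HINTS):
        return []          # not an AV-branded host process
    if dll.parent != host.parent:
        return []          # DLL is not beside the executable: the side-loading
                           # precondition (search-order hijack in its own dir) is absent
    reasons = []
    signed_ok = (event.get("Signed", "false").lower() == "true"
                 and event.get("SignatureStatus", "") == "Valid")
    if not signed_ok:
        reasons.append("unsigned_or_invalid_dll_beside_av_exe")
    if not _under(host, TRUSTED_ROOTS):
        reasons.append("av_exe_running_outside_install_roots")
    return reasons

def scan(events):
    """Pair each triggering event's index with its reasons."""
    return [(i, r) for i, e in enumerate(events) if (r := sideload_findings(e))]

# Constructed sample records: a normal install loading its own signed DLL, the
# same binary loading ntdll from System32, and a copy of the binary dropped into
# a user-writable folder next to an unsigned DLL (the pattern in the report).
EVENTS = [
    {"Image": r"C:\Program Files\Norton\Engine\nortonsecurity.exe",
     "ImageLoaded": r"C:\Program Files\Norton\Engine\nsengine.dll",
     "Signed": "true", "Signature": "constructed vendor signer", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Norton\Engine\nortonsecurity.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\Public\Libraries\nortonsecurity.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\nsengine.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for i, reasons in scan(EVENTS):
        print(f"event {i}: {EVENTS[i]['ImageLoaded']} -> {', '.join(reasons)}")
```

The same two conditions map onto any EDR that records image loads with signer verification; only the field names change.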

The malware attempts to contact an external server, “aar.gandhibludtric[.]com,” over HTTP and an unidentified TCP-based protocol. Darktrace detected and remediated the intrusion before the attackers could escalate their access any further.

“Salt Typhoon continues to challenge defenders with its stealth, persistence, and abuse of legitimate tools,” the company noted. “The evolving nature of Salt Typhoon’s tradecraft, and its ability to repurpose trusted software and infrastructure, ensures it will remain difficult to detect using conventional methods alone.”

Source: TheHackerNews
