A European telecommunications organization is said to have been targeted by a threat actor that aligns with a China-nexus cyber espionage group known as Salt Typhoon.
The organization, per Darktrace, was targeted in the first week of July 2025, with the attackers exploiting a Citrix NetScaler Gateway appliance to obtain initial access.
Salt Typhoon, also known as Earth Estries, FamousSparrow, GhostEmperor, and UNC5807, is the name given to an advanced persistent threat actor with ties to China. Known to be active since 2019, the group gained prominence last year following its attacks on telecommunications services providers, energy networks, and government systems in the U.S.
The adversary has a track record of exploiting security flaws in edge devices, maintaining deep persistence, and exfiltrating sensitive data from victims in more than 80 countries across North America, Europe, the Middle East, and Africa.
In the incident observed against the European telecommunications entity, the attackers are said to have leveraged the foothold to pivot to Citrix Virtual Delivery Agent (VDA) hosts in the client’s Machine Creation Services (MCS) subnet, while also using SoftEther VPN to obscure their true origins.
One of the malware families delivered as part of the attack is Snappybee (aka Deed RAT), a suspected successor to the ShadowPad (aka PoisonPlug) malware that has been deployed in prior Salt Typhoon attacks. The malware is launched by means of a technique called DLL side-loading, which has been adopted by a number of Chinese hacking groups over the years.
“The backdoor was delivered to these internal endpoints as a DLL alongside legitimate executable files for antivirus software such as Norton Antivirus, Bkav Antivirus, and IObit Malware Fighter,” Darktrace said. “This pattern of activity indicates that the attacker relied on DLL side-loading via legitimate antivirus software to execute their payloads.”
The malware is designed to contact an external server (“aar.gandhibludtric[.]com”) over HTTP and an unidentified TCP-based protocol. Darktrace said the intrusion activity was identified and remediated before it could escalate further.
“Salt Typhoon continues to challenge defenders with its stealth, persistence, and abuse of legitimate tools,” the company added. “The evolving nature of Salt Typhoon’s tradecraft, and its ability to repurpose trusted software and infrastructure, ensures it will remain difficult to detect using conventional methods alone.”
Update
Cybersecurity company Silent Push, in a follow-up analysis on October 24, 2025, said it first observed the C2 domain “aar.gandhibludtric[.]com” resolving to the IP address 38.54.63.75 starting May 5, 2025.
“Salt Typhoon leveraged LightNode VPS infrastructure, using both HTTP and a custom TCP protocol to communicate,” it said. “Their HTTP traffic included POST requests with Internet Explorer user agents and URI patterns like /17ABE7F017ABE7F0, aligning with known Salt Typhoon behavior.”
