Cyberwire Daily
Salt Typhoon Uses Citrix Flaw in Global Cyber-Attack

By Team-CWD, October 20, 2025
Cybersecurity researchers have identified an intrusion linked to the China-based group Salt Typhoon that began with the exploitation of a vulnerability in a Citrix NetScaler Gateway appliance.

The operation, observed by Darktrace, combined DLL sideloading with zero-day exploitation, techniques the group is known to use to get into networks while evading standard detection controls.

A Persistent Global Threat

Salt Typhoon, also known as Earth Estries, GhostEmperor and UNC2286, has been active since at least 2019.

The group is associated with a series of high-impact cyber campaigns directed at critical sectors, including telecommunications, energy and government systems, across more than 80 countries. While the United States has been a frequent target, recent activity shows a broader reach across Europe, the Middle East and Africa.

Its operations typically exploit vulnerabilities in technologies from vendors such as Citrix, Fortinet and Cisco.

The group has demonstrated long-term persistence in victim networks, using custom malware and advanced evasion techniques to collect sensitive data and, in some cases, disrupt essential services.

European Telecoms Under Fire

In a new advisory published today, Darktrace said it recorded intrusion activity within a European telecommunications organization that matched Salt Typhoon’s known tactics, techniques and procedures (TTPs).

The incident began in July 2025, when attackers exploited a Citrix NetScaler Gateway appliance. From there, they moved laterally to Citrix Virtual Delivery Agent hosts within the organization’s internal network. Infrastructure linked to the SoftEther VPN service was used to obscure the attackers’ origin.

The threat actors deployed a backdoor identified as SNAPPYBEE (also known as Deed RAT) through DLL sideloading: a malicious DLL was placed in the same directory as legitimate executables from antivirus products such as Norton, Bkav and IObit, so that the trusted binary loaded it when it ran. This let the attackers execute malicious code under the identity of trusted software, reducing the likelihood of detection.
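The sideloading pattern just described can be surfaced from endpoint telemetry. The following is an added example, not Darktrace's code or anything taken from its report: a Python heuristic over constructed Sysmon Event ID 7 (Image loaded) records that flags a signed executable loading, from its own directory, a DLL that is either unsigned or signed by a different publisher, and raises the severity when that executable runs from outside the standard program directories. The file names, the vendor name "Example AV Vendor Inc." and the HostSigned/HostSignature fields are assumptions; real Sysmon 7 events carry a signature only for the loaded module, so the host's signing state is treated here as joined in from other telemetry.

```python
import ntpath
from dataclasses import dataclass, field
from typing import List, Optional

# Directories where a signed program loading a DLL that sits beside it is routine.
# A vendor EXE running anywhere else (Public, a user profile, ProgramData, temp)
# while loading a co-located DLL is the classic sideloading set-up.
TRUSTED_DIR_PREFIXES = (r"c:\windows\system32", r"c:\windows\syswow64",
                        r"c:\program files", r"c:\program files (x86)")


@dataclass
class Alert:
    host: str
    dll: str
    severity: str
    reasons: List[str] = field(default_factory=list)


def check_sideload(rec: dict) -> Optional[Alert]:
    """Inspect one Sysmon Event ID 7 (Image loaded) record, given as its EventData
    fields. Sysmon carries Signed/Signature only for the loaded module; HostSigned
    and HostSignature are assumed to be joined in from other telemetry (they are
    not native Sysmon fields). Returns None when the load looks legitimate."""
    host_dir = ntpath.dirname(rec["Image"]).lower()
    dll_dir = ntpath.dirname(rec["ImageLoaded"]).lower()
    if host_dir != dll_dir:
        return None  # sideloading relies on the loader searching the EXE's directory first
    if rec["HostSigned"].lower() != "true":
        return None  # an unsigned host lends no borrowed trust worth abusing

    reasons = []
    if rec["Signed"].lower() != "true":
        reasons.append("signed host loaded an unsigned DLL from its own directory")
    elif rec["Signature"].lower() != rec["HostSignature"].lower():
        reasons.append(f"DLL signer '{rec['Signature']}' differs from host signer '{rec['HostSignature']}'")
    if not reasons:
        return None  # a vendor EXE loading its own vendor-signed DLL is normal

    in_trusted_dir = host_dir.startswith(TRUSTED_DIR_PREFIXES)
    if not in_trusted_dir:
        reasons.append("host binary runs outside the standard program directories")
    return Alert(host=ntpath.basename(rec["Image"]), dll=ntpath.basename(rec["ImageLoaded"]),
                 severity="high" if not in_trusted_dir else "medium", reasons=reasons)


def detect_sideloading(records: List[dict]) -> List[Alert]:
    return [a for a in (check_sideload(r) for r in records) if a is not None]


# Constructed Sysmon 7 records; paths and "Example AV Vendor Inc." are made up.
_HOST = r"C:\Users\Public\Libraries\avscan.exe"
SAMPLE_EVENTS = [
    {   # vendor EXE in Program Files loads its own vendor-signed DLL: benign
        "UtcTime": "2025-07-15 08:01:10.100",
        "Image": r"C:\Program Files\ExampleAV\avscan.exe",
        "HostSigned": "true", "HostSignature": "Example AV Vendor Inc.",
        "ImageLoaded": r"C:\Program Files\ExampleAV\avcore.dll",
        "Signed": "true", "Signature": "Example AV Vendor Inc."},
    {   # system DLL from System32: benign
        "UtcTime": "2025-07-15 08:02:31.412", "Image": _HOST,
        "HostSigned": "true", "HostSignature": "Example AV Vendor Inc.",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "Signed": "true", "Signature": "Microsoft Windows"},
    {   # copied vendor EXE in a Public folder loads an unsigned DLL beside it: sideload
        "UtcTime": "2025-07-15 08:02:31.420", "Image": _HOST,
        "HostSigned": "true", "HostSignature": "Example AV Vendor Inc.",
        "ImageLoaded": r"C:\Users\Public\Libraries\log.dll",
        "Signed": "false", "Signature": ""},
    {   # same EXE loads a DLL signed by an unrelated publisher: sideload
        "UtcTime": "2025-07-15 08:02:31.433", "Image": _HOST,
        "HostSigned": "true", "HostSignature": "Example AV Vendor Inc.",
        "ImageLoaded": r"C:\Users\Public\Libraries\helper.dll",
        "Signed": "true", "Signature": "Unrelated Publisher Ltd"},
]

if __name__ == "__main__":
    for a in detect_sideloading(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.host} -> {a.dll}: {'; '.join(a.reasons)}")
```

The same-directory check is what makes this a sideloading rule rather than a generic unsigned-DLL rule: the Windows loader resolves an unqualified DLL name against the executable's own directory before the system directories, which is exactly the behaviour the attackers abuse. Tune TRUSTED_DIR_PREFIXES to the estate; software that legitimately runs from ProgramData will otherwise generate medium-severity noise.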

The deployed backdoor established communication with command-and-control (C2) servers using both HTTP and unidentified TCP-based protocols.

HTTP traffic included Internet Explorer User-Agent headers and URI patterns such as “/17ABE7F017ABE7F0.” One of the C2 domains, aar.gandhibludtric[.]com, was previously associated with Salt Typhoon infrastructure.
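As an added example (not from Darktrace or the original report), here is Python hunting logic that runs the published indicators against a constructed tab-separated proxy log: the C2 domain and URI quoted above are treated as hard IOCs, while the Internet Explorer User-Agent and a generalised "eight hex digits repeated" URI shape are weak signals that only alert in combination. The log format, the client IPs, the example hostnames, the User-Agent strings and the generalised URI regex are assumptions; only the domain and the URI come from the report.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


def refang(indicator: str) -> str:
    """Turn a de-fanged indicator such as 'aar.gandhibludtric[.]com' back into a hostname."""
    return indicator.replace("[.]", ".").strip().lower()


# Hard indicators quoted in the report.
KNOWN_C2_DOMAINS = {refang("aar.gandhibludtric[.]com")}
KNOWN_C2_URIS = {"/17ABE7F017ABE7F0"}

# Assumption: generalise the single observed URI to "sixteen upper-case hex digits whose
# second half repeats the first". With one sample this is a weak heuristic, not an IOC.
REPEATED_HEX_URI = re.compile(r"^/([0-9A-F]{8})\1$")

# Internet Explorer identifies itself with "MSIE <ver>" (IE 10 and older) or
# "Trident/<ver>" (IE 7 to 11); both are rare in current traffic but not unique to malware.
IE_USER_AGENT = re.compile(r"\bMSIE \d|\bTrident/\d")


@dataclass
class ProxyEvent:
    ts: str
    src_ip: str
    host: str
    uri: str
    user_agent: str


def parse_line(line: str) -> Optional[ProxyEvent]:
    """Parse one record of the constructed tab-separated proxy log:
    timestamp<TAB>client-ip<TAB>host<TAB>uri<TAB>user-agent."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 5:
        return None
    ts, src_ip, host, uri, ua = parts
    return ProxyEvent(ts, src_ip, refang(host), uri, ua)


def score(ev: ProxyEvent) -> List[str]:
    """List the indicators an event matches; entries starting 'known' are hard IOCs."""
    reasons = []
    if ev.host in KNOWN_C2_DOMAINS:
        reasons.append("known Salt Typhoon C2 domain")
    if ev.uri in KNOWN_C2_URIS:
        reasons.append("known SNAPPYBEE C2 URI")
    elif REPEATED_HEX_URI.match(ev.uri):
        reasons.append("repeated-hex URI (heuristic)")
    if IE_USER_AGENT.search(ev.user_agent):
        reasons.append("Internet Explorer User-Agent")
    return reasons


def hunt(lines) -> List[Tuple[ProxyEvent, List[str]]]:
    """Alert on any hard IOC, or on two or more weak signals together; an IE
    User-Agent on its own is far too common to page anyone about."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        reasons = score(ev)
        if any(r.startswith("known") for r in reasons) or len(reasons) >= 2:
            hits.append((ev, reasons))
    return hits


# Constructed sample log: a benign request, the beacon shape described in the report,
# a heuristic-only match, and an IE User-Agent on its own. Hosts and IPs are made up
# except for the report's C2 domain.
SAMPLE_LOG = (
    "2025-07-14T09:12:01Z\t10.20.5.17\twww.example.com\t/index.html\t"
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0 Safari/537.36\n"
    "2025-07-14T09:12:44Z\t10.20.5.17\taar.gandhibludtric.com\t/17ABE7F017ABE7F0\t"
    "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko\n"
    "2025-07-14T09:13:02Z\t10.20.5.31\tcdn.example.net\t/ABCDEF01ABCDEF01\t"
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)\n"
    "2025-07-14T09:13:30Z\t10.20.5.31\tupdates.example.org\t/v2/check\t"
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)\n"
)

if __name__ == "__main__":
    for ev, reasons in hunt(SAMPLE_LOG.splitlines()):
        print(f"{ev.ts} {ev.src_ip} -> {ev.host}{ev.uri}: {', '.join(reasons)}")
```

Keeping the hard IOCs and the weak heuristics in separate tiers matters in practice: the domain and URI will age out as the operators rotate infrastructure, while the combination of a legacy browser User-Agent with an opaque hex path is the kind of behavioural signal that survives such rotation, provided it is only raised when several signals coincide.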

Broader Implications

Based on overlaps in tactics, infrastructure and malware, researchers assessed the activity as consistent with Salt Typhoon’s previous operations.

The case reflects the group’s continued focus on stealth and persistence through the abuse of legitimate software and layered communication methods.

“As attackers increasingly blend into normal operations, detecting behavioral anomalies becomes essential for identifying subtle deviations and correlating disparate signals,” Darktrace warned.

“This intrusion highlights the importance of proactive defense, where anomaly-based detections, not just signature matching, play a critical role in surfacing early-stage activity.”


