China-Linked Salt Typhoon breaches European Telecom via Citrix exploit

China-linked Salt Typhoon hacked a European telecom in July 2025 via a Citrix NetScaler Gateway exploit for initial access.

A European telecom firm was targeted in July 2025 by the China-linked APT group Salt Typhoon (also known as Earth Estries, FamousSparrow, GhostEmperor, UNC5807, RedMike), which exploited a Citrix NetScaler Gateway appliance to gain initial access.

In late 2024, a large-scale Chinese cyberespionage campaign targeting global telecoms was exposed and attributed by the US to the state-backed group Salt Typhoon.

In December 2024, President Biden’s deputy national security adviser Anne Neuberger said that China-linked APT group Salt Typhoon breached telecommunications companies in dozens of countries.

The Wall Street Journal reported that the senior White House official revealed that at least eight U.S. telecommunications firms were compromised in the attack.

The Salt Typhoon hacking campaign, active for 1–2 years, has targeted telecommunications providers in several dozen countries, according to a U.S. official.

Darktrace detected cyber espionage activity targeting a European telecom firm in July 2025, consistent with China-linked Salt Typhoon tactics.

The attackers exploited a Citrix NetScaler Gateway for initial access, with the initial-access activity originating from an endpoint associated with the SoftEther VPN service, and then pivoted to Citrix VDA hosts.

“The intrusion likely began with exploitation of a Citrix NetScaler Gateway appliance in the first week of July 2025. From there, the actor pivoted to Citrix Virtual Delivery Agent (VDA) hosts in the client’s Machine Creation Services (MCS) subnet.” reads the report published by Darktrace. “Initial access activities in the intrusion originated from an endpoint potentially associated with the SoftEther VPN service, suggesting infrastructure obfuscation from the outset.”

The nation-state actors deployed the SNAPPYBEE (Deed RAT) backdoor through DLL sideloading using legitimate antivirus executables (Norton, Bkav, IObit) to evade detection.

The attackers used LightNode VPS servers for C2, communicating via HTTP and an unknown TCP protocol to evade detection. The backdoor sent POST requests mimicking Internet Explorer traffic, with URIs like “/17ABE7F017ABE7F0”. One C2 domain, aar.gandhibludtric[.]com (38.54.63[.]75), was tied to Salt Typhoon.
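The indicators in the two paragraphs above (sideloaded SNAPPYBEE beaconing over HTTP POST with an Internet Explorer-style User-Agent, a 16-hex-character URI, and the C2 domain/IP) are the kind of thing a SOC would want to hunt for in proxy logs. The following script is an added example, not code from the article or from Darktrace, that triages constructed proxy-log lines against those indicators. Two things are assumptions of this example rather than facts from the page: the log format (a simple space-separated layout with a quoted User-Agent) and the generalisation of the single URI “/17ABE7F017ABE7F0” into “any POST whose path is exactly 16 uppercase hex digits, sent with an IE User-Agent”. The domain and IP are used in undefanged form so they can be matched.

```python
"""Added example: triage proxy-log lines against the SNAPPYBEE C2 indicators
quoted in the article. Not from the article or the Darktrace report.

Assumptions (not stated on the page):
- Log line format (constructed here): ts src_ip method host path "user-agent"
- The URI pattern "16 uppercase hex digits" is generalised from the single
  published example "/17ABE7F017ABE7F0"; it is a hunting heuristic, not a
  documented property of the backdoor.
"""
import re
from dataclasses import dataclass

# Indicators quoted in the article, with defanging brackets removed.
IOC_DOMAINS = {"aar.gandhibludtric.com"}
IOC_IPS = {"38.54.63.75"}
IOC_URIS = {"/17ABE7F017ABE7F0"}

# Assumed generalisation of the published URI: exactly 16 uppercase hex digits.
HEX16_PATH = re.compile(r"^/[0-9A-F]{16}$")
# Internet Explorer style User-Agent: an "MSIE n" token or the Trident engine.
IE_UA = re.compile(r"MSIE \d|Trident/", re.I)

# Constructed log format: ts src method host path "user-agent"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

ASSUMED_PATTERN = "POST with 16-hex path and IE user-agent (assumed pattern)"


@dataclass
class Hit:
    line_no: int
    src_ip: str
    host: str
    path: str
    reasons: tuple


def parse_line(line):
    """Parse one constructed proxy-log line; return None if it does not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, method, host, path, ua = m.groups()
    return {"ts": ts, "src": src, "method": method, "host": host,
            "path": path, "ua": ua}


def classify(rec):
    """Return the list of reasons a parsed record matches the indicators."""
    reasons = []
    if rec["host"] in IOC_DOMAINS or rec["host"] in IOC_IPS:
        reasons.append("known C2 indicator")
    if rec["path"] in IOC_URIS:
        reasons.append("known C2 URI")
    elif (rec["method"] == "POST" and HEX16_PATH.match(rec["path"])
          and IE_UA.search(rec["ua"])):
        # Heuristic: fires even on hosts not in the IOC list, so it can
        # surface new C2 infrastructure, at the cost of needing triage.
        reasons.append(ASSUMED_PATTERN)
    return reasons


def scan(lines):
    """Scan log lines and return Hit records for every line that matches."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line; a real pipeline would count these
        reasons = classify(rec)
        if reasons:
            hits.append(Hit(n, rec["src"], rec["host"], rec["path"], tuple(reasons)))
    return hits


# Constructed sample log (internal hosts and example.* names are made up).
SAMPLE_LOG = [
    '2025-07-03T10:15:02Z 10.20.5.17 POST aar.gandhibludtric.com /17ABE7F017ABE7F0 '
    '"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"',
    '2025-07-03T10:16:44Z 10.20.5.17 POST 38.54.63.75 /A1B2C3D4A1B2C3D4 '
    '"Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"',
    '2025-07-03T10:17:10Z 10.20.5.22 GET www.example.com /index.html '
    '"Mozilla/5.0 (Windows NT 10.0) Chrome/126.0"',
    # Hex-looking path but a Chrome User-Agent: must NOT fire the heuristic.
    '2025-07-03T10:18:30Z 10.20.5.22 POST updates.example.net /0123456789ABCDEF '
    '"Mozilla/5.0 (Windows NT 10.0) Chrome/126.0"',
    # Unknown host, but the traffic shape matches: heuristic-only hit.
    '2025-07-03T10:19:01Z 10.20.5.30 POST 203.0.113.9 /DEADBEEFDEADBEEF '
    '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"',
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.src_ip} -> {h.host}{h.path}: {', '.join(h.reasons)}")
```

The exact-match rules (domain, IP, URI) are high confidence; the shape-based rule is a deliberate over-approximation that will surface unrelated traffic on a large network and should be paired with the source host and destination reputation before it is acted on. Lines 1, 2 and 5 of the sample log are flagged; line 4 is not, because the heuristic requires the IE User-Agent as well as the hex path.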

Darktrace’s AI identified and mitigated the intrusion before escalation.

Darktrace believes the attack was likely carried out by the China-linked group Salt Typhoon (also known as Earth Estries), based on similarities in tools, methods, and infrastructure. The group is known for its stealth and use of legitimate software to hide its actions. The incident shows why traditional, signature-based security isn’t enough—detecting unusual behavior early is key to stopping such advanced threats.

“Based on overlaps in TTPs, staging patterns, infrastructure, and malware, Darktrace assesses with moderate confidence that the observed activity was consistent with Salt Typhoon/Earth Estries (ALA GhostEmperor/UNC2286).” concludes the report.


Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)
