Salt Typhoon Targets European Telecoms via Citrix Exploit
A European telecommunications organization was recently targeted by a China-linked cyber espionage group known as Salt Typhoon

CYBER SYRUP
A European telecommunications organization was recently targeted by a China-linked cyber espionage group known as Salt Typhoon, according to cybersecurity firm Darktrace. The incident, which occurred in early July 2025, demonstrates the group’s continued focus on critical infrastructure sectors and its use of advanced persistence techniques to evade detection.
Background on Salt Typhoon
Salt Typhoon—also tracked under aliases such as Earth Estries, FamousSparrow, GhostEmperor, and UNC5807—is an advanced persistent threat (APT) group believed to operate on behalf of Chinese state interests.
Active since at least 2019, the group has targeted organizations in over 80 countries, spanning telecommunications, energy, and government networks. Salt Typhoon is particularly known for exploiting edge devices such as firewalls, VPNs, and remote access gateways to gain initial entry into enterprise systems, after which it maintains deep, long-term persistence to exfiltrate sensitive data.
Initial Intrusion: Citrix Exploitation
In the most recent attack, Salt Typhoon gained initial access by exploiting a vulnerability in a Citrix NetScaler Gateway appliance. Once inside, the threat actors pivoted laterally to Citrix Virtual Delivery Agent (VDA) hosts located within the target’s Machine Creation Services (MCS) subnet.
To conceal their origin and maintain command-and-control communications, the attackers used SoftEther VPN, a legitimate open-source VPN tool commonly abused by espionage groups for operational anonymity.
Malware Deployment: Snappybee (Deed RAT)
The attackers deployed a backdoor known as Snappybee, also referred to as Deed RAT—a suspected successor to the ShadowPad malware family previously used in multiple Chinese state-linked operations.
Snappybee was installed using a DLL side-loading technique, in which a trusted, signed executable is made to load a malicious DLL in place of one of its expected dependencies. In this case, legitimate antivirus executables from Norton, Bkav, and IObit Malware Fighter were abused as the host processes that loaded the backdoor.
Once active, Snappybee established outbound communication to a remote command server (“aar.gandhibludtric[.]com”) using HTTP and an unidentified TCP-based protocol to enable remote control and data exfiltration.
Detection and Response
Darktrace reported that the malicious activity was detected and contained before escalation. The firm highlighted that Salt Typhoon’s techniques—particularly its abuse of legitimate security tools—make it challenging to identify using conventional detection systems.
“Salt Typhoon continues to challenge defenders with its stealth, persistence, and abuse of legitimate tools,” Darktrace said. “Its ability to repurpose trusted software and infrastructure ensures it will remain difficult to detect using conventional methods alone.”
Implications
The attack underscores the growing threat posed by China-nexus APTs to European telecommunications and critical infrastructure sectors. Organizations relying on Citrix or other remote access solutions are urged to:
- Apply the latest security patches promptly.
- Enforce network segmentation for virtual environments.
- Monitor for anomalous VPN and DLL loading activity.
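As an added example (not part of the Darktrace report or this article), the Python below shows one way to act on the last recommendation against the side-loading pattern described in the Snappybee section: it triages Sysmon-style image-load records and flags a signed security-vendor host that loads an unsigned or foreign-signed DLL, or that runs from a user-writable path. All paths and signer strings are constructed placeholders, not indicators from the incident.

```python
"""Flag DLL loads by trusted security-vendor binaries that fit the side-loading
pattern: a signed host loads a DLL that is unsigned, signed by another publisher,
or sits in a user-writable directory.  Records mimic Sysmon Event ID 7 fields."""
from dataclasses import dataclass

WRITABLE_HINTS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")
# OS libraries under the system directories are exempt from the signer comparison.
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")


@dataclass
class ImageLoad:
    image: str          # host process executable (Sysmon "Image")
    image_signer: str   # publisher that signed it ("" if unsigned)
    loaded: str         # DLL that was mapped (Sysmon "ImageLoaded")
    loaded_signer: str  # publisher that signed the DLL ("" if unsigned)


def in_writable_dir(path: str) -> bool:
    p = path.lower()
    return any(hint in p for hint in WRITABLE_HINTS)


def sideload_indicators(ev: ImageLoad) -> list[str]:
    """Return the reasons a load looks like side-loading; empty means benign."""
    if not ev.image_signer or any(d in ev.loaded.lower() for d in SYSTEM_DIRS):
        return []  # unsigned hosts and OS DLLs are outside this rule's scope
    reasons = []
    if not ev.loaded_signer:
        reasons.append("unsigned DLL loaded by a signed host")
    elif ev.loaded_signer != ev.image_signer:
        reasons.append(f"DLL signer {ev.loaded_signer!r} differs from host signer {ev.image_signer!r}")
    if in_writable_dir(ev.loaded):
        reasons.append("DLL resides in a user-writable directory")
    if in_writable_dir(ev.image):
        reasons.append("signed host executable runs from a user-writable directory")
    return reasons


def triage(events: list[ImageLoad]) -> list[tuple[str, str, list[str]]]:
    """Return (host, dll, reasons) for every event with at least one indicator."""
    return [(ev.image, ev.loaded, r) for ev in events if (r := sideload_indicators(ev))]


# Constructed sample events; paths and signer strings are placeholders, not IoCs.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\Norton\NortonSecurity.exe", "Norton",
              r"C:\Windows\System32\ntdll.dll", "Microsoft"),
    ImageLoad(r"C:\Program Files\Norton\NortonSecurity.exe", "Norton",
              r"C:\Program Files\Norton\helper.dll", "Norton"),
    ImageLoad(r"C:\Users\Public\Libraries\NortonSecurity.exe", "Norton",
              r"C:\Users\Public\Libraries\helper.dll", ""),
    ImageLoad(r"C:\Program Files\IObit\IObit Malware Fighter\IMF.exe", "IObit",
              r"C:\ProgramData\IObit\helper.dll", "Unknown Publisher"),
]
```

Running `triage(SAMPLE_EVENTS)` flags only the last two records: the vendor executable relocated to a public folder loading an unsigned DLL, and the in-place executable loading a foreign-signed DLL from ProgramData.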
As Salt Typhoon continues to evolve its tradecraft, defenders must adopt behavior-based detection and AI-driven analytics to identify stealthy, legitimate-tool abuse in enterprise environments.

