Sophisticated Cyber Espionage Campaign Targets European Telecom Infrastructure


Advanced Persistent Threat Group Expands Global Operations

Security researchers have uncovered a sophisticated cyber espionage campaign targeting a major European telecommunications provider, with evidence pointing to the China-linked threat actor known as Salt Typhoon. The group, which has been active since at least 2019, has previously compromised major American telecommunications companies and stolen metadata belonging to nearly every American citizen according to FBI officials.

Darktrace’s security research team detected the intrusion in July 2025. The attackers gained initial access by exploiting the telecom’s internet-facing Citrix NetScaler Gateway appliances. The timing coincides with a series of critical patches Citrix released over the summer for NetScaler flaws that attackers had already begun exploiting in the wild.

Technical Attack Methodology Revealed

According to Darktrace’s investigation, the attackers demonstrated sophisticated tradecraft from the outset. “Initial access activities in the intrusion originated from an endpoint potentially associated with the SoftEther VPN service, suggesting infrastructure obfuscation from the beginning,” the threat hunters noted in their technical analysis.

Nathaniel Jones, Darktrace’s field CISO and VP of security and AI strategy, confirmed to The Register that while the team did not identify the specific vulnerability used, the timing aligned with defenders patching recent NetScaler flaws, including CVE-2025-5349 and CVE-2025-5777, in June.

Multi-Stage Compromise and Backdoor Deployment

After compromising the Citrix NetScaler appliance, the attackers pivoted to Citrix Virtual Delivery Agent (VDA) hosts within the client’s Machine Creation Services (MCS) subnet. The suspected spies then deployed the SNAPPYBEE backdoor (also known as Deed RAT) to multiple Citrix VDA hosts, establishing command and control (C2) infrastructure before Darktrace’s systems flagged the activity.

Trend Micro researchers had previously linked this modular backdoor to Salt Typhoon operations. The intruders employed DLL sideloading, a favored Salt Typhoon technique, to deliver the backdoor to internal endpoints. When a Windows program loads a Dynamic Link Library by name only, the loader normally searches the executable’s own directory before the system directories, so an attacker who drops a malicious DLL with the expected name next to a legitimate, signed executable gets that executable to load the payload for them: the trusted process keeps its identity while the attacker’s code runs inside it. In this campaign the loaders abused executables from antivirus products including Norton Antivirus, Bkav Antivirus, and IObit Malware Fighter as cover.
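The side-loading shape described above is detectable from endpoint image-load telemetry. The following is an added example written for this page, not Darktrace’s, Trend Micro’s or the telecom’s code: it scores Sysmon-style image-load events (Event ID 7 fields: loading process, DLL path, signature status, publisher) and flags a DLL that carries the name of a Windows system library but was loaded from the executable’s own directory and is unsigned or signed by a different publisher than the executable. The list of system DLL names, the executable paths and the publisher strings are all constructed for the example; the AV product names used by the real campaign are deliberately not modelled.

```python
"""
Added example (not code from the original article or from Darktrace):
flag DLL side-loading candidates in Sysmon-style image-load events (Event ID 7).

Heuristic, applied in order:
  1. ignore loads from the Windows system directories (the normal case);
  2. keep only DLLs loaded from the same directory as the loading executable;
  3. keep only DLL file names that normally live in System32 (a shadowed name);
  4. flag when the DLL is unsigned, or signed by someone other than the
     executable's own publisher.
"""
from dataclasses import dataclass
import ntpath

# Constructed reference set. In production, build this from a clean host's
# System32 listing rather than a hard-coded list.
SYSTEM_DLLS = {"version.dll", "wtsapi32.dll", "dbghelp.dll", "userenv.dll", "cryptsp.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class ImageLoad:
    image: str           # loading process executable (Sysmon 'Image')
    image_loaded: str    # DLL path (Sysmon 'ImageLoaded')
    signed: bool         # Sysmon 'Signed'
    signature: str       # Sysmon 'Signature' (publisher of the DLL)
    exe_signature: str   # publisher of the executable, joined from the process-create event


def is_sideload_candidate(ev: ImageLoad) -> bool:
    dll_dir = ntpath.dirname(ev.image_loaded).lower() + "\\"
    exe_dir = ntpath.dirname(ev.image).lower() + "\\"
    dll_name = ntpath.basename(ev.image_loaded).lower()
    if dll_dir.startswith(SYSTEM_DIRS):
        return False                       # rule 1: loaded from the OS directory
    if dll_dir != exe_dir:
        return False                       # rule 2: not a same-directory load
    if dll_name not in SYSTEM_DLLS:
        return False                       # rule 3: does not shadow a system DLL name
    # rule 4: unsigned, or a signer mismatch next to a signed binary
    return (not ev.signed) or ev.signature != ev.exe_signature


def find_sideloads(events):
    """Return the subset of events that look like side-loading."""
    return [e for e in events if is_sideload_candidate(e)]


# Constructed sample telemetry; paths, vendor and publisher names are fictional.
SAMPLE_EVENTS = [
    # unsigned version.dll dropped beside a vendor binary in a writable directory
    ImageLoad(r"C:\Users\Public\Update\avscan.exe",
              r"C:\Users\Public\Update\version.dll",
              False, "", "Example AV Vendor"),
    # the same binary loading the genuine version.dll from System32
    ImageLoad(r"C:\Program Files\Example AV\avscan.exe",
              r"C:\Windows\System32\version.dll",
              True, "Microsoft Windows", "Example AV Vendor"),
    # a vendor's own DLL next to its own executable, same publisher
    ImageLoad(r"C:\Program Files\Example AV\avscan.exe",
              r"C:\Program Files\Example AV\avcore.dll",
              True, "Example AV Vendor", "Example AV Vendor"),
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print(f"side-load candidate: {hit.image} loaded {hit.image_loaded}")
```

Rule 4 is what separates an abused signed executable from a vendor shipping its own DLLs: a product that legitimately bundles a copy of a system-named library will usually sign it with the same certificate as the executable. Expect some noise from installers and portable applications, so treat hits as hunting leads to be joined with network egress from the same host rather than as a blocking signature.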

Evasion Techniques and Infrastructure Analysis

The backdoor utilized LightNode VPS endpoints for C2 communications, employing both HTTP and an unidentified TCP-based protocol to evade detection. Darktrace identified compromised endpoints communicating with aar.gandhibludtric[.]com (38.54.63[.]75), one of dozens of domains that threat intelligence firm Silent Push recently linked to Salt Typhoon.
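Because the C2 traffic mixed ordinary HTTP with an unidentified TCP protocol and sat on commodity VPS hosting, the useful network signal is less the specific indicator than the pattern: hosts in the VDA/MCS subnet opening their own outbound connections to public addresses. The block below is an added example written for this page, not Darktrace’s or Silent Push’s tooling. It refangs the defanged indicators quoted above, then runs two checks over constructed, simplified Zeek-like connection and DNS records: an indicator match, and egress from the VDA subnet that is not on a small allow-list of expected protocol/port/service combinations. The subnet (10.20.30.0/24), the allow-list and all log lines are assumptions for the example.

```python
"""
Added example (not code from the original article, Darktrace or Silent Push):
hunt for VDA hosts beaconing to suspicious external infrastructure.

Input is a simplified, tab-separated, Zeek-like format (constructed here):
  conn: ts  orig_h  resp_h  resp_p  proto  service
  dns:  ts  client  query   answer
"""
import ipaddress

def refang(ioc: str) -> str:
    """Turn a defanged indicator ('a[.]b', 'hxxp') back into a usable one."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")

# Indicators quoted in the article, kept defanged in source and refanged at load.
IOC_DOMAINS = {refang("aar.gandhibludtric[.]com")}
IOC_IPS = {ipaddress.ip_address(refang("38.54.63[.]75"))}

# Assumptions for the example: the MCS/VDA subnet and the only egress these
# hosts are expected to originate themselves (everything else goes via a proxy).
VDA_SUBNET = ipaddress.ip_network("10.20.30.0/24")
ALLOWED_EGRESS = {("tcp", 443, "ssl"), ("tcp", 80, "http")}

# RFC 1918 only. Do NOT use ipaddress.is_private here: it also treats the
# documentation ranges (198.51.100.0/24, 203.0.113.0/24) as private, which
# would silently hide the sample traffic below.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL)

def parse_conn(text):
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig, resp, port, proto, service = line.split("\t")
        rows.append({"ts": float(ts), "orig": ipaddress.ip_address(orig),
                     "resp": ipaddress.ip_address(resp), "port": int(port),
                     "proto": proto, "service": service})
    return rows

def parse_dns(text):
    """Map (client, answer IP) -> set of names that client resolved to that IP."""
    names = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        _, client, query, answer = line.split("\t")
        names.setdefault((client, answer), set()).add(query)
    return names

def hunt(conn_text: str, dns_text: str):
    """Return (orig, resp, port, resolved_names, reasons) for each suspicious flow."""
    names = parse_dns(dns_text)
    alerts = []
    for c in parse_conn(conn_text):
        if c["orig"] not in VDA_SUBNET or is_internal(c["resp"]):
            continue
        resolved = names.get((str(c["orig"]), str(c["resp"])), set())
        reasons = []
        if c["resp"] in IOC_IPS or resolved & IOC_DOMAINS:
            reasons.append("ioc-match")
        if (c["proto"], c["port"], c["service"]) not in ALLOWED_EGRESS:
            reasons.append("unexpected-egress")   # catches the unknown TCP protocol
        if reasons:
            alerts.append((str(c["orig"]), str(c["resp"]), c["port"],
                           ",".join(sorted(resolved)), reasons))
    return alerts

# Constructed sample logs. 198.51.100.0/24 and 203.0.113.0/24 are documentation
# ranges standing in for arbitrary VPS addresses.
CONN_LOG = """\
1721300000.1\t10.20.30.15\t38.54.63.75\t80\ttcp\thttp
1721300001.2\t10.20.30.15\t198.51.100.9\t8443\ttcp\t-
1721300002.3\t10.20.30.16\t10.20.1.5\t445\ttcp\tsmb
1721300003.4\t10.20.30.17\t203.0.113.80\t443\ttcp\tssl
1721300004.5\t10.1.2.3\t203.0.113.80\t9999\ttcp\t-
"""
DNS_LOG = """\
1721299999.9\t10.20.30.15\taar.gandhibludtric.com\t38.54.63.75
"""

if __name__ == "__main__":
    for orig, resp, port, resolved, reasons in hunt(CONN_LOG, DNS_LOG):
        print(f"{orig} -> {resp}:{port} {resolved or '(no name)'} {reasons}")
```

The second alert in the sample, a VDA host talking to a public address on 8443 with no recognised service, is the one an indicator feed would miss, and it is the shape the article’s "unidentified TCP-based protocol" takes on the wire. The allow-list is intentionally small: VDA hosts in an MCS pool rarely have a reason to originate their own internet connections, so the cost of listing the legitimate exceptions is low and the detection stays meaningful after the attacker moves to new VPS infrastructure.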

Hosting C2 on a commodity VPS provider and mixing ordinary HTTP with a custom TCP protocol lets the beacons blend into routine traffic, and the infrastructure can be rotated faster than indicator feeds are updated. That is why the domain and IP above are useful for retrospective hunting, while durable detection has to rest on behavior, such as VDA hosts that suddenly originate their own connections to unfamiliar external endpoints.

Attribution and Confidence Assessment

Darktrace researchers assessed with moderate confidence that the observed activity aligns with Salt Typhoon (also tracked as Earth Estries, GhostEmperor, and UNC2286) based on overlaps in tactics, techniques and procedures (TTPs), staging patterns, infrastructure, and malware. This attribution is consistent with previous reporting on the group’s activities across more than 80 countries.

The European telecom intrusion is the latest indication that Salt Typhoon is still actively targeting high-value networks worldwide, and that telecommunications providers in particular remain in scope.

Defensive Success and Broader Implications

According to Darktrace, its platform identified and stopped the intrusion in its early stages, preventing escalation and keeping dwell time short. Catching the activity between backdoor deployment and data theft, rather than months later, is the practical value of monitoring east-west traffic and outbound connections from internal server subnets.

The incident underscores the need for rigorous patch management for internet-facing systems such as Citrix NetScaler Gateways, which are attacked within days of an advisory and which sit, by design, at the boundary between the internet and internal Citrix infrastructure. Telecommunications and other service providers, whose networks carry many customers’ traffic, should assume they are a standing target for state-sponsored campaigns of this kind.

Organizations that run Citrix NetScaler alongside Citrix Virtual Apps and Desktops can take concrete steps against the chain described here: apply Citrix patches promptly and confirm the installed NetScaler build against the advisory; segment VDA and MCS subnets so that a compromised appliance cannot reach them freely; monitor image-load telemetry for DLL sideloading against signed vendor executables; and alert on VDA hosts opening outbound connections to VPS providers over HTTP or unrecognized TCP protocols.

Security teams worldwide continue to monitor Salt Typhoon’s activities as the group demonstrates persistent capability to compromise high-value targets across multiple sectors and geographic regions.

This article aggregates information from publicly available sources. All trademarks and copyrights belong to their respective owners.
