Sophisticated Attack Pattern Revealed
Security researchers at Darktrace have uncovered what appears to be a sophisticated cyber espionage campaign targeting a European telecommunications provider, with evidence pointing to the China-linked threat actor known as Salt Typhoon. The group, which security experts have tracked since at least 2019, has previously compromised major American telecommunications companies, stealing metadata and sensitive information belonging to millions of citizens.
According to Darktrace’s threat intelligence team, the suspected spies exploited vulnerabilities in a Citrix NetScaler Gateway appliance during the first week of July 2025 to gain initial access to the telecom’s network. The timing coincides with a period when security teams were actively patching multiple critical vulnerabilities in Citrix products, though researchers couldn’t confirm which specific flaw was exploited in this incident.
Exploiting Critical Vulnerabilities
Nathaniel Jones, field CISO and VP of security and AI strategy at Darktrace, told The Register that defenders were concurrently patching recent NetScaler flaws during the suspected intrusion period. Citrix had been addressing multiple critical vulnerabilities throughout the summer of 2025, including CVE-2025-6543, a memory overflow flaw reportedly exploited in the wild, and CVE-2025-5777, dubbed CitrixBleed 2, which was quickly added to CISA’s Known Exploited Vulnerabilities catalog.
Security researcher Kevin Beaumont noted that CVE-2025-7775 had been exploited as a pre-authentication remote code execution vulnerability to plant web shells on unpatched systems. The Dutch National Cyber Security Centre warned that mass exploitation was likely, prompting urgent patching efforts across the industry. The overlap between this patching window and the suspected intrusion illustrates the race between defenders and attackers to act on newly disclosed flaws.
Advanced Persistence Techniques
After compromising the Citrix NetScaler appliance, the attackers pivoted to Citrix Virtual Delivery Agent hosts within the client’s Machine Creation Services subnet. Darktrace’s threat hunters noted that initial access activities originated from an endpoint potentially associated with the SoftEther VPN service, suggesting the group employed infrastructure obfuscation from the very beginning of their operation.
The suspected spies then deployed the SNAPPYBEE backdoor (also known as Deed RAT) to multiple Citrix VDA hosts. Trend Micro researchers have previously linked this modular backdoor to Salt Typhoon, and Darktrace’s analysis confirmed the connection through overlapping tactics, techniques, and procedures. The intrusion was detected and remediated before it could escalate further, resulting in minimal dwell time for the attackers.
Evasion and Command Control Methods
Darktrace’s report details how the intruders used DLL sideloading—a favorite Salt Typhoon technique—to deliver the backdoor to internal endpoints. In this stealthy method, a malicious Dynamic Link Library (DLL) is placed where a legitimate, typically signed, application will load it in place of the library it expects, so the malware executes inside a trusted process. In this case, the attackers leveraged legitimate antivirus software executables, including Norton Antivirus, Bkav Antivirus, and IObit Malware Fighter, to evade detection.
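The sideloading pattern described above can be hunted for in image-load telemetry. The following is an added example, not code from Darktrace or from the report: a small heuristic that scores each DLL load by a signed process on signals typical of sideloading (unsigned or differently signed DLL, DLL and executable sitting together outside Program Files/System32, a signed vendor binary running from a non-standard path). The event records, signer names and paths are constructed for illustration and are not indicators from the incident.

```python
import ntpath
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Directories where a signed vendor binary is normally expected to live.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


@dataclass(frozen=True)
class ImageLoad:
    """One image-load event (the shape of a Sysmon Event ID 7 record, simplified)."""
    host: str
    process_path: str
    process_signer: Optional[str]  # None means the executable is unsigned
    dll_path: str
    dll_signer: Optional[str]      # None means the DLL is unsigned


def in_trusted_dir(path: str) -> bool:
    """True if the path sits under a standard install/system directory."""
    p = path.lower()
    return any(p.startswith(d) for d in TRUSTED_DIRS)


def sideload_reasons(ev: ImageLoad) -> List[str]:
    """Return the sideloading indicators present in a single image-load event."""
    reasons: List[str] = []
    proc_dir = ntpath.dirname(ev.process_path).lower()
    dll_dir = ntpath.dirname(ev.dll_path).lower()

    if ev.process_signer and not ev.dll_signer:
        reasons.append("signed process loaded an unsigned DLL")
    if ev.process_signer and ev.dll_signer and ev.process_signer != ev.dll_signer:
        reasons.append("DLL signer differs from process signer")
    if proc_dir == dll_dir and not in_trusted_dir(ev.process_path):
        reasons.append("DLL loaded from the executable's own directory outside a trusted path")
    if ev.process_signer and not in_trusted_dir(ev.process_path):
        reasons.append("signed vendor binary running from a non-standard location")
    return reasons


def suspicious_loads(events: List[ImageLoad], min_reasons: int = 2) -> List[Tuple[ImageLoad, List[str]]]:
    """Keep only events that accumulate at least min_reasons indicators.

    A single benign mismatch (e.g. a vendor binary loading a Microsoft-signed
    system DLL) scores one reason and is therefore not reported.
    """
    flagged = []
    for ev in events:
        reasons = sideload_reasons(ev)
        if len(reasons) >= min_reasons:
            flagged.append((ev, reasons))
    return flagged


# Constructed sample events (hypothetical hosts, vendors, paths and signers).
SAMPLE_EVENTS = [
    # Normal: installed AV loads its own signed DLL from Program Files.
    ImageLoad("vda-host-01", "C:\\Program Files\\ExampleAV\\ExampleAV.exe", "Example AV Ltd",
              "C:\\Program Files\\ExampleAV\\scan.dll", "Example AV Ltd"),
    # Sideload pattern: signed AV binary copied to a staging folder, unsigned DLL beside it.
    ImageLoad("vda-host-07", "C:\\Users\\Public\\stage\\ExampleAV.exe", "Example AV Ltd",
              "C:\\Users\\Public\\stage\\helper.dll", None),
    # Benign signer mismatch: vendor binary loads a Microsoft-signed system DLL.
    ImageLoad("vda-host-01", "C:\\Program Files\\ExampleAV\\ExampleAV.exe", "Example AV Ltd",
              "C:\\Windows\\System32\\kernel32.dll", "Microsoft Windows"),
    # Unsigned tool loading an unsigned DLL from temp: not the signed-binary abuse this targets.
    ImageLoad("vda-host-12", "C:\\Temp\\tool.exe", None,
              "C:\\Temp\\tool.dll", None),
]

if __name__ == "__main__":
    for ev, reasons in suspicious_loads(SAMPLE_EVENTS):
        print(f"{ev.host}: {ev.process_path} -> {ev.dll_path}")
        for r in reasons:
            print("   -", r)
```

The threshold is deliberately set so that a signed vendor binary in its normal install directory loading Microsoft-signed system libraries is not reported, while the same binary running from a user-writable folder next to an unsigned DLL is. In production the signer fields would come from the telemetry source's Authenticode data rather than from hand-written records.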
The backdoor communicated with command and control servers using LightNode VPS endpoints over both HTTP and an unidentified TCP-based protocol. Darktrace identified compromised endpoints pinging the C2 host aar.gandhibludtric[.]com (38.54.63[.]75), which threat intelligence firm Silent Push had previously linked to Salt Typhoon among dozens of other domains. This use of commodity VPS infrastructure and a non-standard protocol for beaconing reflects the group’s emphasis on maintaining persistent access while avoiding detection.
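The two indicators quoted above (the C2 domain and its IP address) are the kind of value a defender would sweep DNS and proxy logs for. The block below is an added example, not Darktrace's or Silent Push's tooling: it keeps the indicators in defanged form, refangs them for matching, and searches log lines with boundaries so that subdomains of the C2 domain are caught while a different host sharing a prefix (such as 38.54.63.7) is not. The log lines, hostnames and timestamps are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Indicators as quoted in the article (kept defanged in the IoC list).
IOC_DOMAINS = {"aar.gandhibludtric[.]com"}
IOC_IPS = {"38.54.63[.]75"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]') back into a matchable form."""
    return indicator.replace("[.]", ".")


# A domain IoC matches itself or any subdomain; an IP IoC matches only the full address.
DOMAIN_PATTERNS = {
    d: re.compile(r"(?<![\w.-])(?:[\w-]+\.)*" + re.escape(refang(d)) + r"(?![\w-])", re.IGNORECASE)
    for d in IOC_DOMAINS
}
IP_PATTERNS = {
    ip: re.compile(r"(?<![\d.])" + re.escape(refang(ip)) + r"(?![\d])")
    for ip in IOC_IPS
}


@dataclass(frozen=True)
class Hit:
    line_no: int
    host: str       # the internal endpoint named in the log line
    indicator: str  # the defanged IoC that matched
    kind: str       # "domain" or "ip"


def scan(log_text: str) -> List[Hit]:
    """Return one Hit per (line, indicator) match in the log text.

    Each constructed line has the form: <timestamp> <source> <host> <details...>.
    """
    hits: List[Hit] = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 3:
            continue
        host = fields[2]
        for d, pat in DOMAIN_PATTERNS.items():
            if pat.search(line):
                hits.append(Hit(n, host, d, "domain"))
        for ip, pat in IP_PATTERNS.items():
            if pat.search(line):
                hits.append(Hit(n, host, ip, "ip"))
    return hits


def hosts_contacting_c2(log_text: str) -> Dict[str, int]:
    """Count matches per internal host so beaconing endpoints stand out."""
    counts: Dict[str, int] = {}
    for h in scan(log_text):
        counts[h.host] = counts.get(h.host, 0) + 1
    return counts


# Constructed sample DNS/proxy log lines (hypothetical hosts and timestamps).
SAMPLE_LOG = """\
2025-07-03T02:14:07Z dns vda-host-07 query A aar.gandhibludtric.com
2025-07-03T02:14:08Z proxy vda-host-07 CONNECT 38.54.63.75:443 bytes_out=1204
2025-07-03T02:15:11Z dns vda-host-12 query A updates.example-vendor.net
2025-07-03T02:20:40Z proxy vda-host-07 GET http://sub.aar.gandhibludtric.com/ bytes_out=512
2025-07-03T02:21:02Z proxy vda-host-03 CONNECT 38.54.63.7:443 bytes_out=99
"""

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.host} -> {h.indicator} ({h.kind})")
    print(hosts_contacting_c2(SAMPLE_LOG))
```

Keeping the list defanged and refanging at match time avoids live indicators appearing in source control or chat when the script is shared; the boundary lookarounds are what prevent the near-miss 38.54.63.7 line from being counted.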
Broader Context and Connections
This incident occurs amid growing concerns about telecommunications infrastructure security worldwide. Advances in security monitoring have helped organizations detect such attacks earlier in the kill chain. The targeting of telecommunications companies represents a strategic focus for espionage groups seeking access to communication metadata and sensitive customer information.
Darktrace researchers assessed with moderate confidence that the observed activity was consistent with Salt Typhoon, also known as Earth Estries, GhostEmperor, and UNC2286 in various threat intelligence communities. The assessment was based on overlaps in TTPs, staging patterns, infrastructure, and malware characteristics. As economies increasingly depend on secure digital infrastructure, such incidents highlight the critical importance of robust cybersecurity measures across the telecommunications sector.
This sophisticated campaign against European telecommunications infrastructure follows patterns seen in other recent cybersecurity incidents, including an international sting operation that disrupted telecommunications fraud networks. Meanwhile, technology companies continue to develop security-focused hardware, such as Fujitsu’s enterprise laptops with enhanced security features. The broader context includes international law enforcement efforts targeting cybercriminal infrastructure, demonstrating the global nature of modern cybersecurity challenges. For more detailed analysis of this specific threat group’s activities, security professionals can reference this comprehensive threat intelligence report on suspected Chinese cyber espionage operations targeting European infrastructure.
The rapid detection and containment of this intrusion demonstrates the value of advanced security monitoring systems, though it also underscores the persistent threat posed by sophisticated state-aligned cyber espionage groups targeting critical infrastructure worldwide.
This article aggregates information from publicly available sources. All trademarks and copyrights belong to their respective owners.