Salt Typhoon Intrusion Attempt on European Telecommunications Provider via Citrix NetScaler Exploit
Salt Typhoon, a Chinese state-linked advanced persistent threat (APT) group, attempted to infiltrate a European telecommunications organization by exploiting a vulnerability in a Citrix NetScaler Gateway appliance. The attack was first detected by Darktrace in July 2025, when threat activity consistent with Salt Typhoon’s known tactics, techniques, and procedures (TTPs) was observed. The group, also known as Earth Estries, GhostEmperor, and UNC2286, has a history of targeting telecoms and digital infrastructure globally, with previous campaigns against U.S. telecoms and ongoing interest in European targets. Initial access was achieved through the exploitation of the Citrix NetScaler Gateway, a method frequently used by Salt Typhoon to compromise network equipment. After breaching the gateway, the attackers moved laterally within the organization, targeting Citrix Virtual Delivery Agent hosts in the Machine Creation Services (MCS) subnet. The group deployed the SNAPPYBEE (also known as Deed RAT) backdoor, a tool commonly shared among Chinese APT groups, to establish command and control (C2) within the compromised environment. The C2 infrastructure utilized LightNode VPS endpoints and communicated over both HTTP and an unidentified TCP-based protocol, demonstrating the group’s use of non-standard and layered protocols to evade detection. To maintain stealth and persistence, Salt Typhoon employed DLL sideloading techniques, delivering malicious DLLs alongside legitimate antivirus executables such as Norton Antivirus, Bkav Antivirus, and IObit Malware Fighter. This allowed the attackers to execute their payloads under the guise of trusted software, bypassing traditional security controls. The group’s tactics included abusing legitimate software for stealth and execution, a hallmark of their operations. Darktrace analysts noted that the pattern of activity closely matched Salt Typhoon’s previous campaigns, reinforcing attribution to the group. 
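As an added defender-side example (not code from the page, from Darktrace, or from any vendor), the following Python heuristic flags the DLL sideloading pattern described above over Sysmon-style image-load events: an antivirus-branded executable running outside its install directory and loading an unsigned or differently signed DLL from the same folder. The event field names, executable names, signer strings and paths are constructed for illustration.

```python
"""Heuristic for DLL sideloading behind antivirus-branded executables.

Input events mimic Sysmon Event ID 7 (Image loaded) fields; the field names,
signer strings, executable names and sample paths are constructed for this example."""
from pathlib import PureWindowsPath

# Vendor keywords taken from the products named in the report (Norton, Bkav, IObit).
AV_VENDOR_KEYWORDS = ("norton", "bkav", "iobit")
# Directories where a legitimately installed antivirus binary is expected to live.
TRUSTED_ROOTS = (r"c:\program files", r"c:\program files (x86)")

def _branded(path: PureWindowsPath) -> bool:
    name = path.name.lower()
    return any(k in name for k in AV_VENDOR_KEYWORDS)

def sideload_reasons(event: dict) -> list[str]:
    """Return the reasons an image-load event looks like sideloading (empty if clean)."""
    exe = PureWindowsPath(event["image"])
    dll = PureWindowsPath(event["image_loaded"])
    if not _branded(exe) or dll.suffix.lower() != ".dll":
        return []
    reasons = []
    # A copied-out AV executable is typically staged outside its install directory.
    if not str(exe.parent).lower().startswith(TRUSTED_ROOTS):
        reasons.append("av_binary_outside_program_files")
    # Sideloaded DLLs sit beside the executable but are not signed by the same vendor.
    if dll.parent == exe.parent and event.get("dll_signer") != event.get("image_signer"):
        reasons.append("colocated_dll_signer_mismatch")
    if not event.get("dll_signer"):
        reasons.append("dll_unsigned")
    return reasons

def triage(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Run the heuristic over a batch and keep only events with at least one reason."""
    hits = []
    for ev in events:
        reasons = sideload_reasons(ev)
        if reasons:
            hits.append((ev["image_loaded"], reasons))
    return hits

# Constructed sample events: one benign load, one matching the sideloading pattern.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\ExampleAV\norton_av.exe",  # constructed name
     "image_loaded": r"C:\Program Files\ExampleAV\ui.dll",
     "image_signer": "ExampleAV Corp", "dll_signer": "ExampleAV Corp"},
    {"image": r"C:\Users\Public\Libraries\norton_av.exe",
     "image_loaded": r"C:\Users\Public\Libraries\ver.dll",
     "image_signer": "ExampleAV Corp", "dll_signer": None},
]

if __name__ == "__main__":
    for dll, reasons in triage(SAMPLE_EVENTS):
        print(dll, "->", ", ".join(reasons))
```

Real telemetry should feed the signer fields from Authenticode verification results rather than the unvalidated strings shown here.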
The intrusion was detected before the attackers could achieve deeper compromise or exfiltrate sensitive data, highlighting the importance of proactive threat detection. The incident underscores the persistent threat posed by Chinese cyberespionage actors to the telecommunications sector, particularly through the exploitation of known vulnerabilities in widely used network appliances. The Five Eyes intelligence alliance and other international partners have previously warned about Salt Typhoon’s global targeting of communications infrastructure. The group’s operations are believed to be conducted by private hacking firms contracted by Chinese government agencies, as revealed by earlier data leaks. The attempted breach demonstrates the evolving sophistication of state-sponsored cyber operations and the need for robust security measures in critical infrastructure sectors. The use of advanced lateral movement, stealthy persistence mechanisms, and shared malware tools reflects the group’s technical capabilities. The incident also highlights the value of threat intelligence sharing and rapid response in mitigating nation-state cyber threats. Ongoing monitoring and patching of network equipment vulnerabilities remain essential defenses against such targeted attacks. The European telecom’s timely detection and response prevented further escalation and potential operational impact. This event adds to the growing body of evidence regarding Salt Typhoon’s focus on global telecommunications espionage.

How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Darktrace publicly reports Salt Typhoon's European telecom targeting
Multiple outlets reported on 2025-10-20 and 2025-10-21 that Darktrace had disclosed Salt Typhoon's July 2025 targeting of a European telecom. The reporting tied the activity to the China-linked espionage group also known as Earth Estries, GhostEmperor, and UNC2286.
Darktrace detects and disrupts the European telecom intrusion
Darktrace observed the July 2025 Salt Typhoon activity against the European telecom and reported that the attack was detected and stopped early. The company said the attackers established dual-channel command-and-control infrastructure using virtual private servers.
Salt Typhoon targets a European telecom via Citrix NetScaler
In July 2025, Salt Typhoon attempted to compromise a European telecommunications organization, likely by exploiting a Citrix NetScaler Gateway vulnerability. The intrusion involved living-off-the-land techniques, including DLL side-loading through legitimate antivirus software, and deployment of the SNAPPYBEE backdoor.
Citrix patches NetScaler flaws CVE-2025-5777 and CVE-2025-6543
Citrix released patches in July 2025 for two NetScaler Gateway vulnerabilities, CVE-2025-5777 and CVE-2025-6543. The flaws could enable multifactor authentication bypass and session hijacking and were later linked to Salt Typhoon activity.
Sources
6 references tracked.
Hackers Used Snappybee Malware and Citrix Flaw to Breach European Telecom Network (thehackernews.com)
Salt Typhoon APT Targets Global Telecom and Energy Sectors, Says Darktrace (hackread.com)
China-Linked Salt Typhoon breaches European Telecom via Citrix exploit (securityaffairs.com)
Salt Typhoon targets Citrix NetScaler gateway at European telecom (scworld.com)
Salt Typhoon Targets European Telecom (bankinfosecurity.com)
China-linked Salt Typhoon hackers attempt to infiltrate European telco (helpnetsecurity.com)