China-linked espionage group Salt Typhoon successfully breached a European telecommunications firm in July 2025, continuing a widespread global campaign that has been active for at least a year. This incident follows a major exposure in late 2024 when the U.S. attributed a large-scale cyberespionage campaign targeting global telecoms to the state-backed group. At that time, a senior White House official, Anne Neuberger, revealed that Salt Typhoon had compromised telecommunications companies in dozens of countries, including at least eight U.S. firms. The group, also tracked as Earth Estries, FamousSparrow, and GhostEmperor, has demonstrated a sustained focus on this sector worldwide.
The initial breach in July 2025 was facilitated by exploiting a vulnerability in a Citrix NetScaler Gateway appliance. Darktrace, which detected the intrusion, noted that the attack likely began in the first week of July. After gaining a foothold through the gateway, the attackers quickly pivoted to Citrix Virtual Delivery Agent (VDA) hosts within the client’s network. Compounding their stealth, the initial access activities originated from an endpoint potentially associated with the SoftEther VPN service, suggesting the attackers used infrastructure obfuscation techniques from the very beginning of the operation.
To maintain persistence and control, the nation-state actors deployed a custom backdoor named SNAPPYBEE (also known as Deed RAT). This malware was delivered using a sophisticated technique known as DLL sideloading, where the attackers leverage legitimate antivirus executables from brands like Norton, Bkav, and IObit to load their malicious code. By piggybacking on trusted software, they aimed to bypass traditional security controls that might flag unknown executables, making the deployment significantly stealthier and harder to trace.
For command and control (C2), the attackers relied on LightNode VPS servers. They communicated via both standard HTTP and an unknown TCP protocol, a tactic designed to confuse or evade detection systems. The SNAPPYBEE backdoor was observed sending HTTP POST requests that were carefully crafted to mimic legitimate Internet Explorer traffic, further blending in with normal network activity. One C2 domain, aar.gandhibludtric[.]com, and its associated IP address were specifically tied back to the Salt Typhoon group, adding to the evidence for the attribution.
Darktrace’s security platform ultimately identified the sophisticated cyber espionage activity and successfully mitigated the intrusion before the attackers could escalate their actions or achieve their ultimate goals. Based on overlaps in tactics, techniques, procedures (TTPs), staging patterns, infrastructure, and the specific malware used, Darktrace assessed with moderate confidence that the activity was consistent with the known operations of Salt Typhoon (Earth Estries). The incident underscores the critical need for security solutions that move beyond traditional, signature-based defenses to detect and stop advanced persistent threats, highlighting that early detection of unusual behavior is essential for thwarting stealthy, nation-state actors.
Reference:
