In July 2025, a European telecommunications organization was targeted by Salt Typhoon, a cyber espionage group with links to China. The attackers exploited a Citrix NetScaler Gateway appliance to gain initial access, allowing them to penetrate deeper into the organization’s infrastructure.
Attack Methodology
Salt Typhoon's operation involved compromising Citrix Virtual Delivery Agent (VDA) hosts in the client's Machine Creation Services (MCS) subnet. The attackers used DLL side-loading alongside legitimate antivirus executables from Norton Antivirus, Bkav Antivirus, and IObit Malware Fighter, so that the malicious code ran under the cover of trusted software. The goal was to deliver Snappybee (also known as Deed RAT), which is suspected to be the successor of ShadowPad.
The malware communicated with an external server (aar.gandhibludtric[.]com) over HTTP and a TCP-based protocol. Using both channels reflects Salt Typhoon's emphasis on keeping its activity stealthy.
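The side-loading pattern described above (a legitimate antivirus executable loading a malicious DLL placed beside it) can be flagged from image-load telemetry. The following detector is an added example, not code from the article or from Darktrace; the event field names, file paths and signer strings are constructed assumptions, and the "trusted install roots" are a placeholder policy a defender would tune to their environment.

```python
"""Heuristic detection of DLL side-loading beside legitimate AV executables.

Added example (not from the article). It scans image-load events of the
kind Sysmon Event ID 7 or an EDR would emit; field names, paths and signer
strings are constructed assumptions.
"""
import ntpath
from typing import Dict, List

# Product names the article says were abused as side-loading hosts.
ABUSED_VENDORS = ("norton", "bkav", "iobit")
# Where these products are expected to be installed on a managed host (assumption).
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")


def side_loading_reasons(ev: Dict[str, str]) -> List[str]:
    """Return why one image-load event looks like side-loading (empty if benign)."""
    exe, dll = ev["image"].lower(), ev["loaded_image"].lower()
    signer = ev.get("image_signer", "").lower()
    if not any(v in exe or v in signer for v in ABUSED_VENDORS):
        return []  # host process is not one of the vendor binaries of interest
    reasons = []
    if not exe.startswith(TRUSTED_ROOTS):
        reasons.append("vendor binary running outside its install directory")
    same_dir = ntpath.dirname(exe) == ntpath.dirname(dll)
    if same_dir and ev.get("loaded_signed", "false").lower() != "true":
        reasons.append("unsigned DLL loaded from the executable's own directory")
    elif same_dir and ev.get("loaded_signer", "").lower() != signer:
        reasons.append("DLL signer differs from the host executable's signer")
    return reasons


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one finding per event that triggered at least one heuristic."""
    findings = []
    for ev in events:
        reasons = side_loading_reasons(ev)
        if reasons:
            findings.append({"image": ev["image"], "loaded_image": ev["loaded_image"],
                             "reasons": reasons})
    return findings


# Constructed sample events: a benign load from the install directory, and a
# copy of the same vendor binary staged in a writable directory loading an
# unsigned DLL that sits next to it.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Norton\Engine\NortonUI.exe",
     "image_signer": "Norton (constructed signer)",
     "loaded_image": r"C:\Program Files\Norton\Engine\ccL.dll",
     "loaded_signed": "true", "loaded_signer": "Norton (constructed signer)"},
    {"image": r"C:\Users\Public\svc\NortonUI.exe",
     "image_signer": "Norton (constructed signer)",
     "loaded_image": r"C:\Users\Public\svc\ccL.dll",
     "loaded_signed": "false", "loaded_signer": ""},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Only the staged copy is reported, with both the out-of-place binary and the unsigned sibling DLL as reasons; a signed DLL from a different signer would trip the third heuristic instead.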
Defense and Response
Darktrace, a cybersecurity firm, identified the intrusion and contained it before it could escalate significantly. Salt Typhoon, active since 2019, has targeted organizations in more than 80 countries, focusing on telecommunications providers, energy networks, and government systems.
This incident signals a continuing threat from advanced persistent threat groups that exploit edge-device vulnerabilities. Organizations need to strengthen their defenses, particularly around internet-facing edge devices, to prevent such intrusions.