
Chinese APT Group Salt Typhoon Exploits Citrix Flaw to Breach European Telecom Network

Updated: 19 hours ago

A sophisticated cyberattack, attributed to the China-nexus threat actor Salt Typhoon, has successfully breached a European telecommunications network. The attackers leveraged a critical vulnerability in Citrix NetScaler Gateway to gain initial access, then deployed the Snappybee malware to maintain persistence and exfiltrate data. This incident highlights the continuing risk posed by advanced persistent threat (APT) groups and the importance of timely security patching.

Key Takeaways

  • A European telecom company was targeted by Salt Typhoon, a China-aligned APT group.

  • The attackers exploited a vulnerability in Citrix NetScaler Gateway for initial access.

  • Snappybee malware was deployed using DLL side-loading techniques.

  • The breach was detected and remediated by Darktrace before significant escalation.

The Attack Vector

In the first week of July 2025, threat actors identified as Salt Typhoon initiated an intrusion against an unnamed European telecommunications organization. The initial point of entry was an exploited vulnerability within a Citrix NetScaler Gateway appliance. This allowed the attackers to establish a foothold within the network, from which they pivoted to Citrix Virtual Delivery Agent (VDA) hosts.

Salt Typhoon's Modus Operandi

Salt Typhoon, also known by aliases such as Earth Estries, FamousSparrow, GhostEmperor, and UNC5807, is an advanced persistent threat actor with suspected ties to China. Active since at least 2019, the group has a history of targeting critical infrastructure, including telecommunications, energy, and government systems across more than 80 countries. Their typical strategy involves exploiting security flaws in edge devices, maintaining deep persistence, and exfiltrating sensitive information.

Malware and Evasion Techniques

During the breach of the European telecom, Salt Typhoon deployed the Snappybee malware, also referred to as Deed RAT. This backdoor is believed to be a successor to the ShadowPad malware previously used by the group. The attackers employed a technique known as DLL side-loading, placing the malicious DLL alongside legitimate executables belonging to antivirus products such as Norton Antivirus, Bkav Antivirus, and IObit Malware Fighter. Because the trusted executable loads the DLL from its own directory, the malware runs under the guise of trusted software and evades conventional detection methods. Additionally, the attackers used SoftEther VPN to obscure their true origin and communicate with command-and-control (C2) servers.
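One way a defender can hunt for the side-loading pattern described above is to compare the signing state and location of each DLL a process loads against its host executable. The script below is an added example, not code from the article or from Darktrace; it runs over constructed Sysmon Event ID 7 (Image loaded) records, and the trusted-directory list, vendor name and sample paths are assumptions made for illustration.

```python
"""Heuristic detection of DLL side-loading candidates from Sysmon Event ID 7
(Image loaded) records. Field names follow Sysmon's ImageLoad event
(Image, ImageLoaded, Signed, Signature, SignatureStatus). The records,
the vendor name and the trusted-directory list are constructed assumptions
for this example, not indicators from the incident."""
from pathlib import PureWindowsPath

# Directories where vendor software legitimately lives; a signed executable
# running from anywhere else with an unsigned DLL beside it is suspicious.
TRUSTED_DIRS = ("C:\\Program Files", "C:\\Program Files (x86)", "C:\\Windows")

# Constructed Sysmon ImageLoad records (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\VendorAV\vendorav.exe",
     "ImageLoaded": r"C:\Program Files\VendorAV\helper.dll",
     "Signed": "true", "Signature": "Vendor AV Inc.", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\Public\update\vendorav.exe",
     "ImageLoaded": r"C:\Users\Public\update\helper.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\Public\update\vendorav.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
]


def in_trusted_dir(path):
    """True when the path sits below one of the allow-listed install roots."""
    return any(path.lower().startswith(d.lower() + "\\") for d in TRUSTED_DIRS)


def is_sideload_candidate(event):
    """True when an unsigned (or invalidly signed) DLL is loaded from the same
    directory as its host process and that directory is not an install location."""
    exe = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    same_dir = exe.parent == dll.parent
    unsigned = event["Signed"].lower() != "true" or event["SignatureStatus"] != "Valid"
    return same_dir and unsigned and not in_trusted_dir(str(exe))


def find_sideload_candidates(events):
    """Return the DLL paths that match the side-loading heuristic."""
    return [e["ImageLoaded"] for e in events if is_sideload_candidate(e)]


if __name__ == "__main__":
    for dll in find_sideload_candidates(SAMPLE_EVENTS):
        print("possible DLL side-loading:", dll)
```

The heuristic flags only the second record: a renamed copy of the vendor binary running from a user-writable folder and loading an unsigned DLL from that same folder, which is the shape of the technique the article describes.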

Detection and Remediation

Security vendor Darktrace observed and identified the intrusion activity. While the attackers successfully gained access and deployed malware, Darktrace's systems detected and remediated the threat before it could escalate further. The company noted that Salt Typhoon continues to challenge defenders with its stealth, persistence, and adept use of legitimate tools and infrastructure, making detection difficult with conventional signature-based methods alone.

Broader Implications

This incident underscores the persistent threat posed by sophisticated APT groups like Salt Typhoon. The exploitation of vulnerabilities in widely used network appliances like Citrix NetScaler highlights the critical need for organizations to maintain robust patch management practices and implement layered security defenses. The group's ability to adapt and employ advanced evasion techniques necessitates a proactive approach to cybersecurity, focusing on anomaly detection and behavioral analysis.

As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.

Sources

  • Hackers Used Snappybee Malware and Citrix Flaw to Breach European Telecom Network, The Hacker News.

  • Salt Typhoon caught hacking a European Telco, says Darktrace, Computing UK.

  • Salt Typhoon Uses Citrix Flaw in Global Cyber-Attack, Infosecurity Magazine.
