In July 2025, a European telecommunications company fell victim to a sophisticated cyber attack orchestrated by Salt Typhoon, a cyber espionage group with alleged ties to China. The attackers exploited a vulnerability in the Citrix NetScaler Gateway appliance to gain initial access to the organization’s network.
Salt Typhoon: A Persistent Threat
Active since 2019, Salt Typhoon—also known as Earth Estries, FamousSparrow, GhostEmperor, and UNC5807—has targeted telecommunications providers, energy networks, and government systems across more than 80 countries, including the United States. The group is notorious for exploiting security flaws in edge devices, maintaining deep persistence within networks, and exfiltrating sensitive data.
Attack Methodology
After breaching the Citrix NetScaler Gateway, the attackers moved laterally to Citrix Virtual Delivery Agent (VDA) hosts within the organization’s Machine Creation Services (MCS) subnet. To mask their activities, they utilized SoftEther VPN, a tool that enables the creation of secure, encrypted connections, thereby obscuring their true origins.
Deployment of Snappybee Malware
A key component of this attack was the deployment of Snappybee, also known as Deed RAT. This malware is believed to be a successor to ShadowPad (PoisonPlug), which has been used in previous Salt Typhoon operations. The attackers employed a technique called DLL side-loading to execute Snappybee. This method involves placing a malicious DLL file alongside legitimate executable files, such as those from antivirus software like Norton Antivirus, Bkav Antivirus, and IObit Malware Fighter. When these legitimate programs are executed, they inadvertently load the malicious DLL, allowing the malware to run undetected.
Communication and Command-and-Control
Once active, Snappybee established communication with an external command-and-control server at aar.gandhibludtric[.]com using HTTP and an unidentified TCP-based protocol. This connection enabled the attackers to remotely control the malware, execute commands, and exfiltrate data from the compromised network.
Detection and Mitigation
The intrusion was identified and mitigated by Darktrace, a cybersecurity firm specializing in AI-driven threat detection. Their systems detected the anomalous activity before the attackers could escalate their operations further. Darktrace emphasized the challenges posed by Salt Typhoon’s tactics, noting the group’s ability to repurpose trusted software and infrastructure, making detection difficult using conventional methods.
Broader Implications
This incident underscores the evolving nature of cyber threats and the importance of robust cybersecurity measures. Organizations must remain vigilant, regularly update and patch their systems, and employ advanced threat detection mechanisms to defend against sophisticated adversaries like Salt Typhoon.
