Suspected Salt Typhoon snoops lurking in European telco’s network

Summary

Security researchers at Darktrace say a suspected Salt Typhoon espionage crew gained initial access to a European telecommunications firm’s network in early July 2025 by exploiting a vulnerable Citrix NetScaler Gateway appliance. The intruders pivoted into Citrix VDA hosts, used DLL sideloading alongside legitimate AV executables to deploy the SNAPPYBEE/Deed RAT backdoor, and established C2 via LightNode VPS endpoints (including aar.gandhibludtric[.]com / 38.54.63[.]75). Darktrace assessed the activity as consistent with Salt Typhoon/Earth Estries (aka GhostEmperor/UNC2286) and says its platform prevented escalation by stopping the intrusion in early stages.

Key Points

  1. Initial access: attackers exploited a vulnerable Citrix NetScaler Gateway appliance in early July 2025. The specific CVE is not identified; the timing aligns with the several NetScaler vulnerabilities Citrix patched over summer 2025.
  2. Pivot and persistence: attackers moved from the gateway to Citrix Virtual Delivery Agent (VDA) hosts in the Machine Creation Services (MCS) subnet and backdoored several of them.
  3. Malware and techniques: deployed SNAPPYBEE (Deed RAT) and used DLL sideloading alongside legitimate antivirus executables to evade detection.
  4. Command and control: used LightNode VPS endpoints and at least one identified C2 domain aar.gandhibludtric[.]com (38.54.63[.]75), linked by others to Salt Typhoon infrastructure.
  5. Attribution and history: Darktrace assesses with moderate confidence the activity matches Salt Typhoon (Earth Estries), a China-linked espionage group active since at least 2019 and previously implicated in US telco intrusions.
  6. Outcome: Darktrace says its platform detected and stopped the activity before it escalated beyond the initial hosts; the report gives no confirmed extended dwell time.

Context and relevance

Salt Typhoon is a long-running espionage actor that has repeatedly targeted telecommunications providers and infrastructure globally. The attack highlights ongoing risk from unpatched appliance vulnerabilities — notably Citrix NetScaler — and familiar attacker tradecraft such as DLL sideloading, antivirus masquerading, and distributed C2 infrastructure. For organisations that operate or depend on telco networks, the incident underscores the importance of rapid patching, network segmentation (especially for management planes like NetScaler/VDA), vigilant EDR/telemetry, and threat-hunting tuned to unusual outbound connections to obscure VPS/C2 hosts.
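The outbound-connection hunt recommended above, worked through in code, is an added example and not part of the Register article or Darktrace's report. It refangs the two published indicators (aar.gandhibludtric[.]com and 38.54.63[.]75), parses a constructed, simplified connection-log format (timestamp, source IP, destination, port; not a real Citrix or firewall format), and flags any line whose destination is the C2 IP, the C2 domain, or a subdomain of it. The optional source-subnet filter assumes a hypothetical VDA/MCS range of 10.20.30.0/24; the sample log lines are constructed for the example.

```python
"""Hunt constructed connection logs for the Salt Typhoon C2 indicators.

Added example: the log format, subnet and sample lines are assumptions,
not data from the report. Only the two IOCs come from the article.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Indicators as published (defanged). The domain is the durable signal;
# a LightNode VPS address can be recycled, so an IP-only hunt goes stale fast.
DEFANGED_IOCS = ["aar.gandhibludtric[.]com", "38.54.63[.]75"]

# Constructed log line format (assumption): "<ts> <src_ip> <dst_host_or_ip> <dst_port>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<port>\d+)$")

# Constructed sample lines for the example; not from the incident.
SAMPLE_LOGS = [
    "2025-07-03T02:14:07Z 10.20.30.11 aar.gandhibludtric.com 443",
    "2025-07-03T02:14:09Z 10.20.30.11 38.54.63.75 443",
    "2025-07-03T02:15:00Z 10.20.30.12 updates.example.net 443",
    "2025-07-03T02:16:00Z 10.20.30.13 sub.aar.gandhibludtric.com 8443",
    "malformed line that the parser must skip",
]


@dataclass
class Hit:
    ts: str
    src: str
    dst: str
    port: int
    reason: str


def refang(ioc: str) -> str:
    """Undo the usual defanging so indicators can be compared to live logs."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def load_iocs(defanged: Iterable[str]) -> Tuple[Set[str], Set[str]]:
    """Split indicators into domain and IP sets; anything not an IP is a domain."""
    domains: Set[str] = set()
    ips: Set[str] = set()
    for raw in defanged:
        value = refang(raw)
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            domains.add(value)
    return domains, ips


def classify(dst: str, domains: Set[str], ips: Set[str]) -> Optional[str]:
    """Return the match reason for a destination, or None if it is clean."""
    dst = dst.lower().rstrip(".")
    if dst in ips:
        return "known C2 IP"
    # Exact domain or any subdomain of it (actor infrastructure often rotates hosts).
    if dst in domains or any(dst.endswith("." + d) for d in domains):
        return "known C2 domain"
    return None


def hunt(lines: Iterable[str], domains: Set[str], ips: Set[str],
         src_subnet: Optional[str] = None) -> List[Hit]:
    """Scan log lines for C2 indicators, optionally scoped to a source subnet
    (e.g. the VDA/MCS range the attackers pivoted into; 10.20.30.0/24 is assumed)."""
    scope = ipaddress.ip_network(src_subnet) if src_subnet else None
    hits: List[Hit] = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unparsable line: skip rather than crash the hunt
        if scope is not None:
            try:
                if ipaddress.ip_address(m["src"]) not in scope:
                    continue
            except ValueError:
                continue
        reason = classify(m["dst"], domains, ips)
        if reason:
            hits.append(Hit(m["ts"], m["src"], m["dst"], int(m["port"]), reason))
    return hits


if __name__ == "__main__":
    doms, addrs = load_iocs(DEFANGED_IOCS)
    for h in hunt(SAMPLE_LOGS, doms, addrs, src_subnet="10.20.30.0/24"):
        print(f"{h.ts} {h.src} -> {h.dst}:{h.port}  [{h.reason}]")
```

Matching on the domain and its subdomains is deliberate: the published IP belongs to a commodity VPS provider and will be reassigned, while the domain stays tied to the actor until it is abandoned. For a real hunt, swap `LOG_LINE` for your proxy, DNS or NetScaler syslog format and feed the IOC list from your threat-intel source rather than the hard-coded pair.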

Author style

Punchy: this isn’t a one-off nuisance — Salt Typhoon keeps finding ways into high-value networks. If you’re responsible for network appliances or telco infrastructure, the technical details matter; read them and act.

Why should I read this?

Want a quick heads-up without wading through the full report? This story tells you how miscreants slipped in via Citrix kit, the tricks they used to hide, and that defenders caught it early — which means there are concrete patches and detection lessons you can use right now.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2025/10/20/salt_typhoon_european_telco/