Salt Typhoon, the China-linked APT group that has a penchant for targeting telecommunications companies, has been spotted trying to sneak into yet another one.
The intrusion
“Darktrace observed activity in a European telecommunications organisation consistent with Salt Typhoon’s known tactics, techniques and procedures (TTPs), including dynamic-link library (DLL) sideloading and abuse of legitimate software for stealth and execution,” the British cybersecurity company shared on Monday.
Other attack elements indicating Salt Typhoon’s involvement include:
- The exploitation of a vulnerability in a Citrix NetScaler Gateway appliance for initial access (Salt Typhoon is known for exploiting publicly known vulnerabilities in network equipment)
- The use of the SNAPPYBEE (aka Deed RAT) backdoor, which is a tool shared by different Chinese APT groups
- The use of command and control (C2) infrastructure previously linked to the group and the use of non-standard and layered protocols to evade detection (the backdoor used LightNode VPS endpoints for C2, communicating over both HTTP and an unidentified TCP-based protocol)
After gaining initial access through the Citrix NetScaler Gateway appliance in July 2025, the attackers moved laterally to compromise Citrix Virtual Delivery Agent hosts in the client’s Machine Creation Services (MCS) subnet.
“The backdoor was delivered to these internal endpoints as a DLL alongside legitimate executable files for antivirus software such as Norton Antivirus, Bkav Antivirus, and IObit Malware Fighter,” Darktrace analysts explained.
“This pattern of activity indicates that the attacker relied on DLL side-loading via legitimate antivirus software to execute their payloads. Salt Typhoon and similar groups have a history of employing this technique, enabling them to execute payloads under the guise of trusted software and bypassing traditional security controls.”
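The side-loading pattern the analysts describe (a trusted, signed executable dropped next to an unsigned DLL outside its normal install location) can be turned into a simple image-load check. The following is an added example, not Darktrace's or any vendor's code; the install roots, file names and sample events are constructed placeholders, and the four event fields stand in for what a Sysmon image-load record would carry.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Roots where vendor-installed AV binaries normally live (an assumption for this
# example); a signed AV executable running from anywhere else, next to an
# unsigned DLL, is the side-loading shape described above.
EXPECTED_INSTALL_ROOTS = (
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
)

@dataclass(frozen=True)
class ImageLoad:
    """One image-load event (e.g. Sysmon Event ID 7), reduced to four fields."""
    process_path: str    # executable that performed the load
    image_path: str      # DLL that was mapped into it
    process_signed: bool
    image_signed: bool

def is_suspicious_sideload(ev: ImageLoad) -> bool:
    proc = PureWindowsPath(ev.process_path)
    img = PureWindowsPath(ev.image_path)
    # Side-loading needs a trusted host: an unsigned host is a different, noisier
    # detection, and a signed DLL is not the dropped payload.
    if not ev.process_signed or ev.image_signed:
        return False
    # The loader must find the DLL in the executable's own directory first.
    if img.parent != proc.parent:
        return False
    # Vendor binaries in their normal install location are filtered to cut noise;
    # a stricter ruleset could drop this check and allow-list instead.
    return not any(proc.is_relative_to(root) for root in EXPECTED_INSTALL_ROOTS)

def flag_sideloads(events):
    """Return the events matching the side-loading pattern, in input order."""
    return [ev for ev in events if is_suspicious_sideload(ev)]

# Constructed sample telemetry; paths and file names are placeholders.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Users\Public\Libraries\av_tool.exe",
              r"C:\Users\Public\Libraries\support.dll", True, False),   # flagged
    ImageLoad(r"C:\Program Files\ExampleAV\av_tool.exe",
              r"C:\Program Files\ExampleAV\support.dll", True, False),  # normal install
    ImageLoad(r"C:\Users\Public\Libraries\av_tool.exe",
              r"C:\Windows\System32\kernel32.dll", True, True),          # signed system DLL
    ImageLoad(r"C:\Users\Public\Libraries\dropper.exe",
              r"C:\Users\Public\Libraries\support.dll", False, False),  # unsigned host
]
if __name__ == "__main__":
    for ev in flag_sideloads(SAMPLE_EVENTS):
        print(f"possible DLL side-load: {ev.process_path} -> {ev.image_path}")
```

Path comparison is case-insensitive because PureWindowsPath normalises case, so mixed-case telemetry does not slip past the directory check.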
Fortunately, the intrusion was spotted before the attackers managed to burrow deeper into the target telco’s network.
Thwarting Salt Typhoon
Salt Typhoon, aka Earth Estries and UNC2286, has been active for more than five years.
Its most high-profile compromises were revealed nearly a year ago, when it was discovered that the group had successfully breached a number of US telcos.
According to FBI and CISA officials, during these intrusions they managed to steal subscribers’ call records, intercept phone calls and text messages of governmental employees and politicians, and access wiretap systems set up for lawful communication interception.
Earlier this year, the threat actor was linked to hacks at an unnamed Canadian telecommunications provider, as well as Viasat, a California-based provider of satellite broadband services and secure networking systems.
Salt Typhoon’s activities have been linked by Western cybersecurity agencies to several China-based firms.
“These companies provide cyber-related products and services to China’s intelligence services, including multiple units in the People’s Liberation Army and Ministry of State Security,” the cybersecurity bodies said in a recent joint advisory.
“The data stolen through this activity against foreign telecommunications and Internet service providers (ISPs), as well as intrusions in the lodging and transportation sectors, ultimately can provide Chinese intelligence services with the capability to identify and track their targets’ communications and movements around the world.”
Gregory Richardson, Vice President and Advisory CISO Worldwide at BlackBerry, warns that communications networks have become prime targets for cyber attackers driven by motives ranging from corporate espionage to geopolitical leverage.
While Darktrace shared more recent indicators of compromise, the agencies’ very comprehensive advisory contains:
- Indicators associated with Salt Typhoon’s activities from August 2021 to June 2025
- Information about custom software leveraged by the group
- Threat hunting guidance, and
- Mitigations and general security recommendations for defenders to keep this threat actor out of their networks and systems.