Salt Typhoon, a China-linked advanced persistent threat (APT) group active since 2019, has emerged as one of the most sophisticated cyber espionage operations targeting global critical infrastructure.
Also tracked as Earth Estries, GhostEmperor, and UNC2286, the group has conducted high-impact campaigns against telecommunications providers, energy networks, and government systems across more than 80 countries.
The threat actor leverages zero-day exploits in edge devices including Ivanti, Fortinet, and Cisco appliances to establish initial access, while employing DLL sideloading techniques to maintain stealth and evade traditional signature-based detection mechanisms.
Recent intrusions demonstrate an alarming capability to compromise lawful intercept systems and exfiltrate metadata affecting millions of users.
The group’s operations blend intelligence collection with geopolitical influence, exposing the strategic nature of state-sponsored cyber campaigns.
Darktrace analysts identified early-stage intrusion activity in a European telecommunications organization during July 2025, observing tactics consistent with Salt Typhoon’s known procedures.
The intrusion began with exploitation of a Citrix NetScaler Gateway appliance, allowing the threat actor to pivot to Citrix Virtual Delivery Agent hosts within the organization’s Machine Creation Services subnet.
Initial access originated from infrastructure potentially associated with the SoftEther VPN service, demonstrating infrastructure obfuscation from the outset.
DLL Sideloading and Persistence Mechanisms
The technical sophistication of Salt Typhoon’s operations becomes evident through their systematic abuse of legitimate software for malicious purposes.
Darktrace researchers observed the delivery of the SNAPPYBEE backdoor, also known as Deed RAT, to multiple internal endpoints as DLL files accompanied by legitimate executables from trusted antivirus products.
The threat actor specifically targeted Norton Antivirus, Bkav Antivirus, and IObit Malware Fighter executables to facilitate DLL sideloading.
This technique enabled the group to execute malicious payloads under the guise of trusted security software, effectively bypassing traditional security controls.
The backdoor established command-and-control communications through LightNode VPS endpoints, utilizing both HTTP and an unidentified TCP-based protocol.
HTTP communications featured POST requests with distinctive URI patterns such as “/17ABE7F017ABE7F0”, connecting to the domain aar.gandhibludtric[.]com (38.54.63[.]75), recently linked to Salt Typhoon infrastructure.
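The C2 traffic pattern described above can be turned into a simple detection. The following is an added example, not code from the article or from Darktrace: it runs over constructed proxy log lines (a hypothetical "timestamp src_ip method host path status" format) and flags POSTs to the indicators quoted above, plus, as an assumption generalising the observed URI, any POST whose whole path is a single 16-character upper-case hex segment.

```python
import re
from typing import Dict, List

# Indicators quoted in the article (defanged there; refanged here for matching).
C2_DOMAIN = "aar.gandhibludtric[.]com".replace("[.]", ".")
C2_IP = "38.54.63[.]75".replace("[.]", ".")
# "/17ABE7F017ABE7F0" is 16 upper-case hex characters; assumption: treat any
# POST whose entire path is such a segment as matching the same beacon style.
HEX16_PATH = re.compile(r"^/[0-9A-F]{16}$")

# Constructed sample log (not real traffic): timestamp src_ip method host path status
SAMPLE_LOG = """\
2025-07-14T09:12:01Z 10.20.1.15 POST aar.gandhibludtric.com /17ABE7F017ABE7F0 200
2025-07-14T09:12:05Z 10.20.1.15 GET update.example-av.local /defs/latest.xml 200
2025-07-14T09:13:40Z 10.20.1.22 POST 38.54.63.75 /0A1B2C3D4E5F6071 200
2025-07-14T09:14:02Z 10.20.1.30 POST intranet.example.local /api/upload 204
2025-07-14T09:15:11Z 10.20.1.31 POST cdn.example.net /17ABE7F017ABE7F0 404
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split one space-separated proxy record into named fields."""
    ts, src, method, host, path, status = line.split()
    return {"ts": ts, "src": src, "method": method,
            "host": host, "path": path, "status": status}


def classify(rec: Dict[str, str]) -> List[str]:
    """Return the reasons a record is suspicious; an empty list means benign."""
    reasons = []
    if rec["host"] in (C2_DOMAIN, C2_IP):
        reasons.append("known-c2-endpoint")
    if rec["method"] == "POST" and HEX16_PATH.match(rec["path"]):
        reasons.append("hex16-post-uri")
    return reasons


def find_suspicious(log_text: str) -> List[Dict[str, object]]:
    """Scan a log blob and return every flagged record with its reasons."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = classify(rec)
        if reasons:
            hits.append({"src": rec["src"], "host": rec["host"],
                         "path": rec["path"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

The URI-shape rule alone (fifth sample line) is a weaker signal than an indicator match and is better used to prioritise hosts for DLL sideloading checks than as a standalone alert.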