Hackers Exploit Citrix Flaw and Deploy Snappybee Malware to Breach European Telecom Network

A European telecommunications company has reportedly fallen victim to a cyberattack attributed to Salt Typhoon, a China-linked espionage group. The intrusion, uncovered by Darktrace, began in early July 2025 when the attackers exploited a vulnerability in a Citrix NetScaler Gateway appliance to gain initial access to the organization's internal network. Darktrace's account does not name the specific flaw.

Salt Typhoon: A Persistent and Evolving Threat

Salt Typhoon (also tracked as Earth Estries, FamousSparrow, GhostEmperor, and UNC5807) is a China-linked advanced persistent threat (APT) group. Active since 2019, it is known for operations against telecommunications providers, government entities, and energy infrastructure across the U.S., Europe, and the Middle East.
The group has a history of exploiting security flaws in internet-facing edge devices, maintaining long-term persistence on compromised networks, and exfiltrating sensitive data from victims in more than 80 countries.

How the Attack Unfolded

According to Darktrace, after gaining a foothold through the Citrix appliance, the attackers moved laterally into Virtual Delivery Agent (VDA) hosts within the victim's Machine Creation Services (MCS) subnet. They routed their traffic through SoftEther VPN, a legitimate open-source tool, so that connections appeared to originate from the VPN endpoint rather than from the attackers' real infrastructure.

Snappybee Malware Deployment

During the attack, the threat actors deployed a malware family known as Snappybee (also tracked as Deed RAT), assessed to be a successor to the ShadowPad malware (also known as PoisonPlug).
The malware was executed through DLL side-loading, a technique in which a malicious DLL is placed next to a legitimate, signed executable that loads a library of that name from its own directory; the trusted binary then runs the backdoor code inside its own process. The technique is a long-standing favourite of China-linked threat groups because the parent process is a known, signed application.

Darktrace revealed that the backdoor was delivered alongside legitimate antivirus executables from Norton Antivirus, Bkav Antivirus, and IObit Malware Fighter. Loading the payload through a trusted security product reduces the chance of detection, since endpoint controls and analysts alike tend to trust a signed antivirus process.
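The side-loading pattern described above is detectable from image-load telemetry: a signed executable mapping a DLL from its own directory that is unsigned, or signed by a different publisher than the executable, especially when the executable runs from outside the usual install roots. The following triage script is an added example, not Darktrace's or any vendor's code. The field names mirror a Sysmon Event ID 7 (Image loaded) record (Image, ImageLoaded, Signed, Signature); the executable's own publisher is assumed to come from a separate signature lookup, and every file name, path and publisher in the sample events is constructed for illustration and is not an indicator from the incident.

```python
"""Triage DLL side-loading candidates from image-load telemetry.

Added example, not code from the original article or from Darktrace.
Records mimic Sysmon Event ID 7 fields; sample events are constructed.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories where installed software normally lives. A vendor-signed
# binary executing from anywhere else is itself worth a second look.
TRUSTED_ROOTS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")


@dataclass
class ImageLoad:
    image: str              # Sysmon: Image (the process executable)
    image_loaded: str       # Sysmon: ImageLoaded (the DLL mapped into it)
    image_publisher: str    # assumed enrichment: publisher of the executable
    loaded_signed: bool     # Sysmon: Signed ("true"/"false" in the raw event)
    loaded_publisher: str   # Sysmon: Signature (publisher CN), "" if unsigned


def side_load_findings(events):
    """Return (image, dll, reasons) for loads that look like side-loading."""
    findings = []
    for ev in events:
        exe = PureWindowsPath(ev.image)
        dll = PureWindowsPath(ev.image_loaded)
        if dll.suffix.lower() != ".dll":
            continue
        # Side-loading relies on the DLL search order finding a library in
        # the executable's own directory, so only same-directory loads matter.
        # PureWindowsPath equality is case-insensitive, as on NTFS.
        if exe.parent != dll.parent:
            continue
        reasons = []
        if not ev.loaded_signed:
            reasons.append("unsigned DLL beside signed executable")
        elif ev.loaded_publisher.lower() != ev.image_publisher.lower():
            reasons.append("DLL publisher differs from executable publisher")
        if not str(exe.parent).lower().startswith(TRUSTED_ROOTS):
            reasons.append("executable running outside standard install roots")
        if reasons:
            findings.append((ev.image, ev.image_loaded, reasons))
    return findings


# Constructed sample telemetry (hypothetical names, not incident artefacts).
SAMPLE_EVENTS = [
    # 1. AV-vendor-signed scanner dropped in a user-writable path loading an
    #    unsigned DLL from the same directory: the classic side-load shape.
    ImageLoad(r"C:\Users\Public\av\avscan.exe", r"C:\Users\Public\av\log.dll",
              "Example AV Corp", False, ""),
    # 2. Same scanner in its proper install path loading its own signed engine.
    ImageLoad(r"C:\Program Files\Example AV\avscan.exe",
              r"C:\Program Files\Example AV\engine.dll",
              "Example AV Corp", True, "Example AV Corp"),
    # 3. System DLL from System32: different directory, not a side-load.
    ImageLoad(r"C:\Program Files\Example AV\avscan.exe",
              r"C:\Windows\System32\kernel32.dll",
              "Example AV Corp", True, "Microsoft Windows"),
    # 4. Signed DLL, but by a publisher unrelated to the executable's vendor.
    ImageLoad(r"C:\ProgramData\tool\updater.exe", r"C:\ProgramData\tool\version.dll",
              "Example AV Corp", True, "Some Other Publisher"),
]


def demo_findings():
    """Run the triage over the constructed events (used for the checks)."""
    return side_load_findings(SAMPLE_EVENTS)


if __name__ == "__main__":
    for image, dll, reasons in demo_findings():
        print(f"{image} <- {dll}: {'; '.join(reasons)}")
```

The publisher comparison is deliberately strict: a DLL signed by a different organisation than the executable is flagged even though some legitimate software bundles third-party libraries, so expect to maintain an allow-list of known pairs. Conversely, an unsigned DLL beside a signed vendor binary in a user-writable directory almost never has a benign explanation and should be prioritised.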

Communication and Detection

Once deployed, Snappybee communicated with an external server at aar.gandhibludtric[.]com over both HTTP and an unidentified TCP-based protocol. Defenders should treat that domain as an indicator of compromise and review DNS and proxy logs for connections to it, bearing in mind that the non-HTTP channel will not appear in web-proxy logs alone. Darktrace identified and mitigated the intrusion before it could escalate further.