European telecommunications organization (unnamed in the article)
A China-nexus cyber espionage group, Salt Typhoon (Earth Estries), targeted a European telecommunications provider in early July 2025, exploiting a Citrix NetScaler Gateway vulnerability to gain initial access. The attackers pivoted to internal systems via Citrix Virtual Delivery Agent (VDA) hosts and used SoftEther VPN to mask their origin. They deployed Snappybee (Deed RAT), a successor to the ShadowPad malware, via DLL side-loading against legitimate antivirus executables (Norton, Bkav, IObit). The malware established covert communication with an external C2 server (`aar.gandhibludtric[.]com`). Although Darktrace detected and contained the intrusion before it escalated, the group's tactics (deep persistence, abuse of trusted tools, and attempted data exfiltration) pose severe risks. Salt Typhoon, active since 2019, has historically targeted telecoms, energy, and government systems across 80+ countries. The attack's focus on sensitive data theft and lateral movement suggests potential compromise of customer data, proprietary networks, or state-linked communications, though the report confirmed no explicit data breach. The stealthy nature of the operation highlights the exposure of edge devices and the risk of placing blind trust in legitimate, signed software.

Source: https://thehackernews.com/2025/10/hackers-used-snappybee-malware-and.html

TPRM report: https://www.rankiteo.com/company/etis-driving-collaboration-within-the-european-telecom-industry

{
  "id": "eti4332343102125",
  "linkid": "etis-driving-collaboration-within-the-european-telecom-industry",
  "type": "Cyber Attack",
  "date": "6/2019",
  "severity": "100",
  "impact": "6",
  "explanation": "Attack threatening the economy of geographical region"
}
{'affected_entities': [{'industry': 'Telecommunications',
                        'location': 'Europe',
                        'type': 'Telecommunications Organization'}],
 'attack_vector': ['Exploitation of Citrix NetScaler Gateway Vulnerability',
                   'DLL Side-Loading',
                   'Living-off-the-Land (LotL) Techniques'],
 'data_breach': {'data_exfiltration': 'Attempted (prevented before '
                                      'completion)'},
 'date_detected': '2025-07-01T00:00:00Z',
 'description': 'A European telecommunications organization was targeted by '
                'the China-nexus cyber espionage group Salt Typhoon (also '
                'known as Earth Estries, FamousSparrow, GhostEmperor, and '
                'UNC5807) in early July 2025. The attackers exploited a Citrix '
                'NetScaler Gateway appliance to gain initial access, then '
                'pivoted to Citrix Virtual Delivery Agent (VDA) hosts in the '
                "client's Machine Creation Services (MCS) subnet. They used "
                'SoftEther VPN to obscure their origins and deployed the '
                'Snappybee (Deed RAT) malware via DLL side-loading with '
                'legitimate antivirus executables (Norton, Bkav, IObit). The '
                'malware communicated with an external server '
                "('aar.gandhibludtric[.]com') over HTTP and an unidentified "
                'TCP-based protocol. The intrusion was detected and remediated '
                'by Darktrace before further escalation.',
 'impact': {'brand_reputation_impact': 'Potential (due to APT association and '
                                       'state-sponsored attribution)',
            'systems_affected': ['Citrix NetScaler Gateway',
                                 'Citrix Virtual Delivery Agent (VDA) hosts',
                                 'Machine Creation Services (MCS) subnet']},
 'initial_access_broker': {'backdoors_established': ['Snappybee (Deed RAT) via '
                                                     'DLL side-loading'],
                           'entry_point': 'Citrix NetScaler Gateway appliance',
                           'high_value_targets': ['Citrix VDA hosts in MCS '
                                                  'subnet',
                                                  'Sensitive data '
                                                  '(exfiltration attempted)']},
 'investigation_status': 'Detected and remediated before escalation',
 'lessons_learned': 'Salt Typhoon demonstrates advanced stealth and '
                    'persistence, abusing legitimate tools (e.g., antivirus '
                    'software, VPNs) to evade detection. Conventional security '
                    'methods may fail against such tradecraft; behavioral '
                    'AI-driven detection (e.g., Darktrace) is critical for '
                    'identifying subtle APT activities like DLL side-loading '
                    'and lateral movement via edge devices.',
 'motivation': ['Cyber Espionage',
                'Sensitive Data Theft',
                'Persistence in Target Networks'],
 'post_incident_analysis': {'corrective_actions': ['Patch management for edge '
                                                   'devices',
                                                   'Enhanced monitoring for '
                                                   'LotL techniques',
                                                   'Restriction of '
                                                   'unauthorized VPN usage'],
                            'root_causes': ['Exploitation of unpatched Citrix '
                                            'NetScaler vulnerability',
                                            'Abuse of legitimate antivirus '
                                            'software for DLL side-loading',
                                            'Lateral movement via compromised '
                                            'edge devices (VDA hosts)']},
 'recommendations': ['Patch Citrix NetScaler Gateway and other edge devices '
                     'promptly to mitigate exploitation risks.',
                     'Monitor for DLL side-loading techniques, especially '
                     'involving legitimate antivirus executables.',
                     'Implement network segmentation to limit lateral movement '
                     '(e.g., isolate MCS subnets).',
                     'Deploy behavioral AI/ML-based detection to identify '
                     'stealthy APT activities.',
                     'Audit and restrict VPN usage (e.g., SoftEther) to '
                     'prevent adversary obfuscation.',
                     'Hunt for indicators of Snappybee/Deed RAT and ShadowPad '
                     'malware families.'],
 'references': [{'source': 'Darktrace'}],
 'response': {'containment_measures': ['Detection and remediation of intrusion '
                                       'activity before escalation'],
              'enhanced_monitoring': True,
              'incident_response_plan_activated': True,
              'third_party_assistance': ['Darktrace']},
 'threat_actor': ['Salt Typhoon',
                  'Earth Estries',
                  'FamousSparrow',
                  'GhostEmperor',
                  'UNC5807'],
 'title': 'Salt Typhoon (China-nexus APT) Targets European Telecommunications '
          'Organization via Citrix NetScaler Exploit',
 'type': ['Cyber Espionage',
          'Advanced Persistent Threat (APT)',
          'Data Exfiltration'],
 'vulnerability_exploited': ['Citrix NetScaler Gateway Appliance (unspecified '
                             'CVE)']}