China’s Salt Typhoon Hackers Target European Telecoms

Summary
– Salt Typhoon, a China-linked APT group, targeted a European telecommunications company using known tactics like DLL sideloading and exploiting a Citrix NetScaler Gateway vulnerability for initial access.
– The attackers used the SNAPPYBEE backdoor and LightNode VPS endpoints for command and control, employing non-standard protocols to evade detection.
– After gaining access in July 2025, they moved laterally to compromise Citrix Virtual Delivery Agent hosts and delivered the backdoor via legitimate antivirus software using DLL sideloading.
– Salt Typhoon has a history of high-profile breaches, including stealing call records and intercepting communications at US telcos, and is linked to China-based firms supporting intelligence services.
– Western cybersecurity agencies have issued advisories with indicators of compromise and mitigation strategies to help defenders protect against this threat actor.
A sophisticated cyber espionage campaign linked to the China-aligned threat actor known as Salt Typhoon has been actively targeting European telecommunications providers, employing advanced techniques to infiltrate critical network infrastructure. Security researchers at Darktrace recently documented an intrusion attempt against a major European telecom organization, identifying attack patterns consistent with this group’s established methods. The incident highlights a persistent effort to compromise telecommunications networks for intelligence gathering and surveillance purposes.
The attackers gained initial entry by exploiting a known vulnerability in a Citrix NetScaler Gateway appliance. Once inside, they moved laterally across the network, specifically targeting Citrix Virtual Delivery Agent hosts within the client’s Machine Creation Services subnet. This strategic movement allowed them to position themselves deeper within the operational environment.
A key element of the attack involved the deployment of the SNAPPYBEE backdoor, also referred to as Deed RAT, a remote access tool frequently used by multiple Chinese advanced persistent threat (APT) groups. To avoid raising alarms, the malicious payload was disguised as a dynamic-link library (DLL) and placed alongside legitimate executable files for well-known antivirus programs, including Norton Antivirus, Bkav Antivirus, and IObit Malware Fighter. This technique, known as DLL sideloading, allows attackers to run their malicious code under the cover of trusted software, effectively bypassing many conventional security defenses.
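The sideloading pattern described above is something a defender can hunt for in endpoint file telemetry: a signed executable from a trusted vendor that sits next to a DLL which is unsigned, or signed by someone else, is a candidate, and the signal is stronger when that pair lives in a user-writable folder rather than under Program Files. The script below is an added illustration written for this article, not code from Darktrace or from the report it summarizes. The vendor names, file names and directory layout in the inventory are constructed stand-ins and are not indicators from the campaign; the trusted-publisher and allowed-DLL-publisher lists are assumptions a team would tune to its own estate.

```python
"""Hunt for DLL side-loading candidates in a host file inventory.

Heuristic (MITRE ATT&CK T1574.002): a signed executable from a trusted vendor
that sits beside a DLL which is unsigned, or signed by a different publisher,
is worth a look, more so when the directory is outside the expected install
roots. The inventory below is constructed sample data; vendor and file names
are stand-ins, not real indicators.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class FileRecord:
    path: str
    signed: bool
    publisher: str  # Authenticode signer subject; "" when unsigned


# Publishers whose executables are plausible side-loading hosts (assumed list).
TRUSTED_EXE_PUBLISHERS = {"Example AV Vendor", "Example Security Corp"}
# DLL publishers that legitimately sit beside any vendor's binaries (assumed).
ALLOWED_DLL_PUBLISHERS = {"Microsoft Windows", "Microsoft Corporation"}
# Directories where vendor software is expected to be installed (assumed).
EXPECTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")

# Constructed inventory, as an EDR file census or a disk walk might produce.
SAMPLE_INVENTORY = [
    # Legitimate install: vendor EXE, vendor DLL and a Microsoft runtime DLL.
    FileRecord(r"C:\Program Files\ExampleAV\examplescan.exe", True, "Example AV Vendor"),
    FileRecord(r"C:\Program Files\ExampleAV\scanengine.dll", True, "Example AV Vendor"),
    FileRecord(r"C:\Program Files\ExampleAV\vcruntime140.dll", True, "Microsoft Corporation"),
    # Suspicious: the same vendor EXE copied to a user-writable folder with an
    # unsigned DLL of the expected name beside it (constructed scenario).
    FileRecord(r"C:\Users\Public\Libraries\examplescan.exe", True, "Example AV Vendor"),
    FileRecord(r"C:\Users\Public\Libraries\scanengine.dll", False, ""),
    # Unrelated: unsigned DLL with no trusted EXE next to it (no finding).
    FileRecord(r"C:\Temp\build\helper.dll", False, ""),
]


def find_sideloading_candidates(records):
    """Return one finding per DLL that looks like a side-loading candidate."""
    by_dir = {}
    for rec in records:
        directory = str(PureWindowsPath(rec.path).parent).lower()
        by_dir.setdefault(directory, []).append(rec)

    findings = []
    for directory, files in by_dir.items():
        host_exes = [f for f in files if f.path.lower().endswith(".exe")
                     and f.signed and f.publisher in TRUSTED_EXE_PUBLISHERS]
        if not host_exes:
            continue  # nothing trustworthy here for a DLL to ride on
        exe_publishers = {e.publisher for e in host_exes}
        for f in files:
            if not f.path.lower().endswith(".dll"):
                continue
            if not f.signed:
                reason = "unsigned DLL beside trusted executable"
            elif f.publisher not in exe_publishers | ALLOWED_DLL_PUBLISHERS:
                reason = f"DLL publisher '{f.publisher}' differs from executable publisher"
            else:
                continue  # same vendor or an allow-listed system DLL
            findings.append({
                "dll": f.path,
                "host_exes": [e.path for e in host_exes],
                "reason": reason,
                "outside_expected_root": not directory.startswith(EXPECTED_ROOTS),
            })
    return findings


if __name__ == "__main__":
    for finding in find_sideloading_candidates(SAMPLE_INVENTORY):
        print(finding)
```

Run against the constructed inventory, only the copy under `C:\Users\Public\Libraries` is reported; the vendor's own install directory is clean because its DLLs are signed by the vendor or by Microsoft. In practice the publisher check needs signature verification against the catalog, not just the subject string, and the allow-list needs a baseline from known-good hosts to keep the noise down.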
Command and control communications were carefully concealed using non-standard, layered protocols. The backdoor connected to its operators via LightNode VPS endpoints, utilizing both HTTP and an unidentified TCP-based protocol to blend in with normal network traffic and evade detection. Fortunately, security teams identified the intrusion before the attackers could achieve their ultimate objectives within the telecom’s network.
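Whatever protocol a backdoor wraps its traffic in, polling a command-and-control server leaves a timing signature in flow logs: repeated connections from one internal host to one external host and port at near-regular intervals. The script below is an added example for this article, not Darktrace's detection logic or anything from the incident; it flags such sessions and notes when the destination port is not a standard web port. The flow records, the internal host addresses and the external documentation-range addresses are all constructed, and the thresholds are assumptions a team would tune.

```python
"""Beacon hunt over outbound flow records (constructed sample data).

Groups flows by (source, destination, port, protocol), skips destinations in
the organisation's own address space, and reports sessions whose inter-
connection intervals are regular enough to look like scheduled check-ins.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Address space the organisation treats as internal (assumed; RFC 1918).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Constructed flow log, one record per line: "<iso-timestamp> <src> <dst> <dst_port> <proto>".
# 10.10.5.21 stands in for a VDA host; 203.0.113.45 and 198.51.100.7 are
# documentation addresses standing in for external hosts. None are real IoCs.
SAMPLE_FLOWS = """
2025-07-14T09:00:00 10.10.5.21 203.0.113.45 8443 tcp
2025-07-14T09:05:03 10.10.5.21 203.0.113.45 8443 tcp
2025-07-14T09:10:01 10.10.5.21 203.0.113.45 8443 tcp
2025-07-14T09:15:02 10.10.5.21 203.0.113.45 8443 tcp
2025-07-14T09:20:01 10.10.5.21 203.0.113.45 8443 tcp
2025-07-14T09:25:03 10.10.5.21 203.0.113.45 8443 tcp
2025-07-14T09:30:00 10.10.5.21 203.0.113.45 8443 tcp
2025-07-14T09:35:00 10.10.5.21 203.0.113.45 8443 tcp
2025-07-14T09:00:00 10.10.5.22 198.51.100.7 443 tcp
2025-07-14T09:01:30 10.10.5.22 198.51.100.7 443 tcp
2025-07-14T09:20:00 10.10.5.22 198.51.100.7 443 tcp
2025-07-14T09:21:15 10.10.5.22 198.51.100.7 443 tcp
2025-07-14T09:00:00 10.10.5.21 10.10.1.5 445 tcp
2025-07-14T09:05:00 10.10.5.21 10.10.1.5 445 tcp
2025-07-14T09:10:00 10.10.5.21 10.10.1.5 445 tcp
2025-07-14T09:15:00 10.10.5.21 10.10.1.5 445 tcp
2025-07-14T09:20:00 10.10.5.21 10.10.1.5 445 tcp
2025-07-14T09:25:00 10.10.5.21 10.10.1.5 445 tcp
"""


def parse_flows(text):
    """Parse the whitespace-separated flow format above into tuples."""
    flows = []
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, proto = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port), proto))
    return flows


def is_internal(addr):
    # Explicit ranges rather than ip_address().is_private, which also treats
    # the documentation ranges used in the sample as non-global.
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_beacons(flows, min_conns=6, max_jitter=0.2, standard_ports=(80, 443)):
    """Return sessions whose connection intervals vary by at most max_jitter."""
    sessions = defaultdict(list)
    for ts, src, dst, port, proto in flows:
        if is_internal(dst):
            continue  # east-west traffic is out of scope for this hunt
        sessions[(src, dst, port, proto)].append(ts)

    hits = []
    for (src, dst, port, proto), times in sessions.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg  # coefficient of variation of the interval
        if jitter <= max_jitter:
            hits.append({"src": src, "dst": dst, "dst_port": port, "proto": proto,
                         "count": len(times), "interval_s": round(avg, 1),
                         "jitter": round(jitter, 3),
                         "non_standard_port": port not in standard_ports})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_flows(SAMPLE_FLOWS)):
        print(hit)
```

On the constructed log only the 10.10.5.21 to 203.0.113.45:8443 session is reported: eight connections roughly five minutes apart with a few seconds of jitter. The short, irregular burst to 198.51.100.7 falls under the minimum count, and the SMB traffic to 10.10.1.5 is internal and skipped. A real deployment would run this over hours or days of flow data and add a check against the destination's hosting provider, since the article notes the operators used commodity VPS endpoints.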
Also identified as Earth Estries and UNC2286, Salt Typhoon has been operational for over five years. The group gained significant notoriety last year following revelations of successful breaches at several US telecommunications companies. According to analyses from the FBI and CISA, during those intrusions, the hackers managed to steal subscriber call records, intercept phone calls and text messages belonging to government employees and politicians, and even gain access to systems used for lawful wiretapping.
Earlier this year, the same threat actor was connected to cyberattacks on an unnamed Canadian telecommunications provider and Viasat, a US-based satellite communications and secure networking company. Western cybersecurity agencies have attributed Salt Typhoon’s activities to several companies based in China, noting that these entities provide cyber-related products and services to China’s intelligence services, including units within the People’s Liberation Army and the Ministry of State Security.
The data harvested from these telecommunications and internet service provider intrusions, along with attacks on the transportation and lodging sectors, provides Chinese intelligence services with a powerful capability: the ability to identify, track, and monitor the global communications and movements of their targets.
Gregory Richardson, Vice President and Advisory CISO Worldwide at BlackBerry, emphasizes that communication networks have become high-value targets for cyber attackers. The motivations behind these campaigns are diverse, ranging from corporate espionage to gaining strategic geopolitical advantages.
In response to the ongoing threat, cybersecurity agencies have released a comprehensive advisory containing detailed indicators of compromise associated with Salt Typhoon’s activities from August 2021 through June 2025. This advisory also includes information on the group’s custom software, practical threat hunting guidance, and a list of recommended mitigations and security measures to help defenders protect their networks and systems from this persistent adversary.
(Source: HelpNet Security)