Introduction
A sophisticated cyber-espionage campaign has targeted a European telecommunications organization, leveraging a combination of Snappybee malware and a Citrix NetScaler vulnerability. The operation, attributed to the China-linked threat actor Salt Typhoon (also tracked as Earth Estries, GhostEmperor, FamousSparrow, and UNC5807), underscores the group’s persistent exploitation of edge devices and stealthy infiltration tactics.
Background on Salt Typhoon
Active since at least 2019, Salt Typhoon has been associated with large-scale intrusions across over 80 countries, targeting sectors such as telecommunications, energy, and government systems. The group is notorious for exploiting publicly exposed infrastructure and maintaining deep persistence through sophisticated malware frameworks.
Incident Overview
According to cybersecurity firm Darktrace, the intrusion occurred in early July 2025, when attackers exploited a Citrix NetScaler Gateway appliance to gain initial access into the telecom network. Once inside, they pivoted laterally to Citrix Virtual Delivery Agent (VDA) hosts within the client’s Machine Creation Services (MCS) subnet. To mask their activity, the attackers used SoftEther VPN, effectively concealing their origin and network movements.
Technical Details: Snappybee Malware Deployment
The operation’s hallmark was the deployment of Snappybee (also known as Deed RAT), believed to be a successor to the infamous ShadowPad (PoisonPlug) malware family. The payload was delivered via DLL side-loading, a stealthy technique using legitimate executables to load malicious libraries.
The malware was embedded alongside antivirus executables from vendors such as Norton Antivirus, Bkav Antivirus, and IObit Malware Fighter, taking advantage of trusted processes to evade detection.
Once executed, Snappybee established communication with an external command-and-control (C2) server at aar.gandhibludtric[.]com using both HTTP and a proprietary TCP protocol. Fortunately, Darktrace’s AI-driven monitoring identified and contained the intrusion before significant data exfiltration occurred.
Impact and Threat Assessment
While the immediate attack was mitigated, the incident reflects Salt Typhoon’s continued innovation in using legitimate infrastructure and software to maintain persistence and evade conventional security tools. Their focus on telecom networks signals a broader strategy of intelligence collection and potential disruption of critical communication systems.
Expert Commentary
“Salt Typhoon’s latest activity reaffirms the growing sophistication of Chinese state-aligned espionage operations,” said a Darktrace spokesperson. “Their evolving tradecraft, particularly in leveraging legitimate security software for malware execution, makes detection through traditional means increasingly difficult.”
Outlook
Given Salt Typhoon’s adaptability and the widespread use of Citrix technologies, similar exploitation attempts are expected in the near term. Organizations—especially those in telecom, energy, and government sectors—are urged to:
- Apply Citrix security patches immediately.
- Monitor for DLL side-loading behavior.
- Employ AI-driven anomaly detection to identify stealthy intrusions.