The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

Salt Typhoon Targets European Telecom

Oct 28, 2025 12:48:06 PM / by The Hivemind

SALT TYPHOON

Verticals Targeted: Telecommunications
Regions Targeted: Europe
Related Families: SNAPPYBEE (Deed RAT)

Executive Summary

Salt Typhoon, a China-linked advanced persistent threat (APT) group, has been targeting global critical infrastructure using sophisticated tactics like DLL sideloading and zero-day exploits. Recent activity targeted a European telecommunications entity.

Key Takeaways

  • Salt Typhoon employed DLL sideloading via legitimate antivirus software to deliver the SNAPPYBEE backdoor, evading traditional security controls.
  • The attack likely began with a compromise of a Citrix NetScaler Gateway, followed by pivoting to internal Citrix Virtual Delivery Agent hosts.
  • The threat actor used LightNode VPS endpoints and non-standard protocols for command-and-control, enhancing evasion capabilities.

The Activity

Salt Typhoon, a China-linked advanced persistent threat (APT) group, continues to pose a significant risk to global critical infrastructure, with a recent intrusion detected by Darktrace in a European telecommunications organization. Active since at least 2019, this group targets telecommunications, government, and technology sectors across the United States, Europe, the Middle East, and Africa. Their operations focus on intelligence collection and geopolitical influence, leveraging advanced techniques to maintain persistence and evade detection.

The intrusion, observed in early July 2025, likely began with the compromise of a Citrix NetScaler Gateway appliance, a common entry point for Salt Typhoon. From there, the threat actor pivoted to internal Citrix Virtual Delivery Agent (VDA) hosts within the client’s Machine Creation Services subnet. Initial access was facilitated through infrastructure potentially tied to the SoftEther VPN service, indicating deliberate obfuscation to mask the attack’s origin.

A key component of the attack was the deployment of the SNAPPYBEE backdoor (also known as Deed RAT), delivered via DLL sideloading. This technique involved embedding malicious DLLs alongside legitimate executable files from trusted antivirus software. By exploiting the trust in these applications, the threat actor executed payloads covertly, bypassing traditional signature-based defenses. This method aligns with Salt Typhoon’s history of abusing legitimate tools to blend malicious activities into normal network operations.
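Added defender-side example (not code from this post, from Darktrace or from PolySwarm): a heuristic that flags an executable loading an unsigned or invalidly signed DLL from its own directory, the pattern DLL sideloading beside a trusted antivirus binary produces. The records are constructed to follow Sysmon Event ID 7 (ImageLoaded) field names; the ExampleAV path and file names are hypothetical.

```python
"""Flag DLL loads that fit the sideloading pattern described above.

Constructed records shaped like Sysmon Event ID 7 (ImageLoaded); not
telemetry from the intrusion this bulletin describes.
"""
from pathlib import PureWindowsPath

# Loads from the Windows system directories are the normal search-order result.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed sample events; vendor path and file names are hypothetical.
EVENTS = [
    {"Image": r"C:\Program Files\ExampleAV\avscan.exe",
     "ImageLoaded": r"C:\Program Files\ExampleAV\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},   # DLL planted beside the EXE
    {"Image": r"C:\Program Files\ExampleAV\avscan.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "SignatureStatus": "Valid"},           # expected system copy
    {"Image": r"C:\Program Files\ExampleAV\avscan.exe",
     "ImageLoaded": r"C:\Program Files\ExampleAV\avcore.dll",
     "Signed": "true", "SignatureStatus": "Valid"},           # vendor's own signed DLL
    {"Image": r"C:\Users\Public\avscan.exe",
     "ImageLoaded": r"C:\Users\Public\version.dll",
     "Signed": "true", "SignatureStatus": "Expired"},         # signed, but signature not valid
]


def is_sideload_candidate(ev):
    """True when a process loads a DLL from its own directory and that DLL lacks
    a valid signature. Same-directory loads are how sideloading wins the DLL
    search order; a vendor's genuine DLLs carry a valid signature."""
    exe_dir = str(PureWindowsPath(ev["Image"]).parent).lower()
    dll_dir = str(PureWindowsPath(ev["ImageLoaded"]).parent).lower()
    if dll_dir != exe_dir or dll_dir in SYSTEM_DIRS:
        return False
    trusted = (ev.get("Signed", "").lower() == "true"
               and ev.get("SignatureStatus") == "Valid")
    return not trusted


def find_sideload_candidates(events):
    """Return (process image, loaded DLL) pairs worth investigating."""
    return [(ev["Image"], ev["ImageLoaded"])
            for ev in events if is_sideload_candidate(ev)]


if __name__ == "__main__":
    for exe, dll in find_sideload_candidates(EVENTS):
        print(f"sideload candidate: {exe} loaded {dll}")
```

Tune SYSTEM_DIRS and the signature check to the telemetry you actually collect; the signer name (Sysmon's Signature field) is a useful extra comparison when the loading executable's signer is known.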

For command-and-control (C2), the backdoor communicated with LightNode VPS endpoints using both HTTP and an unidentified TCP-based protocol. The HTTP traffic included POST requests with an Internet Explorer User-Agent header and specific URI patterns. A notable C2 host, aar.gandhibludtric[.]com (38.54.63[.]75), has been recently associated with Salt Typhoon, underscoring the group’s reliance on dynamic and layered infrastructure to avoid detection.
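Added hunting example (not code from this post or from PolySwarm) that triages web proxy records for the HTTP C2 traits described above: any request to the published host or IP is a high-confidence hit, and a POST carrying an Internet Explorer User-Agent from a fleet that no longer runs IE is a low-confidence lead. The log format, source addresses and URIs below are constructed; the URI patterns the bulletin mentions are not published, so the logic does not key on them.

```python
"""Hunt proxy logs for the HTTP C2 pattern described in this bulletin.

Constructed sample lines in a simple space-separated format:
  timestamp src_ip method host uri status "user-agent"
Not real telemetry from the intrusion described on this page.
"""
import re

# Indicators from this bulletin, written defanged; refanged for matching.
C2_HOST = "aar.gandhibludtric[.]com".replace("[.]", ".")
C2_IP = "38.54.63[.]75".replace("[.]", ".")
KNOWN_C2 = {C2_HOST, C2_IP}

# Internet Explorer identifies itself with "MSIE n" (IE 10 and older) or "Trident/n" (IE 11).
IE_UA = re.compile(r"MSIE \d|Trident/\d")

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<uri>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Constructed sample records; hosts other than the bulletin's indicators are placeholders.
SAMPLE_LOGS = [
    '2025-07-03T10:14:02Z 10.20.5.17 POST aar.gandhibludtric.com /index.php 200 '
    '"Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"',
    '2025-07-03T10:14:09Z 10.20.5.17 GET www.example.com / 200 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/126.0 Safari/537.36"',
    '2025-07-03T10:15:30Z 10.20.5.22 POST 38.54.63.75 /upload 200 '
    '"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"',
    '2025-07-03T10:16:01Z 10.20.5.40 POST intranet.example.local /api/submit 200 '
    '"Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"',
    'garbage line that does not parse',
]


def parse(line):
    """Return the record as a dict, or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(lines):
    """Return (high, low): high = any request to a known C2 indicator;
    low = other POSTs with an IE User-Agent, worth a look where IE is retired."""
    high, low = [], []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if rec["host"] in KNOWN_C2:
            high.append(rec)
        elif rec["method"] == "POST" and IE_UA.search(rec["ua"]):
            low.append(rec)
    return high, low
```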

The intrusion highlights Salt Typhoon’s ability to exploit high-impact vulnerabilities in edge devices and maintain long-term access to sensitive environments. Their use of zero-day exploits and obfuscation techniques amplifies the challenge of detecting such threats with conventional methods. PolySwarm analysts continue to monitor for malware associated with Salt Typhoon’s activities targeting critical infrastructure entities.

Who is Salt Typhoon?

Salt Typhoon, also known as Earth Estries, GhostEmperor, FamousSparrow, and UNC2286, is a Chinese state-sponsored advanced persistent threat actor first observed in 2019. Associated with the People's Republic of China, the group conducts extensive cyber espionage campaigns, leveraging sophisticated tools and techniques to infiltrate and persist in victim environments.

Salt Typhoon initiates intrusions by exploiting known vulnerabilities in network appliances, such as Cisco routers (CVE-2019-12625, CVE-2020-3452, CVE-2023-20198), Ivanti Connect Secure (CVE-2023-46805), Citrix NetScaler Gateway (CVE-2023-3519), and Fortinet FortiOS (CVE-2024-21762). Once inside, actors deploy custom malware, including the Demodex kernel-mode rootkit for stealthy remote control, SnappyBee (also known as Deed RAT) for modular backdoor functionality, SparrowDoor loader for payload delivery, and the GhostSpider backdoor to facilitate command execution, data exfiltration, and lateral movement. They employ living-off-the-land techniques, abusing PowerShell and Windows Management Instrumentation Command-line (WMIC) for reconnaissance and credential theft, while using DLL sideloading via legitimate antivirus software to evade detection. To maintain persistence, the group modifies access-control lists to whitelist command-and-control IPs, exposes services like SSH and RDP on non-standard ports, and adds unauthorized keys to existing services.

The group primarily targets the telecommunications sector for wiretap system access and surveillance, alongside government agencies, military networks, and critical infrastructure like energy and transportation. High-profile victims include at least nine U.S. telecom providers, a Canadian telecom firm, and a U.S. state's Army National Guard, with operations spanning over 80 countries including Southeast Asia, Europe, and Africa.

Salt Typhoon operates under the direction of China's Ministry of State Security (MSS), its primary civilian intelligence agency, with support from PRC-based cybersecurity firms, which provide operational infrastructure and expertise. This affiliation underscores the group's role in Beijing's broader strategy for global intelligence dominance and potential disruption capabilities.

IOCs

PolySwarm has a sample associated with this activity.


fc3be6917fd37a083646ed4b97ebd2d45734a1e154e69c9c33ab00b0589a09e5


You can use the following CLI command to search for all Salt Typhoon samples in our portal:

$ polyswarm link list -t SaltTyphoon


Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.


Topics: Threat Bulletin, Telecommunications, Salt Typhoon, DLL sideloading, zero-day exploits, SNAPPYBEE, Citrix NetScaler, cyber espionage
