It's Typhoon season...year round:
China's Salt Typhoon gang appears to have successfully attacked a European telecommunications firm, according to security researchers at Darktrace.
Salt Typhoon is an espionage gang linked to the People's Republic of China that hacked America's major telecommunications firms and stole metadata and other information belonging to "nearly every American," according to a top FBI cyber official who spoke with The Register about the intrusions.
The crew's actions against US telcos came to light last year; however, it has been active since at least 2019 using tactics including exploiting edge devices, planting backdoors for stealthy, long-term network access, and stealing sensitive data across more than 80 countries.
Today's Darktrace report is the latest indication that Salt Typhoon is still actively targeting high-value networks and using stealthy techniques to avoid being caught.
In the European telco intrusion described by Darktrace, the suspected spies exploited a buggy Citrix NetScaler Gateway appliance in the first week of July 2025 to gain access to the telecom's network, according to the AI-powered security shop's research team.
While Darktrace doesn't say which flaw(s) the suspected Chinese snoops abused to break in, Citrix had a busy summer patching security holes in its NetScaler Gateway products that had already been found and exploited by attackers.
"We didn't confirm which one," Nathaniel Jones, field CISO and VP of security and AI strategy at Darktrace, told The Register. "Given the timing, defenders were concurrently patching recent NetScaler flaws (e.g., CVE-2025-5349, CVE-2025-5777 in June)."
[...] After compromising the Citrix NetScaler appliance, the Salt Typhoon miscreants pivoted to Citrix Virtual Delivery Agent (VDA) hosts in the client's Machine Creation Services (MCS) subnet. "Initial access activities in the intrusion originated from an endpoint potentially associated with the SoftEther VPN service, suggesting infrastructure obfuscation from the outset," Darktrace's threat hunters wrote in a Monday blog.
Next, the suspected spies deployed a backdoor to multiple Citrix VDA hosts. "The actor progressed to backdooring multiple Citrix VDA hosts with SNAPPYBEE (aka Deed RAT) and establishing C2 when Darktrace flagged it," Jones told us. "We feel confident it was remediated before the attack escalated. Thus, no dwell time."
Trend Micro researchers previously linked this modular backdoor to Salt Typhoon. Additionally, Darktrace says the intruders used DLL sideloading – also a favorite Salt Typhoon technique – to deliver the backdoor to these internal endpoints.
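DLL sideloading is the technique to watch for in image-load telemetry here: a legitimate, signed executable is copied somewhere writable and a malicious DLL with a name the executable looks up by search order is dropped beside it, so the payload runs under the trusted binary's name. The following is an added example, not code from Darktrace, The Register, or any Salt Typhoon report. It triages constructed Sysmon-style image-load events (Event ID 7 fields) with the heuristic most detection engineers start from: a commonly abused DLL name, loaded from outside the Windows system directories, sitting in the same directory as the loading executable, and failing signature validation. The `ImageLoad` record, the `WATCHLIST`, `TRUSTED_DIRS`, and every path in `SAMPLE_EVENTS` are assumptions for illustration; the article does not name the DLL or the host binary used in this intrusion.

```python
"""Toy DLL-sideloading triage over constructed Sysmon-style image-load events.

Added example, not code from Darktrace or from the intrusion described in the
article. Event records, paths and the DLL watchlist are constructed for
illustration.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable, List

# DLL names that signed Windows and third-party binaries commonly resolve by
# name, and which attackers therefore plant beside a copied legitimate EXE.
# Assumption: a practitioner's starting watchlist, not an authoritative list.
WATCHLIST = {
    "version.dll", "dwmapi.dll", "userenv.dll", "wtsapi32.dll", "cryptbase.dll",
}

# Directories where those DLLs legitimately live (compared lower-cased).
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass(frozen=True)
class ImageLoad:
    """Subset of Sysmon Event ID 7 fields (names mirror Sysmon's)."""
    image: str          # the process executable ("Image")
    image_loaded: str   # the DLL that was mapped ("ImageLoaded")
    signed: bool        # whether the DLL passed signature validation ("Signed")


def is_suspicious_sideload(ev: ImageLoad) -> bool:
    """Flag the classic sideload shape: watchlisted DLL name, loaded from a
    non-system directory that is the loading EXE's own directory, unsigned."""
    dll = PureWindowsPath(ev.image_loaded)
    exe = PureWindowsPath(ev.image)
    if dll.name.lower() not in WATCHLIST:
        return False
    dll_dir = str(dll.parent).lower()
    if dll_dir in TRUSTED_DIRS:
        return False
    same_dir_as_exe = dll_dir == str(exe.parent).lower()
    return same_dir_as_exe and not ev.signed


def triage(events: Iterable[ImageLoad]) -> List[ImageLoad]:
    """Return only the events worth a human look."""
    return [ev for ev in events if is_suspicious_sideload(ev)]


# Constructed sample telemetry (not real logs from the incident).
SAMPLE_EVENTS = [
    # Normal: a system process loading the real version.dll from System32.
    ImageLoad(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\version.dll", signed=True),
    # Sideload: an unsigned version.dll next to a copied EXE in a staging dir.
    ImageLoad(r"C:\ProgramData\Staging\updater.exe",
              r"C:\ProgramData\Staging\version.dll", signed=False),
    # An application shipping its own signed dwmapi.dll: not flagged by this
    # rule (a signed DLL can still be malicious, so this is a triage filter,
    # not proof of benignity).
    ImageLoad(r"C:\Program Files\Vendor\app.exe",
              r"C:\Program Files\Vendor\dwmapi.dll", signed=True),
    # Watchlisted name but loaded from a directory other than the EXE's own:
    # outside this heuristic's shape, so not flagged.
    ImageLoad(r"C:\Users\Public\tool.exe",
              r"C:\Users\Public\libs\userenv.dll", signed=False),
]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"SUSPICIOUS sideload: {hit.image} loaded {hit.image_loaded}")
```

Run against the constructed events, only the second record is reported. The rule is deliberately narrow: it will miss a sideloaded DLL the attacker has signed, and it will miss search-order abuse where the planted DLL sits in a different directory than the executable, so in practice it belongs alongside hash and signer allow-lists rather than in place of them.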
[...] "Based on overlaps in TTPs, staging patterns, infrastructure, and malware, Darktrace assesses with moderate confidence that the observed activity was consistent with Salt Typhoon/Earth Estries (aka GhostEmperor/UNC2286)," the researchers wrote.
They also note that the vendor's security platform identified and stopped the intrusion "before escalating beyond these early stages of the attack."