Suspected Salt Typhoon spies lurking in European telco [theregister.com]:
China's Salt Typhoon gang appears to have successfully attacked a European telecommunications firm, according to security researchers at Darktrace.
Salt Typhoon is an espionage gang linked to the People's Republic of China that hacked America's major telecommunications firms [theregister.com] and stole metadata [theregister.com] and other information belonging to "nearly every American [theregister.com]," according to a top FBI cyber official who spoke with The Register about the intrusions.
The crew’s actions against US telcos came to light last year [theregister.com]; however, it has been active since at least 2019 using tactics including exploiting edge devices, planting backdoors for stealthy, long-term network access, and stealing sensitive data across more than 80 countries.
Today's Darktrace report is the latest indication [theregister.com] that Salt Typhoon is still actively targeting [theregister.com] high-value networks and using stealthy techniques to avoid being caught.
Citrix NetScaler Gateway for the initial access
In the European telco intrusion [darktrace.com] described by Darktrace, the suspected spies exploited a buggy Citrix NetScaler Gateway appliance in the first week of July 2025 to gain access to the telecom's network, according to the AI-powered security shop's research team.
While Darktrace doesn't say which flaw(s) the suspected Chinese snoops abused to break in, Citrix had a busy summer patching security holes in its NetScaler Gateway products that had already been found and exploited by attackers.
"We didn't confirm which one," Nathaniel Jones, field CISO and VP of security and AI strategy at Darktrace, told The Register. "Given the timing, defenders were concurrently patching recent NetScaler flaws (e.g., CVE-2025-5349, CVE-2025-5777 in June)."
In June, Citrix plugged CVE-2025-6543 [theregister.com], a critical memory overflow flaw later reported as exploited in the wild, along with CVE-2025-5777, dubbed CitrixBleed 2 [theregister.com], which was quickly added to CISA's Known Exploited Vulnerabilities (KEV) catalog.
Then in August, Citrix patched these three [theregister.com]: CVE-2025-7775 (dubbed CitrixBleed 3 by some [heise.de]), CVE-2025-7776, and CVE-2025-8424. Citrix rushed out the patches, but miscreants had spotted the vulnerabilities first.
At the time, security maven Kevin Beaumont said CVE-2025-7775 had been exploited as a pre-auth RCE to plant web shells on unpatched boxes.
CISA quickly added the bug to the KEV catalog [cisa.gov], and the Dutch National Cyber Security Centre warned [advisories.ncsc.nl] that mass exploitation was likely.
'Infrastructure obfuscation from the outset'
After compromising the Citrix NetScaler appliance, the Salt Typhoon miscreants pivoted to Citrix Virtual Delivery Agent (VDA) hosts in the client's Machine Creation Services (MCS) subnet component. "Initial access activities in the intrusion originated from an endpoint potentially associated with the SoftEther VPN service, suggesting infrastructure obfuscation from the outset," Darktrace’s threat hunters wrote in a Monday blog.
Next, the suspected spies deployed a backdoor to multiple Citrix VDA hosts. "The actor progressed to backdooring multiple Citrix VDA hosts with SNAPPYBEE (aka Deed RAT) and establishing C2 when Darktrace flagged it," Jones told us. "We feel confident it was remediated before the attack escalated. Thus, no dwell time."
Trend Micro researchers previously linked this modular backdoor [trendmicro.com] to Salt Typhoon. Additionally, Darktrace says the intruders used DLL sideloading [trendmicro.com] – also a favorite Salt Typhoon technique – to deliver the backdoor to these internal endpoints.
DLL sideloading is a stealthy way to execute malware on a victim's machine: a legitimate application is tricked into loading a malicious Dynamic Link Library (DLL) file, which then runs the payload inside the trusted process. In this case, the attackers placed the DLL alongside legitimate executable files for antivirus software, including Norton Antivirus, Bkav Antivirus, and IObit Malware Fighter, so that the backdoor executed under the guise of trusted antivirus tools and evaded detection.
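The detection angle on the technique just described is to look for a DLL that carries a well-known system DLL's name but is loaded from the application's own directory, unsigned, rather than from a Windows system directory. The following is an added example written for this article, not code from Darktrace, Trend Micro or any vendor named here; the field names follow Sysmon Event ID 7 (Image, ImageLoaded, Signed), while the DLL watch-list, the records and the "AVVendor" path are constructed for illustration.

```python
"""Heuristic DLL side-loading detector over constructed Sysmon-style image-load records.

Added example; not code from the article, Darktrace, or any vendor. Field names
follow Sysmon Event ID 7 (Image, ImageLoaded, Signed); the records and the DLL
watch-list are constructed for illustration.
"""
from pathlib import PureWindowsPath

# Directories from which Windows normally serves these DLLs (lower-cased).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed watch-list: DLL names that applications commonly resolve by bare
# name, so a copy dropped next to the EXE wins the search order (assumption).
WATCHED_DLLS = {"version.dll", "wtsapi32.dll", "cryptbase.dll", "dbghelp.dll"}


def is_sideload_candidate(event: dict) -> bool:
    """True when a watched DLL name is loaded from the process's own directory
    instead of a system directory, and the DLL is not signed."""
    image = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    dll_dir = str(dll.parent).lower()
    app_dir = str(image.parent).lower()
    loaded_from_app_dir = dll_dir == app_dir and dll_dir not in SYSTEM_DIRS
    watched_name = dll.name.lower() in WATCHED_DLLS
    unsigned = str(event.get("Signed", "false")).lower() != "true"
    return loaded_from_app_dir and watched_name and unsigned


def find_sideload_candidates(events):
    """Return (RecordNumber, Image, ImageLoaded) for every flagged event."""
    return [(e["RecordNumber"], e["Image"], e["ImageLoaded"])
            for e in events if is_sideload_candidate(e)]


# Constructed sample records. "AVVendor" is a placeholder, not a real product path.
SAMPLE_EVENTS = [
    {   # benign: the AV executable loads version.dll from System32
        "RecordNumber": 1,
        "Image": r"C:\Program Files\AVVendor\avscan.exe",
        "ImageLoaded": r"C:\Windows\System32\version.dll",
        "Signed": "true",
    },
    {   # suspicious: a copy of the executable loads an unsigned version.dll from its own folder
        "RecordNumber": 2,
        "Image": r"C:\Users\Public\avscan.exe",
        "ImageLoaded": r"C:\Users\Public\version.dll",
        "Signed": "false",
    },
    {   # benign: signed vendor DLL that lives beside the EXE by design
        "RecordNumber": 3,
        "Image": r"C:\Program Files\AVVendor\avscan.exe",
        "ImageLoaded": r"C:\Program Files\AVVendor\avengine.dll",
        "Signed": "true",
    },
]

if __name__ == "__main__":
    for hit in find_sideload_candidates(SAMPLE_EVENTS):
        print("side-load candidate:", hit)
```

The third record shows why the watch-list matters: vendors legitimately ship their own DLLs beside the executable, so "loaded from the application directory" alone would be far too noisy; combining it with a system DLL name and a missing signature is what narrows the result to the side-loading pattern.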
Plus, the backdoor used LightNode VPS endpoints for C2, communicating over both HTTP and an unidentified TCP-based protocol, which is another technique Salt Typhoon uses to evade detection. Darktrace spotted the compromised endpoints pinging a particular C2 host, aar.gandhibludtric[.]com (38.54.63[.]75), which is one of the dozens of domains that threat intelligence firm Silent Push last month linked to Salt Typhoon [silentpush.com].
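The two indicators quoted above appear in the defanged form security writers use, so a defender who wants to sweep DNS, connection and proxy logs for them has to refang first. The script below is an added example for this article, not Darktrace's or Silent Push's tooling; the indicator list is taken from the paragraph above, and the log lines, hostnames and internal addresses are constructed.

```python
"""Refang the article's indicators and sweep constructed log lines for them.

Added example; not code from the article, Darktrace or Silent Push. The two
indicators are the ones the article quotes; the log lines are constructed.
"""
import ipaddress
import re

# Indicators as printed in the article (defanged).
DEFANGED_IOCS = ["aar.gandhibludtric[.]com", "38.54.63[.]75"]

# Tokens worth comparing: hostnames, IPs, and their defanged spellings.
_TOKEN_RE = re.compile(r"[A-Za-z0-9.\-\[\]]+")


def refang(indicator: str) -> str:
    """Undo the common [.] and hxxp defanging conventions."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def split_indicators(iocs):
    """Separate a mixed indicator list into (domains, ips), refanged and normalised."""
    domains, ips = set(), set()
    for ioc in iocs:
        clean = refang(ioc).strip().lower()
        try:
            ips.add(str(ipaddress.ip_address(clean)))
        except ValueError:
            domains.add(clean.rstrip("."))
    return domains, ips


def match_indicators(lines, iocs=DEFANGED_IOCS):
    """Return (line_number, matched_value) for each log line touching an indicator.

    A domain indicator matches itself and any subdomain; an IP matches exactly.
    Only the first match per line is reported.
    """
    domains, ips = split_indicators(iocs)
    hits = []
    for number, line in enumerate(lines, 1):
        for token in _TOKEN_RE.findall(line):
            value = refang(token).lower().rstrip(".")
            if value in ips or value in domains or any(
                value.endswith("." + d) for d in domains
            ):
                hits.append((number, value))
                break
    return hits


# Constructed sample log lines: a DNS query, a raw TCP connection to the C2
# address on a non-HTTP port, and an unrelated proxy entry.
SAMPLE_LOGS = [
    "2025-07-03T10:15:02Z dns client=10.20.30.41 qname=aar.gandhibludtric.com qtype=A",
    "2025-07-03T10:15:03Z conn src=10.20.30.41 dst=38.54.63.75:8443 proto=tcp bytes=18234",
    "2025-07-03T10:15:09Z proxy client=10.20.30.42 url=https://updates.example.com/catalog status=200",
]

if __name__ == "__main__":
    for number, value in match_indicators(SAMPLE_LOGS):
        print(f"line {number}: indicator hit {value}")
```

Matching on the IP as well as the domain is deliberate: the article notes the backdoor spoke an unidentified TCP protocol as well as HTTP, so a sweep that only inspects proxy or DNS logs would miss the raw connection in the second constructed line, whereas a flow or firewall log keyed on the destination address still catches it.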
"Based on overlaps in TTPs, staging patterns, infrastructure, and malware, Darktrace assesses with moderate confidence that the observed activity was consistent with Salt Typhoon/Earth Estries (aka GhostEmperor/UNC2286)," the researchers wrote.
They also note that the vendor's security platform identified and stopped the intrusion "before escalating beyond these early stages of the attack." ®