China-linked Salt Typhoon hackers behind cyberattack on European telecom


Cybersecurity firm Darktrace has uncovered a campaign targeting a European telecommunications provider, which it linked to the China-affiliated espionage group known as Salt Typhoon. The attack was first detected in early July and is believed to have started with the exploitation of a Citrix NetScaler Gateway appliance.

The attackers reportedly leveraged advanced tactics consistent with Salt Typhoon’s known methods, including DLL sideloading, zero-day exploits, and abuse of legitimate software, to execute malicious code while evading detection. Early activity was traced to a SoftEther VPN endpoint.

Following the initial breach, the attackers pivoted to Citrix Virtual Delivery Agent (VDA) hosts within the organization’s Machine Creation Services (MCS) subnet. The attackers deployed a backdoor known as SNAPPYBEE (also tracked as Deed RAT), delivered as a malicious DLL alongside legitimate antivirus executables from Norton, Bkav, and IObit.

The backdoor communicated with its command-and-control (C2) infrastructure via LightNode VPS endpoints, using both standard HTTP channels and an unidentified TCP-based protocol. The HTTP communications included POST requests with an Internet Explorer User-Agent header and Target URI patterns previously linked to Salt Typhoon.
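As an added example (not part of the original report), the following Python script shows how a defender could sweep proxy logs for the two traits described above: POST requests carrying a legacy Internet Explorer User-Agent, sent to a bare IP address such as a rented VPS. The log format, the sample lines and the bare-IP heuristic are constructed for this example; the Target URI patterns the report mentions are not reproduced on this page, so the rule does not use them.

```python
import re
from dataclasses import dataclass

# Constructed sample proxy log lines (not from the original report). Assumed format:
# "<timestamp> <src_ip> <method> <url> <status> UA=\"<user-agent>\""
SAMPLE_LOGS = [
    '2025-07-02T08:15:01Z 10.20.5.14 GET https://update.example.test/check 200 UA="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/126.0 Safari/537.36"',
    '2025-07-02T08:15:09Z 10.20.5.14 POST https://203.0.113.45/api/v1/upload 200 UA="Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"',
    '2025-07-02T08:16:30Z 10.20.5.22 POST https://sso.example.test/login 302 UA="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/126.0"',
    '2025-07-02T08:17:45Z 10.20.5.14 POST http://198.51.100.7/news/index.php 200 UA="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0)"',
]

LINE_RE = re.compile(r'^(\S+) (\S+) (GET|POST|PUT|HEAD) (\S+) (\d{3}) UA="([^"]*)"$')
# Legacy Internet Explorer fingerprints; current browsers send neither "MSIE" nor "Trident".
IE_UA_RE = re.compile(r'MSIE \d|Trident/\d')
# Destination is a literal IPv4 address instead of a hostname (assumed heuristic for VPS C2).
IP_HOST_RE = re.compile(r'^https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?/')


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    url: str
    reasons: tuple


def analyse(lines):
    """Return a Finding for every log line that shows both suspicious traits."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, src, method, url, _status, ua = m.groups()
        reasons = []
        if method == "POST" and IE_UA_RE.search(ua):
            reasons.append("POST with legacy Internet Explorer User-Agent")
        if IP_HOST_RE.match(url):
            reasons.append("HTTP(S) request to a bare IP address rather than a hostname")
        # Either trait alone is noisy on a large network; escalate only the combination.
        if len(reasons) == 2:
            findings.append(Finding(ts, src, url, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOGS):
        print(f"{f.ts} {f.src} -> {f.url}: {'; '.join(f.reasons)}")
```

On the constructed sample, only the two POSTs from 10.20.5.14 to bare IP addresses with an MSIE/Trident User-Agent are flagged; the Chrome GET and the Edge login POST are ignored.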

Salt Typhoon (aka Earth Estries, GhostEmperor, and UNC2286) is believed to operate on behalf of the People’s Republic of China. Active since at least 2019, the group has carried out espionage campaigns across more than 80 countries, targeting critical infrastructure, government systems, and telecom networks. The adversary’s campaigns often involve the exploitation of edge devices and high-impact vulnerabilities in widely used products from vendors like Ivanti, Fortinet, and Cisco.

The group was previously known to focus on US-based targets, but the latest attack shows that the threat actor has broadened its reach to Europe and the EMEA region.

Unrelated to this case, the US CISA has warned that malicious actors are now actively exploiting a high-severity Windows SMB privilege escalation vulnerability (CVE-2025-33073) that can allow an attacker to gain SYSTEM privileges on unpatched systems. The security flaw impacts all Windows Server and Windows 10 versions, as well as Windows 11 systems up to Windows 11 24H2.

The agency has also added an Oracle E-Business Suite SSRF flaw (CVE-2025-61884) to its list of actively exploited security vulnerabilities. The flaw resides in Oracle Configurator Runtime UI and can result in the leakage of data.
