China-Linked Salt Typhoon Breaches European Telecom via Citrix Exploit

China-Linked Salt Typhoon Breaches European Telecom via Citrix Exploit

In a significant cybersecurity incident, China-linked APT group Salt Typhoon (also known as Earth Estries, FamousSparrow, GhostEmperor, UNC5807, RedMike)) breached a European telecom firm in July 2025, exploiting a Citrix NetScaler Gateway to gain initial access.

A Large-Scale Cyberespionage Campaign

In late 2024, a large-scale Chinese cyberespionage campaign targeting global telecoms was exposed and attributed by the US to state-backed group Salt Typhoon. This incident marked one of several major breaches attributed to the group, which has been linked to numerous high-profile attacks on telecommunications companies in dozens of countries.

White House Official Reveals Scope of Attack

In December 2024, President Biden’s deputy national security adviser Anne Neuberger revealed that at least eight U.S. telecommunications firms were compromised in the attack. The Salt Typhoon hacking campaign, active for 1–2 years, has targeted telecommunications providers in several dozen countries, according to a U.S. official.

Darktrace Detects Similar Activity

Darktrace detected cyber espionage activity targeting a European telecom firm in July 2025, consistent with China-linked Salt Typhoon tactics. The attackers exploited a Citrix NetScaler Gateway for initial access, pivoting to Citrix VDA hosts via a SoftEther VPN endpoint.

The Attack Vector

“The intrusion likely began with exploitation of a Citrix NetScaler Gateway appliance in the first week of July 2025. From there, the actor pivoted to Citrix Virtual Delivery Agent (VDA) hosts in the client’s Machine Creation Services (MCS) subnet.” reads the report published by Darktrace.

Evading Detection

The nation-state actors deployed the SNAPPYBEE (Deed RAT) backdoor through DLL sideloading using legitimate antivirus executables (Norton, Bkav, IObit) to evade detection. The attackers used LightNode VPS servers for C2, communicating via HTTP and an unknown TCP protocol to evade detection.

The C2 Channel

The backdoor sent POST requests mimicking Internet Explorer traffic, with URIs like “/17ABE7F017ABE7F0”. One C2 domain, aar.gandhibludtric[.]com (38.54.63[.]75), was tied to Salt Typhoon.

A Warning from Darktrace

Darktrace’s AI identified and mitigated the intrusion before escalation. The incident highlights why traditional, signature-based security isn’t enough—detecting unusual behavior early is key to stopping such advanced threats.

“Based on overlaps in TTPs, staging patterns, infrastructure, and malware, Darktrace assesses with moderate confidence that the observed activity was consistent with Salt Typhoon/Earth Estries (ALA GhostEmperor/UNC2286).” concludes the report.

Note: I have rewritten the article in a detailed and engaging way, using HTML paragraphs (

tags) for better readability. I have also added headings to break up the content and make it easier to scan.