Sophisticated Cyber Espionage Campaign Uncovered
Security researchers have identified a cyber intrusion attributed to the China-based threat actor Salt Typhoon, according to a report from cybersecurity firm Darktrace. The operation used a vulnerability in a Citrix NetScaler Gateway appliance to gain initial access to the target network. The group's victims have historically spanned the telecommunications, energy and government sectors across more than 80 countries.
Analysts assess that the group, also tracked as Earth Estries, GhostEmperor and UNC2286, has been active since at least 2019 and typically focuses on long-term persistence within victim networks. The recent campaign shows the group's continued refinement of stealth techniques and its targeting of critical infrastructure globally.
Technical Execution and Evasion Methods
The intrusion began in July 2025 when the attackers compromised a Citrix NetScaler Gateway appliance, according to the technical analysis. From this initial foothold, the threat actors moved laterally to Citrix Virtual Delivery Agent (VDA) hosts on the organization's internal network. The attackers also routed activity through infrastructure associated with SoftEther VPN, an open-source VPN package, to obscure their true origin.
The report states the group deployed a backdoor identified as SNAPPYBEE (also known as Deed RAT) through DLL sideloading. In this technique a malicious DLL is placed in the same directory as a legitimate, signed executable that loads a library of that name, so the malicious code runs inside a process that carries a trusted vendor's signature. The executables abused here belonged to antivirus products from Norton, Bkav and IObit. Because the host process is itself a legitimate security product, signature matching and simple allow-listing are unlikely to object; the more useful signal is a trusted binary running from an unusual location and loading a library beside it that the same vendor did not sign.
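The following is an added example, not code from the Darktrace report, of how that last observation turns into a hunt over endpoint telemetry. It takes image-load events shaped like Sysmon Event ID 7 records (the sample events, paths, products and signer names below are all constructed placeholders, not artifacts from the intrusion) and flags a signed executable that loads a DLL from its own directory when that DLL is unsigned or signed by a different party, while ignoring loads from Windows system directories where co-located loading is normal.

```python
import ntpath
from typing import Dict, List, Optional

# Constructed image-load events in the shape of Sysmon Event ID 7 (ImageLoad) fields.
# Every path, product and signer name is a hypothetical placeholder.
SAMPLE_EVENTS: List[Dict[str, Optional[str]]] = [
    # 1. Signed vendor EXE dropped in a user-writable folder loads an unsigned DLL
    #    from the same folder: the classic sideloading shape.
    {"Image": r"C:\Users\Public\Libraries\avtool\SecurityHost.exe", "ImageSigner": "Example AV Vendor",
     "ImageLoaded": r"C:\Users\Public\Libraries\avtool\log.dll", "DllSigner": None},
    # 2. Same vendor EXE in its install directory loading its own signed DLL: benign.
    {"Image": r"C:\Program Files\ExampleAV\SecurityHost.exe", "ImageSigner": "Example AV Vendor",
     "ImageLoaded": r"C:\Program Files\ExampleAV\log.dll", "DllSigner": "Example AV Vendor"},
    # 3. OS binary loading an OS DLL from System32: benign.
    {"Image": r"C:\Windows\System32\svchost.exe", "ImageSigner": "Microsoft Windows",
     "ImageLoaded": r"C:\Windows\System32\rpcrt4.dll", "DllSigner": "Microsoft Windows"},
    # 4. Vendor EXE loading an OS DLL resolved from System32 (different directory): benign.
    {"Image": r"C:\Users\Public\Libraries\avtool\SecurityHost.exe", "ImageSigner": "Example AV Vendor",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "DllSigner": "Microsoft Windows"},
    # 5. Vendor EXE in %TEMP% loading a same-directory DLL signed by someone else: flagged.
    {"Image": r"C:\Users\alice\AppData\Local\Temp\upd\Updater.exe", "ImageSigner": "Example AV Vendor",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\upd\version.dll", "DllSigner": "Unrelated Publisher"},
]

SYSTEM_ROOT = r"c:\windows"


def _dirname(path: str) -> str:
    # ntpath parses Windows paths correctly even when this runs on Linux; lower-case
    # because NTFS path comparison is case-insensitive.
    return ntpath.dirname(path).lower()


def is_sideload_candidate(ev: Dict[str, Optional[str]]) -> bool:
    """True when a signed EXE loads a same-directory DLL that its own signer did not sign."""
    exe_dir, dll_dir = _dirname(ev["Image"]), _dirname(ev["ImageLoaded"])
    if exe_dir != dll_dir:
        return False            # DLL resolved elsewhere (System32, KnownDLLs, ...)
    if dll_dir.startswith(SYSTEM_ROOT):
        return False            # OS directories: co-located loads are the norm
    exe_signer = ev.get("ImageSigner")
    if not exe_signer:
        return False            # sideloading abuses a *trusted* host binary; unsigned hosts
                                # are a different (and noisier) hunt
    return ev.get("DllSigner") != exe_signer


def find_sideload_candidates(events: List[Dict[str, Optional[str]]]) -> List[Dict[str, Optional[str]]]:
    """Return one finding per suspicious load, preserving input order."""
    return [
        {"exe": ev["Image"], "dll": ev["ImageLoaded"],
         "exe_signer": ev.get("ImageSigner"), "dll_signer": ev.get("DllSigner")}
        for ev in events if is_sideload_candidate(ev)
    ]


if __name__ == "__main__":
    for hit in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"SIDELOAD? {hit['exe']} -> {hit['dll']} "
              f"(exe signer={hit['exe_signer']}, dll signer={hit['dll_signer']})")
```

On real telemetry the signer fields come from Sysmon's `Signed`/`Signature` attributes or an EDR's equivalent; the rule is deliberately indifferent to which vendor's binary is abused, since the report names three different products being used the same way.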
Command and Control Infrastructure
The deployed backdoor communicated with command-and-control servers over both HTTP and unidentified TCP-based protocols, according to the analysis. The HTTP traffic carried Internet Explorer User-Agent headers (a browser Microsoft retired in 2022, so such a header is a weak anomaly signal on its own) and specific URI patterns such as "/17ABE7F017ABE7F0". Researchers identified one C2 domain, aar.gandhibludtric[.]com, that was previously associated with Salt Typhoon infrastructure.
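As an added example (not code from the report), here is how those three HTTP observables combine into a retrospective triage over proxy logs. The log lines are constructed, with hypothetical client addresses and a hypothetical second host; the domain and URI are the ones reported above, with the domain kept defanged in the indicator list and refanged only for matching. The weights are an assumption: the known domain is decisive by itself, the URI is strong enough to surface a second host the indicator list does not yet know about, and the User-Agent alone stays below the alert threshold.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Indicators reported for this intrusion, defanged as published.
KNOWN_C2_HOSTS = {"aar.gandhibludtric[.]com"}
KNOWN_C2_URIS = {"/17ABE7F017ABE7F0"}
# Internet Explorer advertises itself with "MSIE" and/or "Trident". IE was retired in
# 2022, so this is worth a few points, but some Windows components still send it.
IE_UA = re.compile(r"MSIE \d|Trident/\d", re.I)

# Assumed weights (not from the report); threshold chosen so the UA alone never alerts.
W_HOST, W_URI, W_UA, THRESHOLD = 100, 60, 10, 50


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


REFANGED_HOSTS = {refang(h).lower() for h in KNOWN_C2_HOSTS}

# Constructed proxy log: timestamp, client, host, method, uri, user-agent (tab-separated).
SAMPLE_LOG = """\
2025-07-14T09:01:02Z\t10.0.5.23\taar.gandhibludtric.com\tGET\t/17ABE7F017ABE7F0\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)
2025-07-14T09:01:09Z\t10.0.5.23\tcdn.example-updates.net\tPOST\t/17ABE7F017ABE7F0\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)
2025-07-14T09:02:44Z\t10.0.7.8\tintranet.example.local\tGET\t/home\tMozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko
2025-07-14T09:03:10Z\t10.0.7.9\twww.example.com\tGET\t/index.html\tMozilla/5.0 (Windows NT 10.0) Chrome/126.0
"""


def parse(line: str) -> Dict[str, str]:
    ts, client, host, method, uri, ua = line.split("\t", 5)
    return {"ts": ts, "client": client, "host": host.lower(), "method": method, "uri": uri, "ua": ua}


def score_request(req: Dict[str, str]) -> Tuple[int, List[str]]:
    """Score one request and explain which observables fired."""
    score, why = 0, []
    if req["host"] in REFANGED_HOSTS:
        score += W_HOST
        why.append("known Salt Typhoon C2 domain")
    if req["uri"] in KNOWN_C2_URIS:
        score += W_URI
        why.append("URI reported for the backdoor's HTTP C2")
    if IE_UA.search(req["ua"]):
        score += W_UA
        why.append("Internet Explorer User-Agent")
    return score, why


def triage(log_text: str, threshold: int = THRESHOLD) -> Dict[str, Dict[str, object]]:
    """Aggregate per client; return clients whose strongest request meets the threshold.

    Hosts that contributed any score are collected so a URI hit on an unknown
    domain surfaces new infrastructure next to the known one.
    """
    per_client: Dict[str, Dict[str, object]] = defaultdict(
        lambda: {"max_score": 0, "reasons": set(), "hosts": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        req = parse(line)
        score, why = score_request(req)
        entry = per_client[req["client"]]
        entry["max_score"] = max(entry["max_score"], score)  # type: ignore[arg-type]
        entry["reasons"].update(why)                        # type: ignore[attr-defined]
        if score:
            entry["hosts"].add(req["host"])                 # type: ignore[attr-defined]
    return {c: e for c, e in per_client.items() if e["max_score"] >= threshold}  # type: ignore[operator]


if __name__ == "__main__":
    for client, entry in triage(SAMPLE_LOG).items():
        print(client, entry["max_score"], sorted(entry["hosts"]), sorted(entry["reasons"]))
```

The second sample line is the interesting one: its host is not on the indicator list, yet the URI match pulls it into the same client's finding, which is exactly the "correlating disparate signals" point the report makes. The unidentified TCP-based protocol has no such string indicators, so for that channel the fallback is baseline deviation (new external destination, long-lived connection, unusual byte ratios) rather than pattern matching.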
Security analysts suggest the group’s layered communication methods and abuse of legitimate software reflect their continued focus on operational security and persistence. The techniques align with what Darktrace researchers describe as “increasingly blending into normal operations,” making behavioral anomaly detection essential for identification.
Broader Threat Landscape Implications
This incident occurs amid increasing concerns about telecommunications security and critical infrastructure protection globally. The campaign demonstrates how threat actors are evolving beyond traditional detection methods, with Darktrace warning that “detecting behavioral anomalies becomes essential for identifying subtle deviations and correlating disparate signals.”
The security firm emphasized proactive defense in which anomaly-based detection, not just signature matching, surfaces early-stage intrusion activity. This matters most where monitoring is already hard: complex cloud environments, and periods of major service disruption when unusual traffic is easy to dismiss as fallout.
Connections to Previous Operations
Based on overlaps in tactics, infrastructure and malware, researchers assessed this activity as consistent with Salt Typhoon’s previous operations. The group has historically exploited vulnerabilities in technologies from multiple vendors including Citrix, Fortinet and Cisco, targeting high-value sectors across multiple continents.
While the United States has been a frequent target, recent activity shows expanded operations across Europe, the Middle East and Africa. The group's custom malware and evasion techniques have enabled it to collect sensitive data and, in some cases, disrupt essential services, according to historical analysis of its operations.
Understanding DLL sideloading and similar abuse of trusted, signed binaries is crucial for effective defense. For the detailed technical analysis of this intrusion, readers can reference Darktrace's report on the Salt Typhoon campaign.
This article aggregates information from publicly available sources. All trademarks and copyrights belong to their respective owners.