A European telecommunications organisation was targeted in the first week of July 2025 by a threat actor aligned with the China-linked group tracked as Salt Typhoon, security firm Darktrace reported. The attackers gained initial access by exploiting a Citrix NetScaler Gateway appliance.
The actor, tracked as Salt Typhoon and also known as Earth Estries, FamousSparrow, GhostEmperor and UNC5807, has been active since 2019 and has previously targeted telecommunications providers, energy networks and government systems, according to security reporting. The group is known for exploiting flaws in edge devices, maintaining long-term persistence and exfiltrating data from victims in more than 80 countries.
After the initial compromise the attackers moved laterally to Citrix Virtual Delivery Agent hosts in the victim’s Machine Creation Services subnet and used SoftEther VPN to obscure their origins, Darktrace said.
Among the tools deployed was Snappybee, also called Deed RAT, which is regarded as a successor to ShadowPad. Darktrace said the backdoor was delivered by DLL side‑loading alongside legitimate antivirus executables such as Norton Antivirus, Bkav and IObit Malware Fighter, enabling the malicious payloads to execute.
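The side-loading pattern described above (a trusted, signed executable mapping an unsigned DLL from its own directory) can be hunted for in image-load telemetry. The following is an added example written for this article, not code from Darktrace or the report; it uses a simplified heuristic over constructed Sysmon-style ImageLoad records and a hypothetical host binary name, `legit_av.exe`, standing in for the antivirus executables mentioned.

```python
import ntpath
from dataclasses import dataclass

# Directories where a signed DLL is normally expected to reside.
TRUSTED_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")


@dataclass(frozen=True)
class ImageLoad:
    """Minimal Sysmon Event ID 7 (ImageLoad) fields needed for the check."""
    image: str           # executable that performed the load
    image_signed: bool   # signature status of that executable
    loaded: str          # DLL that was mapped into the process
    loaded_signed: bool  # signature status of the DLL


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """A signed host binary mapping an unsigned DLL from its own directory,
    outside the Windows system directories, is the classic side-loading shape."""
    if not ev.image_signed or ev.loaded_signed:
        return False
    # ntpath handles backslash paths regardless of the OS the analyser runs on.
    img_dir = ntpath.dirname(ev.image).lower()
    dll_dir = ntpath.dirname(ev.loaded).lower()
    if dll_dir in TRUSTED_DIRS:
        return False
    return img_dir == dll_dir


def find_sideloads(events):
    """Return (host executable, DLL) pairs that match the heuristic."""
    return [(ev.image, ev.loaded) for ev in events if is_sideload_candidate(ev)]


# Constructed sample events; paths and names are hypothetical, not from the report.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Users\Public\stage\legit_av.exe", True,
              r"C:\Users\Public\stage\log.dll", False),        # side-load shape
    ImageLoad(r"C:\Users\Public\stage\legit_av.exe", True,
              r"C:\Windows\System32\kernel32.dll", True),      # normal system DLL
    ImageLoad(r"C:\Program Files\Vendor\app.exe", True,
              r"C:\Program Files\Vendor\helper.dll", True),    # signed companion DLL
    ImageLoad(r"C:\Users\bob\tool.exe", False,
              r"C:\Users\bob\tool.dll", False),                # no trusted host, out of scope
]

if __name__ == "__main__":
    for image, dll in find_sideloads(SAMPLE_EVENTS):
        print(f"side-load candidate: {image} -> {dll}")
```

The heuristic deliberately ignores unsigned hosts and signed companion DLLs in vendor directories, so it surfaces the trusted-binary abuse the article describes rather than every unsigned load.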
The malware was configured to contact an external server identified as aar.gandhibludtric[.]com over HTTP and an unspecified TCP‑based protocol. Darktrace said the activity was detected and remediated before it could escalate further and warned that the actor’s reuse of trusted software and infrastructure makes detection difficult.
The targeted organisation was not named in the reporting and details about any data loss or the full scope of impact were not provided.