Salt Typhoon, a China-linked espionage group, has once again surfaced, this time in the systems of a European telecommunications provider. Darktrace spotted the signs early: a faint digital pulse of DLL sideloading, a whisper of Citrix exploitation, the careful footsteps of an adversary that knows how to stay unseen.
Salt Typhoon is no newcomer. Active since at least 2019, the group (also known as Earth Estries, GhostEmperor, and UNC2286) has spent years burrowing into critical infrastructure. From telecoms to energy grids and government systems, it has moved through more than 80 countries. The campaign’s hallmarks are precision and patience: custom malware, zero-day exploits, and an uncanny talent for turning trusted software into weapons.
This time, the attack began with a Citrix NetScaler vulnerability in early July. From there, the intruders pivoted through Citrix Virtual Delivery Agent hosts, masking their entry behind the SoftEther VPN service. It was misdirection from the start.
A Familiar Payload
Once inside, they dropped a familiar payload: the SNAPPYBEE backdoor, also known as Deed RAT. It arrived tucked neatly alongside legitimate antivirus executables (Norton, Bkav, IObit), each an unwitting accomplice in the sideloading ruse. The trick is simple but effective: use trusted software to run untrusted code.
Command and control came through LightNode VPS servers: HTTP requests disguised as Internet Explorer traffic, with obscure TCP chatter on the side. Even the C2 domain, aar.gandhibludtric[.]com, bore the fingerprints of Salt Typhoon’s recent work.
Darktrace’s Cyber AI Analyst didn’t need a signature to see the pattern. It pieced together the fragments (tooling, beaconing, pivoting) into a clear picture of intrusion. High-confidence detections surfaced early, halting the operation before it spread deeper.
For Darktrace, the case reinforces the fact that signature-based defenses no longer suffice. When malefactors live off the land and hide behind legitimate tools, only anomaly detection can catch the subtle drift from normal behavior.
Salt Typhoon’s strength lies in its silence. It blends. It borrows. It waits. But in this instance, its patience met precision. A timely detection broke the chain, proving again that in cyber defense, seeing what doesn’t belong is more powerful than knowing what has been seen before.
Highly Intentional, Deterministic
Nivedita Murthy, Senior Staff Consultant at Black Duck, says this scourge has demonstrated its capability to conceal itself within legitimate enterprise software to execute attacks. “These attacks appear to be highly intentional and deterministic. To counter this, security teams must proactively monitor for deviations in the behavior of legitimate software and conduct thorough investigations.”
She says that, generally, unusual behavior from legitimate software is given low priority or ignored. “However, the Salt Typhoon campaign highlights the need for security teams to reassess their policies and processes. They should elevate the severity of such findings and perform checks upon discovery. Additionally, teams should be vigilant for reconnaissance efforts on their networks and software, as these may serve as precursors to future campaigns.”
By adopting a more proactive and vigilant approach, security teams can better detect and respond to threats like Salt Typhoon and confidently unleash business innovation in an era of accelerating risk, Murthy adds.
Expect Stealthy Activity
Jason Soroko, Senior Fellow at Sectigo, says organizations should expect stealthy activity that blends with normal operations when facing Salt Typhoon. “Recent activity shows exploitation of Citrix NetScaler Gateway followed by movement into Citrix Virtual Delivery Agent hosts in Machine Creation Services networks.”
He says the actor favors DLL sideloading and the misuse of legitimate software to achieve execution and cover tracks, often hiding behind infrastructure that looks like SoftEther VPN traffic. “The cluster overlaps with names like Earth Estries, GhostEmperor, and UNC2286, and it is comfortable living off the land with a lot of patience. Success for defenders starts with visibility across edge appliances, VDI and broker tiers, and east-west network paths.”
Soroko adds that security teams should prioritize rapid patching and hardening of NetScaler, strict access controls on VDI, and segmentation that limits lateral movement from MCS subnets.
“Hunt for unusual DLL loads by trusted binaries, unexpected child processes from service hosts, and odd parentage in processes that touch network or credential material. Monitor and challenge VPN-sourced endpoints that appear transient, enforce MFA and device posture for remote access, and tighten application control to reduce sideloading risk. Collect and keep EDR and network telemetry that supports timeline building, then rehearse Citrix containment steps such as draining sessions, pausing brokers, validating golden images, and rotating credentials. Use anomaly-driven analytics to stitch together small deviations into early detection, and pair that with a written playbook for escalation and response.”
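One way to run the hunt Soroko describes for unusual DLL loads by trusted binaries, which is also the sideloading ruse described earlier (a signed antivirus executable carrying an untrusted DLL beside it), as an added example that is not from the article, Darktrace or any vendor named here: it scores constructed Sysmon-style image-load records and flags a vendor-signed host that loads an unsigned or differently signed DLL from its own, non-standard directory. Binary names, publishers and install paths are assumed placeholders.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Install directories for vendor binaries known to be abused as
# sideloading hosts (constructed names and paths, not real products).
EXPECTED_DIRS = {"avhosta.exe": r"C:\Program Files\VendorA"}
# OS-supplied DLLs load from here; those loads are treated as normal.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


@dataclass
class ImageLoad:            # subset of Sysmon Event ID 7 fields
    image: str              # process image path
    image_signer: str       # publisher that signed the process image
    loaded: str             # DLL path (ImageLoaded)
    dll_signer: str         # publisher that signed the DLL, "" if unsigned


def sideload_reasons(ev: ImageLoad) -> list[str]:
    """Return why this load looks like sideloading, or [] if it does not."""
    exe, dll = PureWindowsPath(ev.image), PureWindowsPath(ev.loaded)
    if str(dll.parent).lower().startswith(SYSTEM_DIRS):
        return []
    # Core signal: the DLL sits next to the host binary and is not
    # signed by the host's own publisher (unsigned counts as mismatch).
    colocated = dll.parent == exe.parent
    untrusted = ev.dll_signer != ev.image_signer
    if not (colocated and untrusted):
        return []
    reasons = ["DLL co-located with host binary",
               "DLL unsigned" if not ev.dll_signer
               else f"DLL signer {ev.dll_signer!r} differs from host signer"]
    # Confidence booster: the signed host was copied out of its install dir.
    expected = EXPECTED_DIRS.get(exe.name.lower())
    if expected and str(exe.parent).lower() != expected.lower():
        reasons.append(f"host running outside {expected}")
    return reasons


def hunt(events: list[ImageLoad]) -> list[tuple[str, str, list[str]]]:
    return [(ev.image, ev.loaded, r) for ev in events if (r := sideload_reasons(ev))]


# Constructed telemetry: two benign loads and one sideloading pattern.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\VendorA\avhostA.exe", "Vendor A Inc",
              r"C:\Windows\System32\kernel32.dll", "Microsoft Windows"),
    ImageLoad(r"C:\Program Files\VendorA\avhostA.exe", "Vendor A Inc",
              r"C:\Program Files\VendorA\avplugin.dll", "Vendor A Inc"),
    ImageLoad(r"C:\ProgramData\Update\avhostA.exe", "Vendor A Inc",
              r"C:\ProgramData\Update\avcore.dll", ""),
]
```

Only the third record trips the heuristic; a vendor's own signed plugin loaded from the install directory does not, which keeps the hunt from drowning in benign co-located loads.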
Moving Beyond Signature-Based Detection
Neil Pathare, Associate Principal Consultant at Black Duck, believes that moving beyond signature-based detection is necessary when dealing with such intrusion activity. “Security teams should always implement a zero-trust model for continued verification and organizations should continuously monitor for unusual processes and suspicious behavior on peripheral devices as well as specialized network appliances. Doing so contributes to ensuring uncompromised trust in software and allows organizations to confidently unleash business innovation in an era of accelerating risk.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.