China-Linked Salt Typhoon breaches European Telecom via Citrix exploit

The intrusion likely began with exploitation of a Citrix NetScaler Gateway appliance in the first week of July 2025. From there, the actor pivoted to Citrix Virtual Delivery Agent (VDA) hosts in the client’s Machine Creation Services (MCS) subnet. Initial access activities in the intrusion originated from an endpoint potentially associated with the SoftEther VPN service, suggesting infrastructure obfuscation from the outset.

The nation-state actors deployed the SNAPPYBEE (Deed RAT) backdoor through DLL sideloading using legitimate antivirus executables (Norton, Bkav, IObit) to evade detection.

The attackers used LightNode VPS servers for C2, communicating via HTTP and an unknown TCP protocol to evade detection. The backdoor sent POST requests mimicking Internet Explorer traffic, with URIs like “/17ABE7F017ABE7F0”. One C2 domain, aar.gandhibludtric.com (38.54.63[.]75), was tied to Salt Typhoon.
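
As an added example, not code from the post or from the Security Affairs article it summarizes, the following Python scanner runs over constructed proxy-log lines and flags requests matching the C2 indicators quoted above. The log format is invented, and treating the single sample URI "/17ABE7F017ABE7F0" as one instance of a "/<8 hex chars><same 8 hex chars>" pattern is an assumption to be tuned against real samples.

```python
import re

# Indicators quoted in the post (the defanged IP is written plainly here for matching).
KNOWN_C2_HOSTS = {"aar.gandhibludtric.com", "38.54.63.75"}

# Assumption, not from the post: the sample URI "/17ABE7F017ABE7F0" is treated as
# one instance of a "/<8 hex><same 8 hex>" pattern. Adjust if real samples differ.
URI_PATTERN = re.compile(r"^/([0-9A-F]{8})\1$")

# Constructed proxy-log line format: ts src method scheme://host/uri status "user-agent"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) https?://(?P<host>[^/\s]+)'
    r'(?P<uri>/\S*) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

SAMPLE_LOG = """\
2025-07-03T10:14:05Z 10.20.30.40 POST http://aar.gandhibludtric.com/17ABE7F017ABE7F0 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"
2025-07-03T10:14:09Z 10.20.30.41 GET http://intranet.example.local/index.html 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/126.0"
2025-07-03T10:15:31Z 10.20.30.40 POST http://38.54.63.75/5A5A5A5A5A5A5A5A 200 "Mozilla/4.0 (compatible; MSIE 8.0)"
2025-07-03T10:16:02Z 10.20.30.42 POST http://updates.example.local/api/v1/report 204 "ExampleUpdater/2.1"
2025-07-03T10:17:44Z 10.20.30.43 POST http://cdn.example.net/0BADF00D0BADF00D 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/126.0"
"""

def parse_line(line: str) -> dict[str, str]:
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparsed log line: {line!r}")
    return m.groupdict()

def classify(entry: dict[str, str]) -> list[str]:
    """Return the reasons this request resembles the beaconing described in the post."""
    reasons = []
    if entry["host"].lower() in KNOWN_C2_HOSTS:
        reasons.append("known_c2_host")
    if entry["method"] == "POST" and URI_PATTERN.match(entry["uri"]):
        reasons.append("c2_uri_pattern")
        # Corroborating signal only: a legacy IE user agent beside the URI pattern.
        if "MSIE" in entry["ua"]:
            reasons.append("legacy_msie_ua")
    return reasons

def scan_log(text: str) -> list[dict]:
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        reasons = classify(entry)
        if reasons:
            hits.append({"src": entry["src"], "host": entry["host"], "uri": entry["uri"], "reasons": reasons})
    return hits
```

A hit on `known_c2_host` is actionable on its own; a hit on `c2_uri_pattern` alone (the cdn.example.net line) is a lead to pivot on, not a verdict.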

To read the complete article, see: Security Affairs

This post is licensed under CC BY 4.0 by the author.