Salt Typhoon Intrusion in European Telecommunications Organization

Threat Profile

Description

Salt Typhoon (aka Earth Estries, GhostEmperor, UNC2286), a China-linked cyber espionage APT group, conducted an intrusion against a European telecommunications organization in July 2025. The attack involved exploitation of Citrix NetScaler Gateway, DLL sideloading via legitimate antivirus software to deploy SNAPPYBEE backdoor, and use of VPS infrastructure for command and control. Darktrace detected early-stage intrusion activity including tooling delivery and C2 communications before escalation.

MITRE ATT&CK Techniques

T1190 - Exploit Public-Facing Application
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1071.001 - Application Layer Protocol: Web Protocols
T1071 - Application Layer Protocol
T1090 - Proxy
T1133 - External Remote Services

Related Entities

Indicators of Compromise (3)

38.54.63[.]75
IP address for C2 domain aar.gandhibludtric[.]com
aar.gandhibludtric[.]com
C2 domain used by SNAPPYBEE backdoor, recently linked to Salt Typhoon
89.31.121[.]101
Possible C2 server

Metadata

Published

7 months ago
