Chinese APT Salt Typhoon Targets European Telecom with SNAPPYBEE Backdoor

China-Linked Salt Typhoon APT Exploits Citrix Vulnerability to Deploy SNAPPYBEE Backdoor in Attack on European Telecom Firm

HIGH
October 21, 2025
5m read
Threat Actor, Cyberattack, Malware

Related Entities

Threat Actors

  • Salt Typhoon

Products & Tech

  • Citrix NetScaler Gateway
  • Citrix Virtual Delivery Agent
  • Norton Antivirus
  • Bkav Antivirus
  • IObit Malware Fighter

Other

  • SNAPPYBEE (Deed RAT)
  • LightNode VPS

Full Report

Executive Summary

Salt Typhoon, a sophisticated Advanced Persistent Threat (APT) group linked to the People's Republic of China, was recently observed attempting to infiltrate a European telecommunications organization. The campaign, which began in July 2025, leveraged a known vulnerability in a Citrix NetScaler Gateway for initial access. The attackers then deployed a backdoor called SNAPPYBEE (also known as Deed RAT), a tool shared among several Chinese APTs. To evade security controls, the group used DLL side-loading, masking their malware with legitimate executables from security vendors. The intrusion was detected and thwarted by Darktrace in its early stages, preventing significant damage. This incident highlights the persistent threat of nation-state actors targeting critical infrastructure for espionage and prepositioning.

Threat Overview

The attack showcases a classic APT methodology focused on stealth and persistence. Salt Typhoon gained initial access by exploiting a vulnerability in a Citrix NetScaler Gateway appliance. Once inside, they moved laterally to Citrix Virtual Delivery Agent hosts. The core of their post-exploitation activity was the deployment of the SNAPPYBEE backdoor. The attackers employed advanced evasion tactics, notably DLL side-loading, where the malicious SNAPPYBEE.dll was placed in the same directory as legitimate, signed executables from well-known antivirus products like Norton Antivirus, Bkav Antivirus, and IObit Malware Fighter. This causes the legitimate application to load the malicious DLL, allowing the backdoor to execute under the guise of a trusted process. For command-and-control (C2), the group utilized LightNode VPS endpoints and non-standard protocols to further obscure their communications.

Technical Analysis

The attack chain demonstrates a combination of common and advanced techniques:

  • Initial Access: T1190 - Exploit Public-Facing Application. The group exploited a vulnerability in a Citrix NetScaler Gateway, a common target for APTs seeking entry into corporate networks.
  • Execution and Defense Evasion: T1574.002 - DLL Side-Loading. This was the key technique for executing the SNAPPYBEE backdoor. By placing their malicious DLL alongside a legitimate executable (e.g., NortonSecurity.exe), they abused the Windows DLL search order to load their malware. This is a highly effective method for bypassing application whitelisting and deceiving security analysts.
  • Command and Control: T1071 - Application Layer Protocol. The use of non-standard protocols for C2 communications is a common tactic to evade signature-based network detection. The use of commercial VPS providers like LightNode helps obscure the true origin of the C2 infrastructure.
  • Persistence: While not explicitly detailed, backdoors like SNAPPYBEE typically establish persistence through methods like T1547.001 - Registry Run Keys / Startup Folder to ensure they survive system reboots.

Impact Assessment

Although this specific attack was detected early, a successful intrusion by Salt Typhoon could have severe consequences for a telecommunications provider. The primary goal of such an attack is typically cyber-espionage, including the theft of sensitive customer data, intellectual property, and network configuration details. A secondary goal is often prepositioning, where the attacker maintains long-term access to the network, allowing them to launch disruptive attacks or further espionage campaigns at a later date. Compromise of a major telecom can have cascading effects on national security, government communications, and the economy.

Cyber Observables for Detection

Security teams should hunt for indicators of this activity:

  • Type: process_name. Value: NortonSecurity.exe, Bkav.exe, etc. Description: Monitor legitimate antivirus processes that are executing from unusual file paths or spawning unexpected network connections.
  • Type: file_name. Value: SNAPPYBEE.dll or similar suspicious DLLs. Description: Hunt for DLLs with names associated with known backdoors located in directories with legitimate executables.
  • Type: command_line_pattern. Value: rundll32.exe [suspicious_dll], [export_function]. Description: Monitor for rundll32.exe being used to execute suspicious DLLs, a common loader technique.
  • Type: network_traffic_pattern. Value: Traffic to known VPS provider IP ranges. Description: Baseline and monitor traffic to cloud and VPS providers like LightNode, especially from sensitive hosts like VDA servers.

Detection & Response

Detecting DLL side-loading requires focusing on process relationships and behaviors.

  1. Process Monitoring: Use an EDR solution to perform D3-PA: Process Analysis. Create detection rules that alert when a legitimate, signed process (like an AV executable) loads an unsigned or newly created DLL from the same directory. Monitor for processes making network connections to unusual external IP addresses.
  2. File Integrity Monitoring: Implement D3-FA: File Analysis on critical systems and application directories. Alert on the creation of new DLL files in directories that contain trusted executables, especially those for security products.
  3. Network Traffic Analysis: Employ D3-NTA: Network Traffic Analysis to identify C2 communications. Since attackers used non-standard protocols, focus on identifying long-lived, low-and-slow connections or connections to known malicious or newly registered domains/IPs. Encrypted traffic analysis and JA3/JA3S fingerprinting can help identify malicious TLS traffic.

Mitigation

Defending against this type of attack requires a defense-in-depth strategy.

  • Application Control: Implement application control solutions like AppLocker to restrict which executables and DLLs are allowed to run. A properly configured policy can prevent a legitimate application from loading an unauthorized DLL. This is a form of D3-EAL: Executable Allowlisting.
  • Patch Management: Keep public-facing appliances like Citrix NetScaler fully patched to prevent initial access. This is a fundamental aspect of D3-SU: Software Update.
  • Attack Surface Reduction: Harden systems by enabling Attack Surface Reduction (ASR) rules in Microsoft Defender, such as the rule that blocks processes originating from PSExec and WMI commands, which can disrupt lateral movement.
  • System Hardening: Follow vendor guidance for hardening Citrix environments, including restricting access to management interfaces and disabling unnecessary services.

Timeline of Events

  1. July 1, 2025: The intrusion attempt by Salt Typhoon began.
  2. October 21, 2025: This article was published.

MITRE ATT&CK Mitigations

  • Use application control technologies to control the execution of DLLs, preventing unauthorized libraries from being loaded by trusted applications.
  • Audit (M1047, Enterprise): Enable detailed process and DLL load logging to detect suspicious behavior, such as a process loading a DLL from a non-standard path.
  • Keep public-facing applications like Citrix NetScaler patched to prevent them from being used as an initial access vector.

D3FEND Defensive Countermeasures

To specifically counter the DLL side-loading technique used by Salt Typhoon, deploy an EDR solution capable of deep process inspection. Configure detection rules to monitor parent-child process relationships and DLL load events. Create high-fidelity alerts for when a legitimate, signed process (like the noted Norton, Bkav, or IObit executables) loads an unsigned DLL or a DLL that was recently written to disk. Baselining normal DLL loads for these applications is critical. Any deviation, such as loading a DLL from a user-writable path instead of C:\Program Files, should be treated as a high-priority incident.

Implement a strict application control policy that governs not only which executables can run but also which DLLs they are permitted to load. Tools like Windows Defender Application Control (WDAC) can be configured with rules that specify the required signer or hash for any DLL loaded by a protected process. For the applications abused by Salt Typhoon, a rule could be created to ensure they only load DLLs signed by their respective vendors (e.g., NortonLifeLock). This proactively blocks the side-loading execution path, rather than just detecting it.

Given Salt Typhoon's use of LightNode VPS for C2, network traffic analysis is key for detection. Since the attackers use non-standard protocols, signature-based detection may fail. Instead, focus on behavioral and anomaly detection. Monitor for connections from critical assets like Citrix Virtual Delivery Agent hosts to known VPS provider IP address ranges. Analyze TLS traffic using techniques like JA3/JA3S fingerprinting to identify malicious C2 clients that may be masquerading as legitimate traffic. Alert on long-lived, periodic connections with small data payloads (heartbeats) or on unexpected large egress transfers.
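The heartbeat and egress behaviours called out above and in step 3 of the Detection & Response section can be scored from ordinary flow records without any protocol signature. The following is an added example, not code from the article or from Darktrace: it groups flows by source, destination and port, measures how regular the inter-arrival times are (coefficient of variation), checks payload size, and tags destinations that fall in a VPS range. The CIDR blocks are constructed placeholders standing in for a provider's published prefixes, the thresholds are assumptions to tune per environment, and the flow records are constructed.

```python
"""Beacon and bulk-egress detection over constructed flow records.

Added example, not from the article or the Darktrace report. Flow dicts use
the fields ts (ISO 8601), src, dst, dport and bytes_out; thresholds and the
VPS ranges below are assumptions, not real provider allocations.
"""
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed placeholder ranges (RFC 5737 documentation space) standing in
# for a VPS provider's allocations; load the provider's real prefixes in use.
VPS_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
              ipaddress.ip_network("198.51.100.0/24")]
MIN_CONNECTIONS = 6          # need enough samples to judge periodicity
MAX_JITTER_CV = 0.2          # stdev / mean of inter-arrival gaps
SMALL_PAYLOAD_BYTES = 1500   # a heartbeat sends very little per connection
LARGE_EGRESS_BYTES = 50 * 1024 * 1024


def in_vps_range(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VPS_RANGES)


def analyze_flows(flows: list) -> list:
    """Return findings of type 'beacon' or 'large_egress' per (src, dst, dport)."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"], f["dport"])].append(f)
    findings = []
    for (src, dst, dport), conns in by_pair.items():
        conns.sort(key=lambda f: datetime.fromisoformat(f["ts"]))
        base = {"src": src, "dst": dst, "dport": dport,
                "vps_destination": in_vps_range(dst)}
        total_out = sum(f["bytes_out"] for f in conns)
        if total_out >= LARGE_EGRESS_BYTES:
            findings.append({**base, "type": "large_egress", "bytes_out": total_out})
        if len(conns) < MIN_CONNECTIONS:
            continue
        times = [datetime.fromisoformat(f["ts"]) for f in conns]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap else float("inf")
        median_out = statistics.median(f["bytes_out"] for f in conns)
        # Regular timing plus tiny payloads is the heartbeat shape; a human
        # browsing or a backup job does not produce this on its own.
        if cv <= MAX_JITTER_CV and median_out <= SMALL_PAYLOAD_BYTES:
            findings.append({**base, "type": "beacon",
                             "period_s": round(mean_gap),
                             "jitter_cv": round(cv, 3),
                             "connections": len(conns)})
    return findings


def constructed_flows() -> list:
    """Constructed sample: a VDA host beaconing every ~300 s plus normal SMB traffic."""
    start = datetime(2025, 7, 1, 9, 0, 0)
    flows = []
    for off in (0, 302, 598, 901, 1199, 1503, 1798, 2102):   # ~300 s with jitter
        flows.append({"ts": (start + timedelta(seconds=off)).isoformat(),
                      "src": "10.20.30.40", "dst": "203.0.113.55",
                      "dport": 8443, "bytes_out": 412})
    for off, size in ((15, 90000), (61, 3000), (900, 250000), (905, 1200), (2400, 70000)):
        flows.append({"ts": (start + timedelta(seconds=off)).isoformat(),
                      "src": "10.20.30.40", "dst": "10.0.0.5",
                      "dport": 445, "bytes_out": size})
    return flows


if __name__ == "__main__":
    for finding in analyze_flows(constructed_flows()):
        print(finding)
```

Because the score is built from timing and volume only, it applies equally to TLS, a custom binary protocol, or anything else the backdoor chooses to speak; JA3/JA3S fingerprinting is a separate, complementary signal that this example does not implement.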

Sources & References

  • "China-linked Salt Typhoon hackers attempt to infiltrate European telco", Help Net Security (helpnetsecurity.com), October 20, 2025
  • "Salty Much: Darktrace's view on a recent Salt Typhoon intrusion", Darktrace (darktrace.com), October 20, 2025
  • "2025 Cyber Incident Trends: What Your Business Needs to Know", Mayer Brown (mayerbrown.com), October 20, 2025

Article Author

Jason Gomes

  • Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

SaltTyphoon, APT, China, SNAPPYBEE, DLLSideloading, Citrix, Telecommunications
