European Telecommunications Provider Targeted in Sophisticated Cyberattack
Security researchers at Darktrace have identified what they assess to be a cyberespionage operation against a European telecommunications firm, with evidence pointing to the China-linked threat actor known as Salt Typhoon. According to their report, the intrusion occurred in early July 2025 and involved the exploitation of vulnerable Citrix NetScaler Gateway appliances to gain initial network access.
Connection to Broader Cyberespionage Campaign
Analysts suggest this incident represents the latest activity from Salt Typhoon, a group that security officials have previously linked to extensive operations against telecommunications providers. The FBI previously disclosed that the group had compromised American telecom networks, stealing metadata belonging to “nearly every American” according to official statements. The group has been active since at least 2019 and has targeted organizations across more than 80 countries.
Exploitation of Citrix Vulnerabilities
The report states that attackers exploited security flaws in Citrix NetScaler Gateway appliances during the first week of July 2025. While researchers didn’t confirm the specific vulnerability used, sources indicate the timing coincided with defenders patching several recent Citrix flaws, including CVE-2025-5349 and CVE-2025-5777 from June 2025.
According to the analysis, Citrix had a busy summer addressing multiple critical vulnerabilities, including CVE-2025-6543, a memory overflow flaw reportedly exploited in the wild, and CVE-2025-5777, which security researchers dubbed “CitrixBleed 2.” The Cybersecurity and Infrastructure Security Agency (CISA) quickly added this vulnerability to its Known Exploited Vulnerabilities catalog.
In August 2025, Citrix addressed three additional vulnerabilities – CVE-2025-7775 (called CitrixBleed 3 by some researchers), CVE-2025-7776, and CVE-2025-8424 – though security experts noted attackers had already begun exploiting these flaws before patches were available.
Sophisticated Attack Methodology
After compromising the Citrix NetScaler appliance, analysts suggest the attackers pivoted to Citrix Virtual Delivery Agent (VDA) hosts within the client’s Machine Creation Services subnet. Darktrace’s threat hunters noted that initial access activities potentially originated from an endpoint associated with the SoftEther VPN service, indicating infrastructure obfuscation from the beginning of the operation.
The suspected spies then deployed a backdoor to multiple Citrix VDA hosts. According to Darktrace’s field CISO Nathaniel Jones, “The actor progressed to backdooring multiple Citrix VDA hosts with SNAPPYBEE (aka Deed RAT) and establishing C2 when Darktrace flagged it.” Researchers at Trend Micro had previously linked this modular backdoor to Salt Typhoon operations.
Evasion Techniques and Infrastructure
The attackers employed several sophisticated techniques to avoid detection, including:
- DLL sideloading: Using legitimate applications including Norton Antivirus, Bkav Antivirus, and IObit Malware Fighter to load malicious Dynamic Link Library files
- LightNode VPS endpoints: Utilizing these for command and control communication over both HTTP and an unidentified TCP-based protocol
- Infrastructure overlap: Using domains previously linked to Salt Typhoon by threat intelligence firm Silent Push, including aar.gandhibludtric[.]com (38.54.63[.]75)
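As an added defender-side illustration (not code from Darktrace or the report), the two detections a SOC would most likely write from the list above: a coarse Sysmon Event ID 7 heuristic for DLL sideloading from a non-system directory, and a proxy-log match against the published indicator. The vendor paths and log lines are constructed placeholders; only the defanged domain and IP come from the report.

```python
"""Defender-side checks for two of the behaviours listed above: DLL sideloading
and C2 traffic to the published indicator. Field names follow Sysmon Event ID 7
(ImageLoad) and a generic proxy log; all records here are constructed."""

# Indicators quoted in the report, kept defanged exactly as published.
DEFANGED_IOCS = ["aar.gandhibludtric[.]com", "38.54.63[.]75"]

def refang(ioc: str) -> str:
    """Turn a defanged indicator ('[.]') back into a matchable value."""
    return ioc.replace("[.]", ".").lower()

IOCS = {refang(i) for i in DEFANGED_IOCS}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def matches_ioc(destination: str) -> bool:
    """True if a proxy/DNS destination is the indicator or a subdomain of it."""
    dest = destination.lower().rstrip(".")
    return any(dest == i or dest.endswith("." + i) for i in IOCS)

def is_sideload_candidate(event: dict) -> bool:
    """Coarse Sysmon Event 7 heuristic: a process outside the Windows directory
    loads an unsigned DLL from its own folder. Tune an allow-list per estate."""
    image, dll = event["Image"].lower(), event["ImageLoaded"].lower()
    if dll.startswith(SYSTEM_DIRS) or image.startswith("c:\\windows\\"):
        return False
    same_dir = dll.rsplit("\\", 1)[0] == image.rsplit("\\", 1)[0]
    return same_dir and event.get("Signed", "false").lower() != "true"

def proxy_hits(lines: list[str]) -> list[str]:
    """Return destinations from 'timestamp src dst' proxy lines that match an IoC."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 3 and matches_ioc(parts[2]):
            hits.append(parts[2])
    return hits

if __name__ == "__main__":
    # Constructed sample events; 'ExampleAV' is a placeholder, not a real product path.
    events = [
        {"Image": r"C:\Program Files\ExampleAV\exampleav.exe",
         "ImageLoaded": r"C:\Program Files\ExampleAV\helper.dll", "Signed": "false"},
        {"Image": r"C:\Program Files\ExampleAV\exampleav.exe",
         "ImageLoaded": r"C:\Windows\System32\helper.dll", "Signed": "true"},
    ]
    lines = ["2025-07-03T10:00:00Z 10.0.0.5 aar.gandhibludtric.com",
             "2025-07-03T10:00:01Z 10.0.0.5 updates.example.com"]
    print([is_sideload_candidate(e) for e in events], proxy_hits(lines))
```

The sideloading heuristic is deliberately broad and will fire on benign plugin loads; in practice it is paired with an allow-list of known-good DLL hashes.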
Attribution and Security Response
Based on overlaps in tactics, techniques, procedures, staging patterns, infrastructure, and malware, Darktrace researchers assessed with “moderate confidence” that the observed activity was consistent with Salt Typhoon, also known as Earth Estries. This group has been tracked by other security vendors under names including GhostEmperor and UNC2286, with extensive documentation of their operations.
The Dutch National Cyber Security Centre had previously warned about likely mass exploitation of some of the vulnerabilities used in this attack chain. Fortunately, according to Darktrace’s detailed analysis, the security platform identified and stopped the intrusion before it escalated beyond the early stages, resulting in minimal dwell time for the attackers.
This incident highlights ongoing geopolitical tensions in cyberspace and the continuing challenge of securing critical infrastructure against determined state-sponsored threat actors. The telecommunications sector remains a high-value target for intelligence collection due to the vast amounts of metadata and communications passing through these networks.