Salt Typhoon Leveraging Zero-Day Exploits and DLL Sideloading Techniques Against Organizations

Salt Typhoon, a China-linked advanced persistent threat (APT) group noted for its technical sophistication and for keeping access to victim networks over long periods, continues to expand its global cyber-espionage campaigns.

Also tracked as Earth Estries, GhostEmperor, and UNC2286, the group has intensified its intrusions into telecommunications, energy, and government networks, combining exploits against internet-facing appliances, including zero-days, with stealth techniques such as DLL sideloading.

Exploitation and Initial Access

According to Darktrace, the recent activity attributed to Salt Typhoon began with the exploitation of a Citrix NetScaler Gateway appliance, which gave the attackers a foothold in a European telecommunications network.

From there they pivoted to Citrix Virtual Delivery Agent (VDA) hosts on the Machine Creation Services subnet, routing their traffic through SoftEther VPN endpoints to obscure its origin.

Because the VPN exits hid the attackers' real infrastructure, the intrusion could sustain reconnaissance and lateral movement inside the environment without presenting defenders an obvious external source to block.

Trend Micro's research on Earth Estries corroborates these access patterns: the group routinely exploits vulnerabilities in public-facing products such as Ivanti Connect Secure, Fortinet FortiClient EMS, and Sophos Firewall for initial access.

Active since at least 2019, the group has used such footholds for remote code execution, privilege escalation, and long-term persistence inside sensitive networks.

Advanced Tooling and Command Framework

A key element of the group's toolkit is the SNAPPYBEE backdoor, also known as Deed RAT, which Darktrace observed in the compromised environment being delivered through DLL sideloading.

The attackers placed malicious DLLs beside legitimate antivirus executables, including Norton and IObit Malware Fighter components, so that the trusted, signed binary would load the attacker's library when it started. The payload then runs inside a process with a reputable name and signer, which defeats naive process allowlisting and lowers the chance that signature-based tools flag it; the executable itself is clean, and the DLL sitting next to it is what needs inspecting.
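To hunt for the layout described above, here is an added example (not Darktrace's or Trend Micro's code) that flags DLLs carrying the name of a well-known Windows system library when they sit beside an executable outside the Windows system directories, which is exactly how a WINMM.dll beside a Norton or IObit binary would look. The directory listing, the Norton and IObit paths, and the list of side-load-prone DLL names are constructed assumptions.

```python
"""Hunt for DLL side-loading candidates: a DLL named like a Windows system
library that sits next to an executable outside the system directories.

Added example, not code from Darktrace or Trend Micro. SAMPLE_LISTING is a
constructed directory inventory; walk_host() runs the same check on a live
filesystem.
"""
import os
from pathlib import PureWindowsPath

# DLL names frequently abused for side-loading because many applications
# import them by name. Assumption: a starter list, not an exhaustive one.
SIDELOAD_PRONE_DLLS = {
    "winmm.dll", "version.dll", "dbghelp.dll", "wtsapi32.dll",
    "cryptbase.dll", "userenv.dll", "profapi.dll", "msimg32.dll",
}

# Directories where these names legitimately live.
SYSTEM_DIR_PREFIXES = (
    r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs",
)

# Constructed listing standing in for an endpoint file inventory.
SAMPLE_LISTING = [
    r"C:\Windows\System32\WINMM.dll",                   # legitimate copy
    r"C:\ProgramData\NortonUpdate\NortonSecurity.exe",  # signed AV binary (constructed path)
    r"C:\ProgramData\NortonUpdate\WINMM.dll",           # candidate: system DLL beside it
    r"C:\ProgramData\NortonUpdate\NortonLog.txt",
    r"C:\Users\Public\IMF\IObitMalwareFighter.exe",     # constructed path
    r"C:\Users\Public\IMF\VERSION.dll",                 # candidate
    r"C:\Users\Public\Documents\report.docx",
    r"C:\Temp\loose\WINMM.dll",                         # no executable beside it: not flagged
]


def in_system_dir(directory: str) -> bool:
    """True when the (lower-cased) directory is a Windows system directory."""
    return directory.lower().startswith(SYSTEM_DIR_PREFIXES)


def find_sideload_candidates(paths):
    """Return [(dll_path, sibling_exe_name), ...] for DLLs that carry a
    side-load-prone name, live outside the system directories, and share a
    directory with at least one .exe (the likely host process)."""
    by_dir = {}
    for p in paths:
        wp = PureWindowsPath(p)
        by_dir.setdefault(str(wp.parent).lower(), []).append(wp)

    hits = []
    for directory, files in by_dir.items():
        if in_system_dir(directory):
            continue
        exes = sorted(f.name for f in files if f.suffix.lower() == ".exe")
        if not exes:
            continue
        for f in files:
            if f.name.lower() in SIDELOAD_PRONE_DLLS:
                hits.append((str(f), exes[0]))
    return hits


def walk_host(root="C:\\"):
    """Apply the same check to a live Windows filesystem (not run here)."""
    paths = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith((".dll", ".exe")):
                paths.append(os.path.join(dirpath, name))
    return find_sideload_candidates(paths)


if __name__ == "__main__":
    for dll, exe in find_sideload_candidates(SAMPLE_LISTING):
        print(f"candidate side-load: {dll} (probably loaded by {exe})")
```

Every hit is a lead, not a verdict: the next step is to check the DLL's Authenticode signature and hash, and whether the neighbouring executable actually imports that library. Legitimate software does occasionally ship its own copy of one of these DLLs, so tune the name list to your estate.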

Trend Micro's assessment of Earth Estries places SNAPPYBEE within a broader arsenal that includes the modular GHOSTSPIDER backdoor, which talks to its C2 over TLS and loads additional modules in memory, and MASOL RAT, a backdoor the researchers found on Linux servers.

These implants use custom protocols over HTTP and raw TCP to slip past monitoring tuned to standard traffic, and their C2 infrastructure is tiered and run by separate operator teams, which Trend Micro reads as the mark of a well-organized operation.

Global Threat Landscape and Defensive Implications

Active in more than 80 countries, Salt Typhoon illustrates how state-aligned espionage has taken on an espionage-as-a-service character. Its campaigns have reportedly reached lawful intercept systems and exfiltrated call metadata on millions of subscribers.

Darktrace reports that its behavioral, AI-driven detections surfaced the anomalies that exposed this intrusion, which underlines the value of behavioral analytics over static signatures when the malware hides behind legitimate, signed software.

Because the attackers keep combining abuse of legitimate software with VPN obfuscation, defenders should pair anomaly-based intrusion detection and continuous C2 monitoring with disciplined patch management for every exposed service, above all the edge appliances named above. Watching for DLLs written next to signed executables, and for cleartext HTTP on port 443 of the kind seen in the indicators below, are concrete checks that follow directly from this campaign.

Salt Typhoon exemplifies the need for adaptive security that matches the agility of nation-state adversaries.

Indicators of Compromise (IoCs)

IoC – Type – Description and confidence

89.31.121[.]101 – IP Address – Possible C2 server

hxxp://89.31.121[.]101:443/WINMM.dll – URI – Likely SNAPPYBEE download

b5367820cd32640a2d5e4c3a3c1ceedbbb715be2 – SHA1 – Likely SNAPPYBEE download

hxxp://89.31.121[.]101:443/NortonLog.txt – URI – Likely DLL side-loading activity
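The indicators above, put to work as an added example that is not Darktrace tooling: the script refangs them, then sweeps proxy records and EDR file-hash events for matches. Both published URIs use cleartext HTTP on port 443, so the script also flags that pattern on its own. The IoC text is copied from the list above; the proxy lines, hostnames and hash events are constructed for illustration.

```python
"""Refang the published Salt Typhoon indicators and sweep proxy and EDR
records for them.

Added example, not Darktrace's code. IOC_TEXT is copied from the article;
SAMPLE_PROXY_LOG and SAMPLE_HASH_EVENTS are constructed.
"""
import re

IOC_TEXT = """\
89.31.121[.]101 – IP Address – Possible C2 server
hxxp://89.31.121[.]101:443/WINMM.dll – URI – Likely SNAPPYBEE download
b5367820cd32640a2d5e4c3a3c1ceedbbb715be2 – SHA1 – Likely SNAPPYBEE download
hxxp://89.31.121[.]101:443/NortonLog.txt – URI – Likely DLL side-loading activity
"""

# Constructed proxy lines. Line 4 contains 189.31.121.101, a different
# address that merely contains the IoC as a substring.
SAMPLE_PROXY_LOG = [
    "2025-01-14T08:02:11Z src=10.20.5.17 dst=89.31.121.101:443 GET http://89.31.121.101:443/WINMM.dll 200 211456",
    "2025-01-14T08:02:19Z src=10.20.5.17 dst=142.250.74.46:443 CONNECT www.google.com:443 200 5120",
    "2025-01-14T08:05:40Z src=10.20.5.17 dst=89.31.121.101:443 GET http://89.31.121.101:443/NortonLog.txt 200 88",
    "2025-01-14T09:00:03Z src=10.20.7.3 dst=189.31.121.101:443 CONNECT cdn.example.net:443 200 4096",
]

# Constructed EDR file events; the first carries the published SHA1 in
# upper case, as some products emit it.
SAMPLE_HASH_EVENTS = [
    {"host": "ws-0417", "path": r"C:\ProgramData\NortonUpdate\WINMM.dll",
     "sha1": "B5367820CD32640A2D5E4C3A3C1CEEDBBB715BE2"},
    {"host": "ws-0418", "path": r"C:\Windows\System32\winmm.dll",
     "sha1": "0123456789abcdef0123456789abcdef01234567"},  # placeholder
]


def refang(value: str) -> str:
    """Turn a defanged indicator back into a matchable form."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def parse_iocs(text: str):
    """Return [{'value', 'type', 'desc'}, ...]; the separator may be an
    en dash or a hyphen surrounded by whitespace."""
    iocs = []
    for line in text.splitlines():
        parts = [p.strip() for p in re.split(r"\s[–-]\s", line)]
        if len(parts) != 3:
            continue
        value, kind, desc = parts
        iocs.append({"value": refang(value), "type": kind, "desc": desc})
    return iocs


def match_logs(iocs, lines):
    """Return [(line_no, ioc_type, ioc_value), ...]. IP indicators match
    only on octet boundaries, so 189.31.121.101 is not a hit."""
    hits = []
    for no, line in enumerate(lines, 1):
        for ioc in iocs:
            if ioc["type"] == "IP Address":
                pat = r"(?<![\d.])" + re.escape(ioc["value"]) + r"(?![\d.])"
                if re.search(pat, line):
                    hits.append((no, ioc["type"], ioc["value"]))
            elif ioc["type"] == "URI" and ioc["value"] in line:
                hits.append((no, ioc["type"], ioc["value"]))
    return hits


def match_hashes(iocs, events):
    """Return the EDR events whose SHA1 equals a published hash (case-insensitive)."""
    wanted = {i["value"].lower() for i in iocs if i["type"] == "SHA1"}
    return [e for e in events if e["sha1"].lower() in wanted]


def plaintext_http_on_443(lines):
    """Line numbers where cleartext HTTP is spoken on port 443, the pattern
    both published URIs show."""
    return [no for no, line in enumerate(lines, 1)
            if re.search(r"\bhttp://[^\s]+:443/", line)]


if __name__ == "__main__":
    iocs = parse_iocs(IOC_TEXT)
    for hit in match_logs(iocs, SAMPLE_PROXY_LOG):
        print("proxy hit:", hit)
    for ev in match_hashes(iocs, SAMPLE_HASH_EVENTS):
        print("hash hit:", ev["host"], ev["path"])
    print("cleartext HTTP on 443 at lines:", plaintext_http_on_443(SAMPLE_PROXY_LOG))
```

The boundary check on the IP matters in practice: a plain substring search would also light up on addresses that happen to contain the indicator, and the resulting false positives are what gets IoC sweeps switched off. The cleartext-on-443 check is independent of the indicator list and keeps paying off after the infrastructure rotates.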


Priya
Priya is a Security Reporter who tracks malware campaigns, exploit kits, and ransomware operations. Her reporting highlights technical indicators and attack patterns that matter to defenders.
