China-Linked Salt Typhoon Prepared Attack Infrastructure Targeting Global Telecoms

In May 2025, infrastructure linked to Salt Typhoon, a China-based threat group associated with the Ministry of State Security (MSS), was observed being staged to target telecom networks across Europe. Months later, the same infrastructure was confirmed in active use during an intrusion involving a Citrix NetScaler Gateway vulnerability.

Severity: High

Threat Actor Profile

  • Group Name: Salt Typhoon
  • Aliases: GhostEmperor, FamousSparrow, Earth Estries, UNC2286
  • Attribution: People’s Republic of China (PRC), Ministry of State Security (MSS)
  • Motivations: Cyber-espionage, geopolitical surveillance, long-term persistence
  • Target Sectors: Telecommunications, critical infrastructure, government, defense
  • Regions Targeted: U.S., EMEA, APAC (over 80 countries confirmed)

Threat Details

  1. Initial Access: The group exploited a vulnerability in Citrix NetScaler Gateway to gain access to externally facing assets. The vulnerability provided a reliable entry point into telecom infrastructure, consistent with Salt Typhoon’s previous campaigns.
  2. Payload Delivery: Following exploitation, a custom backdoor was transferred into the environment using standard ingress tool transfer techniques, allowing further post-exploitation activities.
  3. Execution: The malware was executed through DLL side-loading via legitimate antivirus software (such as Norton Antivirus, Bkav Antivirus, and IObit Malware Fighter) to evade detection.
  4. Command and Control:
    • HTTP POST requests were used for initial beaconing, carrying Internet Explorer user-agent strings and a consistent URI pattern (e.g., /17ABE7F017ABE7F0).
    • A custom TCP protocol was employed for ongoing C2 traffic, operating outside of standard application protocols and making inspection and detection more challenging.
    • C2 traffic was transmitted over TCP port 443 but notably without encryption, giving the appearance of legitimate HTTPS on the port while leaving nothing for SSL/TLS decryption tools to inspect.
    • SoftEther VPN was deployed to mask the origin and destination of C2 traffic.

Infrastructure Observations

A key domain used during the campaign, aar[.]gandhibludtric[.]com, resolved to 38.54.63[.]75 between May 5 and June 5, 2025, suggesting prepositioning activity well before the intrusion was operationalized. The infrastructure was hosted on LightNode VPS, a provider previously linked to APT-related activity.

MITRE ATT&CK

Tactic                                                | Technique                           | ID
Initial Access                                        | Exploit Public-Facing Application   | T1190
Command and Control                                   | Ingress Tool Transfer               | T1105
Command and Control                                   | Hide Infrastructure                 | T1665
Persistence, Privilege Escalation, Defense Evasion    | Hijack Execution Flow: DLL          | T1574.001
Command and Control                                   | Non-Application Layer Protocol      | T1095
Command and Control                                   | Web Protocols (HTTP/S)              | T1071.001
Command and Control                                   | Non-Standard Port                   | T1571

Recommendations

  1. Immediately patch and continuously monitor edge devices and public-facing applications such as Citrix NetScaler Gateway, which are common initial access vectors for Salt Typhoon.
  2. Monitor for unusual HTTP POST traffic, especially requests using legacy user agents such as Internet Explorer and unusual URI patterns such as /17ABE7F017ABE7F0.
  3. Limit lateral movement by ensuring users and applications have only the minimum permissions necessary, especially on sensitive hosts such as Citrix VDA hosts.
  4. Block the IOCs at their respective controls. The indicator collection is available at:
    https://www.virustotal.com/gui/collection/5182e02550ed8edb4923cda630cd228d4937b67353a7b5a9f0e3cf3d399a423a/iocs
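As an added detection example (not code from the advisory), the following Python flags the three C2 characteristics described in the Threat Details and in recommendation 2 (legacy IE user agent on POST, the fixed beacon URI, plaintext on TCP/443) across sample proxy log lines. The log line format, field names, and sample lines are assumed or constructed; only the indicators themselves come from the advisory.

```python
import re

# Indicators from the advisory: IE user-agent strings on POSTs, the fixed
# beacon URI, and unencrypted traffic to TCP/443.
IE_UA_RE = re.compile(r"MSIE \d|Trident/\d")
BEACON_URI = "/17ABE7F017ABE7F0"

# Assumed proxy/NSM line format (not a real product format):
# <ts> <src_ip> <dst_ip>:<dst_port> <method> <uri> "<user-agent>" tls=<yes|no>
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+):(?P<dport>\d+) '
    r'(?P<method>[A-Z]+) (?P<uri>\S+) "(?P<ua>[^"]*)" tls=(?P<tls>yes|no)$'
)

# Constructed sample log lines (not real telemetry); only the first two
# should raise alerts, the last two are ordinary browsing/API traffic.
SAMPLE_LOGS = [
    '2025-06-03T10:02:11Z 10.0.5.12 38.54.63.75:443 POST /17ABE7F017ABE7F0 '
    '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)" tls=no',
    '2025-06-03T10:03:40Z 10.0.5.13 198.51.100.21:443 POST /login '
    '"Mozilla/4.0 (compatible; MSIE 8.0; Trident/4.0)" tls=yes',
    '2025-06-03T10:05:02Z 10.0.5.14 198.51.100.20:80 POST /api/upload '
    '"Mozilla/5.0 (Windows NT 10.0) Firefox/126.0" tls=no',
    '2025-06-03T10:06:15Z 10.0.5.15 203.0.113.8:443 GET /index.html '
    '"Mozilla/5.0 (Windows NT 10.0) Chrome/124.0" tls=yes',
]


def check_record(rec):
    # Return every advisory-derived reason a parsed record looks like C2.
    reasons = []
    if rec["method"] == "POST" and IE_UA_RE.search(rec["ua"]):
        reasons.append("legacy IE user-agent on HTTP POST")
    if rec["uri"] == BEACON_URI:
        reasons.append("known beacon URI")
    # Port 443 with no TLS handshake: the custom protocol borrows the port
    # but never encrypts, so decryption appliances have nothing to inspect.
    if rec["dport"] == "443" and rec["tls"] == "no":
        reasons.append("plaintext traffic on TCP/443")
    return reasons


def detect_beacons(lines):
    # Parse each line and emit one alert per line matching any indicator.
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:  # skip malformed lines instead of aborting the pipeline
            continue
        rec = m.groupdict()
        reasons = check_record(rec)
        if reasons:
            alerts.append({"src": rec["src"], "dst": rec["dst"], "reasons": reasons})
    return alerts
```

A single hit on the legacy user agent alone is low confidence on its own; the first sample line, which matches all three indicators to the advisory's resolved IP, is the pattern worth escalating.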


Ampcus Cyber