In May 2025, infrastructure linked to Salt Typhoon, a China-based threat group associated with the Ministry of State Security (MSS), was observed in preparation for targeting telecom networks across Europe. Months later, the same infrastructure was confirmed in active use during an intrusion involving a Citrix NetScaler Gateway vulnerability.
Severity: High
Threat Actor Profile
- Group Name: Salt Typhoon
- Aliases: GhostEmperor, FamousSparrow, Earth Estries, UNC2286
- Attribution: People’s Republic of China (PRC), Ministry of State Security (MSS)
- Motivations: Cyber-espionage, geopolitical surveillance, long-term persistence
- Target Sectors: Telecommunications, critical infrastructure, government, defense
- Regions Targeted: U.S., EMEA, APAC – Over 80 countries confirmed
Threat Details
- Initial Access: The group exploited a vulnerability in Citrix NetScaler Gateway to gain access to externally facing assets. The vulnerability provided a reliable entry point into telecom infrastructure, consistent with Salt Typhoon’s previous campaigns.
- Payload Delivery: Following exploitation, a custom backdoor was transferred into the environment using standard ingress tool transfer techniques, allowing further post-exploitation activities.
- Execution: The malware was executed through DLL side-loading via legitimate antivirus software (such as Norton Antivirus, Bkav Antivirus, and IObit Malware Fighter) to evade detection.
- Command and Control:
  - HTTP POST requests were used for initial beaconing, embedded with Internet Explorer user-agent strings and consistent URI patterns (e.g., /17ABE7F017ABE7F0).
  - A custom TCP protocol was employed for ongoing C2 traffic, operating outside of standard application protocols and making inspection & detection more challenging.
  - C2 traffic was transmitted over TCP port 443 but notably without encryption, mimicking legitimate HTTPS behavior while evading SSL/TLS decryption tools.
  - SoftEther VPN was deployed to mask the origin and destination of C2 traffic.
Infrastructure Observations
A key domain used during the campaign, aar[.]gandhibludtric[.]com, resolved to 38.54.63[.]75 between May 5 and June 5, 2025, suggesting prepositioning activity well before the intrusion was operationalized. The infrastructure was hosted on LightNode VPS, a provider previously linked to APT-related activity.
MITRE ATT&CK
| Tactic | Technique | ID |
| --- | --- | --- |
| Initial Access | Exploit Public-Facing Application | T1190 |
| Command and Control | Ingress Tool Transfer | T1105 |
| Command and Control | Hide Infrastructure | T1665 |
| Persistence, Privilege Escalation, Defense Evasion | Hijack Execution Flow: DLL | T1574.001 |
| Command and Control | Non-Application Layer Protocol | T1095 |
| Command and Control | Web Protocols (HTTP/S) | T1071.001 |
| Command and Control | Non-Standard Port | T1571 |
Recommendations
- Immediately patch and continuously monitor edge devices and public-facing applications like Citrix NetScaler Gateway, which are common initial access vectors for Salt Typhoon.
- Monitor for unusual HTTP POST traffic, especially those using legacy user agents like Internet Explorer and unusual URI patterns like /17ABE7F017ABE7F0.
- Limit lateral movement by ensuring users and applications only have the minimum permissions necessary, especially on sensitive hosts like Citrix VDA hosts.
- Block the IOCs at their respective controls. The full indicator set is published in the following VirusTotal collection:
https://www.virustotal.com/gui/collection/5182e02550ed8edb4923cda630cd228d4937b67353a7b5a9f0e3cf3d399a423a/iocs
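As an added example (not from the advisory or either cited source), the following Python detection pass applies the indicators above to constructed JSON-lines HTTP proxy events: the known domain, IP and beacon URI, a heuristic for POSTs with a legacy Internet Explorer user-agent to a bare 16-hex-character path, and unencrypted HTTP seen on TCP/443. The JSON field names, the sample events and the 16-hex-path heuristic are assumptions.

```python
import json
import re
from typing import Dict, List

# Indicators from the advisory (defanged in the text, un-defanged here for matching).
IOC_DOMAIN = "aar.gandhibludtric.com"
IOC_IP = "38.54.63.75"
IOC_URI = "/17ABE7F017ABE7F0"

# Heuristic (assumption, not stated in the advisory): the observed beacon URI is a bare
# root path of 16 upper-case hex characters, so flag that shape with a legacy IE UA.
HEX16_PATH = re.compile(r"^/[0-9A-F]{16}$")
LEGACY_IE_UA = re.compile(r"MSIE \d|Trident/")

def score_event(ev: Dict) -> List[str]:
    """Return the detection reasons that fire for one parsed HTTP event (empty if benign)."""
    reasons = []
    if ev.get("host", "").lower() == IOC_DOMAIN or ev.get("dst_ip") == IOC_IP:
        reasons.append("known Salt Typhoon C2 infrastructure")
    if ev.get("uri") == IOC_URI:
        reasons.append("known beacon URI")
    elif (ev.get("method") == "POST" and HEX16_PATH.match(ev.get("uri", ""))
          and LEGACY_IE_UA.search(ev.get("user_agent", ""))):
        reasons.append("POST with legacy IE user-agent to 16-hex root path (heuristic)")
    # Assumes the sensor only emits a parsed HTTP event when it saw plaintext HTTP, so a
    # parsed method on destination port 443 means the session was not TLS-encrypted.
    if ev.get("dst_port") == 443 and ev.get("method"):
        reasons.append("unencrypted HTTP on TCP/443")
    return reasons

def scan(log_lines) -> List[tuple]:
    """Parse JSON-lines HTTP events and return (src_ip, uri, reasons) for each hit."""
    hits = []
    for line in log_lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        reasons = score_event(ev)
        if reasons:
            hits.append((ev["src_ip"], ev.get("uri"), reasons))
    return hits

# Constructed sample events (not real logs): one beacon, one ordinary POST, one benign GET.
SAMPLE_LOG = """
{"ts":"2025-06-01T02:14:07Z","src_ip":"10.20.5.17","dst_ip":"38.54.63.75","dst_port":443,"method":"POST","host":"aar.gandhibludtric.com","uri":"/17ABE7F017ABE7F0","user_agent":"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"}
{"ts":"2025-06-01T02:15:11Z","src_ip":"10.20.5.18","dst_ip":"203.0.113.9","dst_port":80,"method":"POST","host":"updates.example.net","uri":"/api/report","user_agent":"Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"}
{"ts":"2025-06-01T02:16:40Z","src_ip":"10.20.5.19","dst_ip":"203.0.113.10","dst_port":80,"method":"GET","host":"intranet.example.net","uri":"/","user_agent":"Mozilla/5.0"}
"""

if __name__ == "__main__":
    for src, uri, reasons in scan(SAMPLE_LOG.splitlines()):
        print(src, uri, "; ".join(reasons))
```

Only the first constructed event fires; the plaintext-on-443 rule will be noisy on networks where the proxy already terminates TLS, so scope it to sensors that see raw traffic.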
Source:
- https://www.darktrace.com/blog/salty-much-darktraces-view-on-a-recent-salt-typhoon-intrusion
- https://www.silentpush.com/blog/detecting-salt-typhoon/