Concise Cyber

European Telecom Network Breached by Salt Typhoon via Citrix Flaw and Snappybee Malware

A European telecommunications organization was the target of a cyberattack executed by a threat actor associated with Salt Typhoon, a China-nexus cyber espionage group. According to a report from Darktrace, the breach occurred during the first week of July 2025. The attackers successfully gained initial access to the network by exploiting a vulnerability in a Citrix NetScaler Gateway appliance.

Attack Details and Initial Access

The primary vector for the intrusion was the exploitation of a security flaw in the victim’s Citrix edge device. This allowed the threat actors to establish a foothold within the telecommunications network. Following the initial compromise, the attackers deployed the Snappybee malware to further their objectives. The incident highlights a continued pattern of threat actors targeting internet-facing infrastructure to infiltrate corporate and government networks. The attack was identified and analyzed by the cybersecurity firm Darktrace, which attributed the activity to the Salt Typhoon group.

Threat Actor Profile: Salt Typhoon

Salt Typhoon, an advanced persistent threat (APT) group, is also known by several other names, including Earth Estries, FamousSparrow, GhostEmperor, and UNC5807. Believed to have ties to China, the group has been active since at least 2019. Salt Typhoon gained significant attention for previous campaigns targeting telecommunications service providers, energy networks, and government systems, particularly within the United States. The adversary is known for its proficiency in exploiting security flaws in edge devices, maintaining long-term, deep persistence within compromised networks, and exfiltrating sensitive data. The group’s operational reach is extensive, having targeted victims in more than 80 countries across North America, Europe, the Middle East, and Africa.

All articles are written here with the help of AI on the basis of openly available information which cannot be independently verified. We do strive to quote the relevant sources. The intent is only to summarise what is already reported in public forums in our own words, with no intention to plagiarise or copy another person’s work. The publisher has no intent to defame or cause offence to anyone, any person or any organisation at any moment. The publisher assumes no responsibility for any damage or loss caused by making decisions on the basis of whatever is published on cyberconcise.com. You’re advised to do your own checks and balances before making any decision, and owners and publishers at cyberconcise.com cannot be held accountable for its resulting ramifications. If you have any objections or concerns, or wish to point out anything factually incorrect, please reach out using the form on https://concisecyber.com/about/
