Overview
- Darktrace reported that attackers used a Citrix NetScaler Gateway exploit in early July 2025 to enter a European telecommunications network.
- After initial access, the intruders pivoted to Citrix Virtual Delivery Agent hosts in the Machine Creation Services subnet for lateral movement.
- The operators deployed the SNAPPYBEE (Deed RAT) backdoor via DLL sideloading: malicious DLLs were dropped alongside legitimate antivirus executables from Norton, Bkav and IObit so that the trusted vendor binary loaded the attacker's code when it started.
- Command-and-control traffic used HTTP and an unidentified TCP protocol through LightNode VPS infrastructure, with domains including aar.gandhibludtric[.]com previously tied to the same threat actor; initial activity appeared to originate from SoftEther VPN infrastructure.
- Darktrace assessed the operation as consistent with the China-linked Salt Typhoon group and said the intrusion was contained before deeper compromise; Western agencies have linked the group to prior theft of call records and access to lawful intercept systems.
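The sideloading technique in the bullets above (a legitimate vendor executable loading an attacker DLL placed in its own directory) is detectable from image-load telemetry without knowing the specific DLL names involved. The following is an added example, not Darktrace's or any vendor's code: it triages constructed image-load records (the paths, vendor names and signer strings are hypothetical placeholders, not indicators from the reported intrusion) and flags same-directory DLL loads whose Authenticode signer does not match the loading executable's signer, escalating when the "vendor" binary itself runs from outside standard install paths. In practice the records would come from Sysmon Event ID 7 or equivalent EDR image-load events.

```python
"""Sideloading triage over image-load records.

Added example, not code from the original report. Flags a DLL loaded from the
same directory as the loading executable when the DLL is unsigned or signed by
a different publisher than the executable, which is the shape a DLL-sideloading
attack takes. All records below are constructed; the vendor names, paths and
signer strings are hypothetical.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ImageLoad:
    process: str                    # full path of the loading executable
    image: str                      # full path of the loaded DLL
    process_signer: Optional[str]   # Authenticode subject of the EXE, None if unsigned
    image_signer: Optional[str]     # Authenticode subject of the DLL, None if unsigned


# Directories from which signed vendor binaries are normally installed (assumption:
# a typical Windows layout; extend for your estate).
TRUSTED_DIRS = ("c:\\program files", "c:\\program files (x86)", "c:\\windows")


def _norm(path: str) -> PureWindowsPath:
    """Case-fold a Windows path so comparisons ignore case differences."""
    return PureWindowsPath(path.lower())


def in_trusted_dir(path: str) -> bool:
    """True if the executable lives under a standard install directory."""
    return str(_norm(path)).startswith(TRUSTED_DIRS)


def classify(load: ImageLoad) -> Optional[str]:
    """Return a finding label, or None if the load looks benign."""
    exe, dll = _norm(load.process), _norm(load.image)
    # Only same-directory loads are sideload candidates; a Program Files binary
    # loading system DLLs from System32 is normal and is ignored here.
    if exe.parent != dll.parent:
        return None
    if load.process_signer and not load.image_signer:
        return "unsigned DLL loaded from directory of signed executable"
    if load.process_signer and load.image_signer and load.process_signer != load.image_signer:
        return "signer mismatch between executable and same-directory DLL"
    return None


def triage(loads: List[ImageLoad]) -> List[Tuple[str, str, str]]:
    """Return (process, image, label) for every suspicious load, in input order."""
    findings = []
    for load in loads:
        label = classify(load)
        if label is None:
            continue
        # A vendor binary copied to a writable location such as ProgramData or a
        # temp folder is the usual staging pattern for sideloading; escalate it.
        if not in_trusted_dir(load.process):
            label += "; executable running outside standard install directories"
        findings.append((load.process, load.image, label))
    return findings


# Constructed sample telemetry (hypothetical vendor "Example AV Vendor").
SAMPLE_LOADS = [
    # Benign: signed AV binary loading a Microsoft system DLL from System32.
    ImageLoad(r"C:\Program Files\ExampleAV\exampleav.exe",
              r"C:\Windows\System32\kernel32.dll",
              "Example AV Vendor", "Microsoft Windows"),
    # Benign: signed AV binary loading its own signed helper DLL.
    ImageLoad(r"C:\Program Files\ExampleAV\exampleav.exe",
              r"C:\Program Files\ExampleAV\helper.dll",
              "Example AV Vendor", "Example AV Vendor"),
    # Suspicious: AV binary copied to ProgramData loading an unsigned same-dir DLL.
    ImageLoad(r"C:\ProgramData\Updater\exampleav.exe",
              r"C:\ProgramData\Updater\helper.dll",
              "Example AV Vendor", None),
    # Suspicious: in-place AV binary loading a same-dir DLL signed by someone else.
    ImageLoad(r"C:\Program Files\ExampleAV\exampleav.exe",
              r"C:\Program Files\ExampleAV\plugin.dll",
              "Example AV Vendor", "Some Other Publisher"),
]

if __name__ == "__main__":
    for process, image, label in triage(SAMPLE_LOADS):
        print(f"{label}\n  exe: {process}\n  dll: {image}")
```

The signer comparison is a triage heuristic rather than a blocking rule: legitimate software does load third-party redistributables and plugins signed by other publishers from its own folder, so the output is a hunt queue to be checked against a software inventory, with the "outside standard install directories" escalation being the higher-confidence signal.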