Particle.news

Darktrace: Salt Typhoon Used Citrix Flaw in Attempted European Telco Breach

The company says its platform contained the activity with no dwell time, underscoring persistent edge‑device exploitation risks.

Overview

  • Darktrace reported that attackers exploited a Citrix NetScaler Gateway in the first week of July 2025 to gain initial access to a European telecommunications network.
  • Following entry, the intruders pivoted to Citrix Virtual Delivery Agent hosts in the Machine Creation Services subnet and obscured their origin via infrastructure linked to the SoftEther VPN service.
  • The SNAPPYBEE (aka Deed RAT) backdoor was deployed through DLL sideloading by pairing malicious libraries with legitimate antivirus executables from Norton, Bkav and IObit.
  • Command‑and‑control relied on LightNode VPS endpoints over HTTP and an unidentified TCP protocol, including traffic to aar.gandhibludtric[.]com that threat intelligence has associated with Salt Typhoon.
  • Darktrace assessed the activity as consistent with Salt Typhoon with moderate confidence and said the intrusion was remediated before it could escalate; officials have previously tied the group to large‑scale espionage against telecom providers.