Overview
- Attackers exploited a Citrix NetScaler Gateway in early July to gain initial access, then pivoted to Citrix Virtual Delivery Agent hosts in the telecom’s MCS subnet.
- The intruders deployed the SNAPPYBEE (Deed RAT) backdoor via DLL sideloading by pairing malicious DLLs with legitimate antivirus executables including Norton, Bkav and IObit.
- Command-and-control traffic used HTTP and an unidentified TCP protocol and contacted aar.gandhibludtric[.]com, which threat intelligence previously linked to Salt Typhoon.
- Darktrace reports the activity was detected and remediated before escalation, with the company stating there was no dwell time.
- The intrusion matches a broader pattern of the China-linked group targeting telecoms and abusing edge-device flaws, with prior US cases involving theft of call records and intercepted communications.
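To make the two detection opportunities in the points above concrete (a known antivirus executable loading a DLL from an unexpected or unsigned location, and outbound contact with the C2 domain named in the report), here is an added Python example. It is illustrative code written for this summary, not Darktrace's detection logic or anything from the report. The Sysmon-style JSON events, the field names, the host and file paths, and the DLL file names are all constructed assumptions; only the C2 domain and the three vendor names come from the points above.

```python
"""Added example: flag DLL sideloading via known AV executables and contact with
the reported C2 domain, over constructed Sysmon-style JSON events.
Field names, paths and sample events are assumptions for illustration."""
import json
import os
from typing import Iterable

# Legitimate AV executables cited as sideloading hosts (assumed file names).
SIDELOAD_HOSTS = {"norton.exe", "bkav.exe", "iobit.exe"}

# Directories where a vendor binary and its DLLs normally live (assumed);
# a DLL loaded from anywhere else by one of those hosts is suspicious.
TRUSTED_DIRS = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\system32\\",
)

# C2 domain from the report, defanged on the page; refanged here for matching.
C2_DOMAINS = {"aar.gandhibludtric[.]com".replace("[.]", ".")}


def _basename(path: str) -> str:
    """Case-insensitive file name from a Windows path (works on non-Windows hosts)."""
    return os.path.basename(path.replace("\\", "/")).lower()


def is_sideload(event: dict) -> bool:
    """True when a known AV executable loads a DLL from outside the trusted
    directories, or loads a DLL that is not signed. Either is the sideload shape."""
    if event.get("type") != "image_load":
        return False
    if _basename(event["image"]) not in SIDELOAD_HOSTS:
        return False
    dll = event["loaded"].lower()
    in_trusted = dll.startswith(TRUSTED_DIRS)
    signed = bool(event.get("signed", False))
    return (not in_trusted) or (not signed)


def is_c2_contact(event: dict) -> bool:
    """True when a network event's destination is the reported C2 domain."""
    if event.get("type") != "network":
        return False
    return event.get("dest_host", "").lower() in C2_DOMAINS


def triage(lines: Iterable[str]) -> list[dict]:
    """Run both rules over JSON log lines and return one finding per hit."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        if is_sideload(ev):
            findings.append({"rule": "dll_sideload", "host": ev["host"],
                             "image": ev["image"], "loaded": ev["loaded"]})
        elif is_c2_contact(ev):
            findings.append({"rule": "c2_contact", "host": ev["host"],
                             "dest": ev["dest_host"]})
    return findings


# Constructed sample events (not real telemetry): a benign load, a sideload from a
# user-writable copy of the AV binary, an unsigned plugin load, a C2 contact, and
# a benign update check.
SAMPLE_LOG = [json.dumps(e) for e in [
    {"type": "image_load", "host": "vda-01", "image": "C:\\Program Files\\Norton\\norton.exe",
     "loaded": "C:\\Program Files\\Norton\\nortonui.dll", "signed": True},
    {"type": "image_load", "host": "vda-01", "image": "C:\\Users\\Public\\nu\\norton.exe",
     "loaded": "C:\\Users\\Public\\nu\\helper.dll", "signed": False},
    {"type": "image_load", "host": "vda-02", "image": "C:\\Program Files\\Bkav\\bkav.exe",
     "loaded": "C:\\Program Files\\Bkav\\plugin.dll", "signed": False},
    {"type": "network", "host": "vda-02", "dest_host": "aar.gandhibludtric.com", "dest_port": 80},
    {"type": "network", "host": "vda-03", "dest_host": "updates.example.com", "dest_port": 443},
]]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

The sideload rule deliberately fires on either condition alone: a vendor executable copied into a user-writable directory is suspicious even if the DLL beside it happens to be signed, and an unsigned DLL loaded from the vendor's own directory is suspicious even though the path looks normal. In production the path allow-list and signer check would come from the endpoint agent's own fields rather than a boolean, and the domain set would be fed from threat intelligence rather than hard-coded.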