Salt Typhoon APT Targets Global Telecom and Energy Sectors, Says Darktrace

The China-linked Salt Typhoon APT group attacked a European telecom via a Citrix NetScaler vulnerability in July 2025, Darktrace reports. This follows past US Army and telecom breaches.

HackRead

A group of state-sponsored (APT) actors, known as Salt Typhoon, remains a significant threat to networks across the globe, reveals the latest report from cybersecurity research firm Darktrace.

According to the company’s analysis, shared with Hackread.com, the hackers, who are believed to be linked to the People’s Republic of China (PRC), are still finding new ways to breach critical infrastructure.

**Salt Typhoon**

Active since at least 2019, Salt Typhoon is an espionage group that targets crucial services, including telecommunications providers, energy networks, and government systems, across over 80 countries.

This group, also tracked under aliases such as Earth Estries and GhostEmperor, consists of experts in stealth who use custom tools and newly discovered software vulnerabilities, including zero-day exploits, to maintain long-term network access.

As previously reported by Hackread.com, the group has executed high-impact breaches; in late 2024, they infiltrated a US state’s Army National Guard network for nearly a year. Furthermore, the FBI and Canada’s Cyber Centre warned in June 2025 that the group consistently targets global telecom networks, including major US companies like AT&T, Verizon, and T-Mobile, highlighting the strategic nature of their campaigns.

**Inside the July 2025 Intrusion**

According to Darktrace’s blog post, it recently observed one of Salt Typhoon’s intrusion attempts against a European telecommunications organisation. The attack likely began in the first week of July 2025 by exploiting a Citrix NetScaler Gateway appliance.

The attackers then moved to internal hosts used for virtual desktops (Citrix Virtual Delivery Agent (VDA) hosts), using an entry point possibly linked to a SoftEther VPN service to conceal their tracks.

The attackers delivered a malicious backdoor, called SNAPPYBEE (aka Deed RAT), to these internal machines using a technique called DLL sideloading. This method involves hiding their payload inside legitimate, trusted software, including antivirus programs like Norton Antivirus or Bkav Antivirus, to bypass traditional security checks.
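As an added, defender-side illustration (not part of the Darktrace report or this article), the following Python sketch applies the sideloading pattern described above to a few constructed image-load records: a signed host binary loading an unsigned DLL from its own, non-standard directory. Vendor names, paths and file names are placeholders, not indicators from the intrusion.

```python
"""Hunt for the DLL-sideloading shape in image-load telemetry (constructed sample)."""
from pathlib import PureWindowsPath

# Install roots where a legitimately deployed product is expected to live.
TRUSTED_ROOTS = ("c:/program files/", "c:/program files (x86)/", "c:/windows/")


def _posix(path: str) -> str:
    # Normalise a Windows path to lowercase forward-slash form for comparison.
    return PureWindowsPath(path).as_posix().lower()


def is_sideload_candidate(ev: dict) -> bool:
    """A signed host binary loading a DLL from its own directory, where the DLL
    is unsigned or signed by a different party, and that directory is not a
    normal install root: the classic DLL-sideloading shape."""
    exe, dll = _posix(ev["image"]), _posix(ev["loaded_dll"])
    same_dir = exe.rsplit("/", 1)[0] == dll.rsplit("/", 1)[0]
    trusted_dll = ev["dll_signed"] and ev["dll_signer"] == ev["image_signer"]
    in_install_root = exe.startswith(TRUSTED_ROOTS)
    return ev["image_signed"] and same_dir and not trusted_dll and not in_install_root


def hunt(events):
    """Return (process image, DLL path) pairs worth an analyst's attention."""
    return [(ev["image"], ev["loaded_dll"]) for ev in events if is_sideload_candidate(ev)]


# Constructed image-load events (hypothetical vendor and file names, not IoCs).
SAMPLE_EVENTS = [
    # Normal: signed AV binary in Program Files loading its own signed DLL.
    {"image": r"C:\Program Files\ExampleAV\avscan.exe", "image_signed": True,
     "image_signer": "Example AV Ltd", "loaded_dll": r"C:\Program Files\ExampleAV\avcore.dll",
     "dll_signed": True, "dll_signer": "Example AV Ltd"},
    # Normal: the same binary loading an OS DLL from System32.
    {"image": r"C:\Program Files\ExampleAV\avscan.exe", "image_signed": True,
     "image_signer": "Example AV Ltd", "loaded_dll": r"C:\Windows\System32\kernel32.dll",
     "dll_signed": True, "dll_signer": "Microsoft Windows"},
    # Suspicious: a copy of the signed AV binary in a user-writable folder
    # loads an unsigned DLL placed beside it.
    {"image": r"C:\Users\Public\Libraries\avscan.exe", "image_signed": True,
     "image_signer": "Example AV Ltd", "loaded_dll": r"C:\Users\Public\Libraries\avcore.dll",
     "dll_signed": False, "dll_signer": None},
]

if __name__ == "__main__":
    for image, dll in hunt(SAMPLE_EVENTS):
        print(f"possible DLL sideloading: {image} loaded {dll}")
```

Real telemetry (e.g. Sysmon image-load events) carries these same fields, so the heuristic can be fed from a SIEM export instead of the constructed list.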

Once installed, the backdoor contacted external servers (LightNode VPS endpoints) for instructions using a dual-channel setup to further evade detection.

**Timely Detection is the New Defence Strategy**

Fortunately, the intrusion was identified and stopped before it could fully escalate. Darktrace’s anomaly-based detection (Cyber AI Analyst) constantly looks for tiny deviations in normal network activity, flagging the attack in its very early stages.

Cyber AI Analyst summarising the attacker’s progression (Source: Darktrace)

The firm stated that “Salt Typhoon continues to challenge defenders with its stealth, persistence, and abuse of legitimate tools,” reinforcing why checking for unusual network behaviour is essential. Therefore, organisations must move beyond simply checking against a list of known threats (signature matching) and instead focus on spotting the subtle actions of invisible enemies.

Neil Pathare, Associate Principal Consultant at Black Duck, a Burlington, Massachusetts-based provider of application security solutions, said that moving beyond signature-based detection is essential when addressing intrusion activity.

He added that security teams should apply a zero-trust model for continuous verification and maintain constant monitoring for unusual processes or suspicious behaviour across peripheral devices and specialised network appliances. According to Pathare, this approach helps maintain trust in software and allows organisations to drive innovation confidently amid increasing risks.
