Business Honor
22 October, 2025
China-linked group targets European telecom using advanced Citrix vulnerabilities and stealth tactics
A China-based cyber espionage group called Salt Typhoon (also monitored under the names Earth Estries, GhostEmperor, UNC2286) has taken advantage of a devastating flaw in a Citrix NetScaler Gateway appliance to compromise a European telecommunications organization, cybersecurity analysts disclosed.
According to independent investigations by Darktrace, the attack chain initiated in July 2025 when the threat actors leveraged the Citrix NetScaler Gateway weakness. From there they moved laterally into Citrix Virtual Delivery Agent (VDA) hosts within the company’s network. The first intrusion was preceded by the dropping of the SNAPPYBEE (or Deed RAT) backdoor through DLL sideloading – where real antivirus executables like Norton, Bkav and IObit were co-opted to run malicious code masquerading as trusted software. Salt Typhoon has an operational history dating back to at least 2019 and has a presence across telecommunications, energy and government sectors in over 80 nations. The modus operandi of the group is characterized by profound persistence, stealthy tactics and sophisticated evasion techniques — all of which were evident in this incident.
"This breach serves to underscore the value of active defence, wherein anomaly-based detections — and not merely signature matching — come into play," Darktrace said. The Citrix NetScaler vulnerabilities (such as CVE-2025-5777, CVE-2025-6543, CVE-2025-7775 and more) have been rated as critical, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added them to its Known Exploited Vulnerabilities catalog. Experts advise that organizations that use Citrix edge appliances need to be proactive about patching and monitor for unusual activity.
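The DLL sideloading described above (a legitimate, signed antivirus executable made to load an attacker-supplied DLL) is the kind of behaviour that anomaly-based monitoring, rather than signature matching, catches. The following is an added example, not code from the article or from Darktrace, of a triage rule a defender could run over image-load telemetry (Sysmon-style process/DLL load records). All file paths, vendor names and event records in it are constructed for illustration; the heuristics (unsigned DLL beside a signed host binary, host running outside standard install paths, DLL in a user-writable directory) are combined so that a lone unsigned plugin in Program Files does not fire an alert on its own.

```python
"""Flag likely DLL sideloading from image-load telemetry.

Added example with constructed sample data; not the article's or Darktrace's code.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories where a signed vendor executable is normally installed.
TRUSTED_DIRS = (
    "c:\\windows\\system32",
    "c:\\windows\\syswow64",
    "c:\\program files",
    "c:\\program files (x86)",
)

# Locations an unprivileged user (or a dropped payload) can write to.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# How many independent indicators must coincide before we raise an alert.
ALERT_THRESHOLD = 2


@dataclass
class ImageLoad:
    """One image-load event: a process loading a DLL, with signature status of each."""
    process: str
    process_signed: bool
    dll: str
    dll_signed: bool


def is_trusted_dir(path: str) -> bool:
    """True when the file lives under one of the standard install directories."""
    parent = str(PureWindowsPath(path).parent).lower()
    return any(parent == d or parent.startswith(d + "\\") for d in TRUSTED_DIRS)


def sideload_indicators(ev: ImageLoad) -> list[str]:
    """Return the sideloading indicators present in one event (empty list = nothing odd).

    The hypothesis is specifically 'signed host binary loads an unsigned DLL',
    so events that do not match that shape return no indicators.
    """
    if not ev.process_signed or ev.dll_signed:
        return []
    proc = PureWindowsPath(ev.process)
    dll = PureWindowsPath(ev.dll)
    reasons = []
    # PureWindowsPath comparisons are case-insensitive, as on Windows.
    if proc.parent == dll.parent:
        reasons.append("unsigned DLL loaded from the signed executable's own directory")
    if not is_trusted_dir(ev.process):
        reasons.append("signed executable running outside standard install paths")
    dll_dir = str(dll.parent).lower() + "\\"
    if dll_dir.startswith(USER_WRITABLE_PREFIXES):
        reasons.append("DLL resides in a user-writable location")
    return reasons


def triage(events: list[ImageLoad]) -> list[tuple[ImageLoad, list[str]]]:
    """Return (event, reasons) for every event meeting the alert threshold."""
    hits = []
    for ev in events:
        reasons = sideload_indicators(ev)
        if len(reasons) >= ALERT_THRESHOLD:
            hits.append((ev, reasons))
    return hits


# Constructed sample telemetry (vendor name 'examplevendor' and 'avscan.exe' are placeholders).
SAMPLE_EVENTS = [
    # A signed scanner copied to a user-writable folder, loading an unsigned DLL beside it.
    ImageLoad(r"C:\Users\Public\tools\avscan.exe", True,
              r"C:\Users\Public\tools\log.dll", False),
    # Normal: the properly installed scanner loading a signed system DLL.
    ImageLoad(r"C:\Program Files\ExampleVendor\avscan.exe", True,
              r"C:\Windows\System32\kernel32.dll", True),
    # Benign-looking unsigned plugin next to the installed scanner: one indicator only.
    ImageLoad(r"C:\Program Files\ExampleVendor\avscan.exe", True,
              r"C:\Program Files\ExampleVendor\plugin.dll", False),
    # Unsigned host process: outside this rule's hypothesis, handled by other rules.
    ImageLoad(r"C:\Users\Public\tools\updater.exe", False,
              r"C:\Users\Public\tools\helper.dll", False),
]

if __name__ == "__main__":
    for ev, reasons in triage(SAMPLE_EVENTS):
        print(f"ALERT {ev.process} -> {ev.dll}")
        for r in reasons:
            print(f"   - {r}")
```

Run as a script it prints one alert, for the scanner running out of `C:\Users\Public\tools`, with all three indicators; the unsigned plugin in Program Files is recorded by `sideload_indicators` but stays below the threshold. In a real deployment the signature fields come from the endpoint sensor, and the threshold and path lists are tuned per environment.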