{
	"id": "743bc55e-fee4-4490-8d1c-c9bf5cbb87a5",
	"created_at": "2026-04-06T00:19:32.537489Z",
	"updated_at": "2026-04-10T03:34:28.274911Z",
	"deleted_at": null,
	"sha1_hash": "6db70921dc6506a517c5bde1e9945d382d04bc59",
	"title": "Salty Much: Darktrace’s take on a recent Salt Typhoon intrusion",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 812210,
	"plain_text": "Salty Much: Darktrace’s take on a recent Salt Typhoon intrusion\r\nBy Nathaniel Jones\r\nPublished: 2025-10-20 · Archived: 2026-04-05 21:43:28 UTC\r\nWhat is Salt Typhoon?\r\nSalt Typhoon represents one of the most persistent and sophisticated cyber threats targeting global critical\r\ninfrastructure today. Believed to be linked to state-sponsored actors from the People’s Republic of China (PRC),\r\nthis advanced persistent threat (APT) group has executed a series of high-impact campaigns against\r\ntelecommunications providers, energy networks, and government systems—most notably across the United States.\r\nActive since at least 2019, the group — also tracked as Earth Estries, GhostEmperor, and UNC2286 — has\r\ndemonstrated advanced capabilities in exploiting edge devices, maintaining deep persistence, and exfiltrating\r\nsensitive data across more than 80 countries. While much of the public reporting has focused on U.S. targets, Salt\r\nTyphoon’s operations have extended into Europe, the Middle East, and Africa (EMEA) where it has targeted\r\ntelecoms, government entities, and technology firms. Its use of custom malware and exploitation of high-impact\r\nvulnerabilities (e.g., Ivanti, Fortinet, Cisco) underscores the strategic nature of its campaigns, which blend\r\nintelligence collection with geopolitical influence [1].\r\nLeveraging zero-day exploits, obfuscation techniques, and lateral movement strategies, Salt Typhoon has\r\ndemonstrated an alarming ability to evade detection and maintain long-term access to sensitive environments. The\r\ngroup’s operations have exposed lawful intercept systems, compromised metadata for millions of users, and\r\ndisrupted essential services, prompting coordinated responses from intelligence agencies and private-sector\r\npartners worldwide. 
As organizations reassess their threat models, Salt Typhoon serves as a stark reminder of the\r\nevolving nature of nation-state cyber operations and the urgent need for proactive defense strategies.\r\nDarktrace’s coverage\r\nIn this case, Darktrace observed activity in a European telecommunications organization consistent with Salt\r\nTyphoon’s known tactics, techniques and procedures (TTPs), including dynamic-link library (DLL) sideloading\r\nand abuse of legitimate software for stealth and execution.\r\nInitial access\r\nThe intrusion began with exploitation of CVE-2025-5777, a vulnerability affecting Citrix NetScaler Gateway\r\nappliances, in the first week of July 2025. From there, the actor pivoted to Citrix Virtual Delivery Agent (VDA)\r\nhosts in the client’s Machine Creation Services (MCS) subnet. Initial access activities in the intrusion originated\r\nfrom an endpoint potentially associated with the SoftEther VPN service, suggesting infrastructure obfuscation\r\nfrom the outset.\r\nTooling\r\nhttps://www.darktrace.com/blog/salty-much-darktraces-view-on-a-recent-salt-typhoon-intrusion\r\nPage 1 of 5\n\nDarktrace subsequently observed the threat actor delivering a backdoor assessed with high confidence to be\r\nSNAPPYBEE (also known as Deed RAT) [2][3] to multiple Citrix VDA hosts. The backdoor was delivered to\r\nthese internal endpoints as a DLL alongside legitimate executable files for antivirus software such as Norton\r\nAntivirus, Bkav Antivirus, and IObit Malware Fighter. This pattern of activity indicates that the attacker relied on\r\nDLL side-loading via legitimate antivirus software to execute their payloads. 
Salt Typhoon and similar groups\r\nhave a history of employing this technique [4][5], enabling them to execute payloads under the guise of trusted\r\nsoftware and bypass traditional security controls.\r\nCommand-and-Control (C2)\r\nThe backdoor delivered by the threat actor leveraged LightNode VPS endpoints for C2, communicating over\r\nboth HTTP and an unidentified TCP-based protocol. This dual-channel setup is consistent with Salt Typhoon’s\r\nknown use of non-standard and layered protocols to evade detection. The HTTP communications displayed by the\r\nbackdoor included POST requests with an Internet Explorer User-Agent header and Target URI patterns such as\r\n“/17ABE7F017ABE7F0”. One of the C2 hosts contacted by compromised endpoints was aar.gandhibludtric[.]com\r\n(38.54.63[.]75), a domain recently linked to Salt Typhoon [6].\r\nDetection timeline\r\nDarktrace produced high-confidence detections in response to the early stages of the intrusion, with both the\r\ninitial tooling and C2 activities being strongly covered by both Darktrace Cyber AI Analyst™\r\ninvestigations and Darktrace models. Despite the sophistication of the threat actor, the intrusion activity was identified\r\nand remediated before escalating beyond these early stages of the attack, with Darktrace’s timely high-confidence detections likely playing a key role in neutralizing the threat.\r\nCyber AI Analyst observations\r\nDarktrace’s Cyber AI Analyst autonomously investigated the model alerts generated by Darktrace during the early\r\nstages of the intrusion. 
Through its investigations, Cyber AI Analyst discovered the initial tooling and C2 events\r\nand pieced them together into unified incidents representing the attacker’s progression.\r\nFigure 1: Cyber AI Analyst weaved together separate events from the intrusion into broader\r\nincidents summarizing the attacker’s progression.\r\nConclusion\r\nBased on overlaps in TTPs, staging patterns, infrastructure, and malware, Darktrace assesses with moderate\r\nconfidence that the observed activity was consistent with Salt Typhoon/Earth Estries (AKA\r\nGhostEmperor/UNC2286). Salt Typhoon continues to challenge defenders with its stealth, persistence, and abuse\r\nof legitimate tools. As attackers increasingly blend into normal operations, detecting behavioral anomalies\r\nbecomes essential for identifying subtle deviations and correlating disparate signals. The evolving nature of Salt\r\nTyphoon’s tradecraft, and its ability to repurpose trusted software and infrastructure, ensures it will remain\r\ndifficult to detect using conventional methods alone. 
This intrusion highlights the importance of proactive\r\ndefense, where anomaly-based detections, not just signature matching, play a critical role in surfacing early-stage\r\nactivity.\r\nCredit to Nathaniel Jones (VP, Security \u0026 AI Strategy, FCISO), Sam Lister (Specialist Security Researcher),\r\nEmma Foulger (Global Threat Research Operations Lead), Adam Potter (Senior Cyber Analyst)\r\nEdited by Ryan Traill (Analyst Content Lead)\r\nAppendices\r\nIndicators of Compromise (IoCs)\r\nIoC – Type – Description + Confidence\r\n89.31.121[.]101 – IP Address – Possible C2 server\r\nhxxp://89.31.121[.]101:443/WINMM.dll – URI – Likely SNAPPYBEE download\r\nb5367820cd32640a2d5e4c3a3c1ceedbbb715be2 – SHA1 – Likely SNAPPYBEE download\r\nhxxp://89.31.121[.]101:443/NortonLog.txt – URI – Likely DLL side-loading activity\r\nhxxp://89.31.121[.]101:443/123.txt – URI – Possible DLL side-loading activity\r\nhxxp://89.31.121[.]101:443/123.tar – URI – Possible DLL side-loading activity\r\nhxxp://89.31.121[.]101:443/pdc.exe – URI – Possible DLL side-loading activity\r\nhxxp://89.31.121[.]101:443//Dialog.dat – URI – Possible DLL side-loading activity\r\nhxxp://89.31.121[.]101:443/fltLib.dll – URI – Possible DLL side-loading activity\r\nhxxp://89.31.121[.]101:443/DisplayDialog.exe – URI – Possible DLL side-loading activity\r\nhxxp://89.31.121[.]101:443/DgApi.dll – URI – Likely DLL side-loading activity\r\nhxxp://89.31.121[.]101:443/dbindex.dat – URI – Likely DLL side-loading activity\r\nhxxp://89.31.121[.]101:443/1.txt – URI – Possible DLL side-loading activity\r\nhxxp://89.31.121[.]101:443/imfsbDll.dll – URI – Likely DLL side-loading activity\r\nhxxp://89.31.121[.]101:443/imfsbSvc.exe – URI – Likely DLL side-loading activity\r\naar.gandhibludtric[.]com – Hostname – Likely C2 server\r\n38.54.63[.]75 – IP – Likely C2 server\r\n156.244.28[.]153 – IP – Possible C2 
server\r\nhxxp://156.244.28[.]153/17ABE7F017ABE7F0 – URI – Possible C2 activity\r\nMITRE TTPs\r\nTechnique | Description\r\nT1190 | Exploit Public-Facing Application – Citrix NetScaler Gateway compromise\r\nT1105 | Ingress Tool Transfer – Delivery of backdoor to internal hosts\r\nT1665 | Hide Infrastructure – Use of SoftEther VPN for C2\r\nT1574.001 | Hijack Execution Flow: DLL – Execution of backdoor through DLL side-loading\r\nT1095 | Non-Application Layer Protocol – Unidentified application-layer protocol for C2 traffic\r\nT1071.001 | Web Protocols – HTTP-based C2 traffic\r\nT1571 | Non-Standard Port – Port 443 for unencrypted HTTP traffic\r\nDarktrace Model Alerts during intrusion\r\nAnomalous File::Internal::Script from Rare Internal Location\r\nAnomalous File::EXE from Rare External Location\r\nAnomalous File::Multiple EXE from Rare External Locations\r\nAnomalous Connection::Possible Callback URL\r\nAntigena::Network::External Threat::Antigena Suspicious File Block\r\nAntigena::Network::Significant Anomaly::Antigena Significant Server Anomaly Block\r\nAntigena::Network::Significant Anomaly::Antigena Controlled and Model Alert\r\nAntigena::Network::Significant Anomaly::Antigena Alerts Over Time Block\r\nAntigena::Network::External Threat::Antigena File then New Outbound Block\r\nReferences\r\n[1] https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a\r\n[2] https://www.trendmicro.com/en_gb/research/24/k/earth-estries.html\r\n[3] https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/k/earth-estries/IOC_list-EarthEstries.txt\r\n[4] https://www.trendmicro.com/en_gb/research/24/k/breaking-down-earth-estries-persistent-ttps-in-prolonged-cyber-o.html\r\n[5] https://lab52.io/blog/deedrat-backdoor-enhanced-by-chinese-apts-with-advanced-capabilities/\r\n[6] https://www.silentpush.com/blog/salt-typhoon-2025/\r\nThe content 
provided in this blog is published by Darktrace for general informational purposes only and reflects our understanding of\r\ncybersecurity topics, trends, incidents, and developments at the time of publication. While we strive to ensure accuracy and relevance, the\r\ninformation is provided “as is” without any representations or warranties, express or implied. Darktrace makes no guarantees regarding\r\nthe completeness, accuracy, reliability, or timeliness of any information presented and expressly disclaims all warranties.\r\nNothing in this blog constitutes legal, technical, or professional advice, and readers should consult qualified professionals before acting\r\non any information contained herein. Any references to third-party organizations, technologies, threat actors, or incidents are for\r\ninformational purposes only and do not imply affiliation, endorsement, or recommendation.\r\nDarktrace, its affiliates, employees, or agents shall not be held liable for any loss, damage, or harm arising from the use of or reliance on\r\nthe information in this blog.\r\nThe cybersecurity landscape evolves rapidly, and blog content may become outdated or superseded. We reserve the right to update,\r\nmodify, or remove any content.\r\nSource: https://www.darktrace.com/blog/salty-much-darktraces-view-on-a-recent-salt-typhoon-intrusion",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.darktrace.com/blog/salty-much-darktraces-view-on-a-recent-salt-typhoon-intrusion"
	],
	"report_names": [
		"salty-much-darktraces-view-on-a-recent-salt-typhoon-intrusion"
	],
	"threat_actors": [
		{
			"id": "f67fb5b3-b0d4-484c-943e-ebf12251eff6",
			"created_at": "2022-10-25T16:07:23.605611Z",
			"updated_at": "2026-04-10T02:00:04.685162Z",
			"deleted_at": null,
			"main_name": "FamousSparrow",
			"aliases": [
				"Earth Estries"
			],
			"source_name": "ETDA:FamousSparrow",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f0eca237-f191-448f-87d1-5d6b3651cbff",
			"created_at": "2024-02-06T02:00:04.140087Z",
			"updated_at": "2026-04-10T02:00:03.577326Z",
			"deleted_at": null,
			"main_name": "GhostEmperor",
			"aliases": [
				"OPERATOR PANDA",
				"FamousSparrow",
				"UNC2286",
				"Salt Typhoon",
				"RedMike"
			],
			"source_name": "MISPGALAXY:GhostEmperor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a09ade2a-6b87-4f9a-b4f8-23cf14f63633",
			"created_at": "2023-11-04T02:00:07.676869Z",
			"updated_at": "2026-04-10T02:00:03.389898Z",
			"deleted_at": null,
			"main_name": "Earth Estries",
			"aliases": [],
			"source_name": "MISPGALAXY:Earth Estries",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d390d62a-6e11-46e5-a16f-a88898a8e6ff",
			"created_at": "2024-12-28T02:01:54.899899Z",
			"updated_at": "2026-04-10T02:00:04.880446Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Earth Estries",
				"FamousSparrow",
				"GhostEmperor",
				"Operator Panda",
				"RedMike",
				"Salt Typhoon",
				"UNC2286"
			],
			"source_name": "ETDA:Salt Typhoon",
			"tools": [
				"Agentemis",
				"Backdr-NQ",
				"Cobalt Strike",
				"CobaltStrike",
				"Crowdoor",
				"Cryptmerlin",
				"Deed RAT",
				"Demodex",
				"FamousSparrow",
				"FuxosDoor",
				"GHOSTSPIDER",
				"HemiGate",
				"MASOL RAT",
				"Mimikatz",
				"NBTscan",
				"NinjaCopy",
				"ProcDump",
				"PsExec",
				"PsList",
				"SnappyBee",
				"SparrowDoor",
				"TrillClient",
				"WinRAR",
				"Zingdoor",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "fcff864b-9255-49cf-9d9b-2b9cb2ad7cff",
			"created_at": "2025-04-23T02:00:55.190165Z",
			"updated_at": "2026-04-10T02:00:05.361244Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Salt Typhoon"
			],
			"source_name": "MITRE:Salt Typhoon",
			"tools": [
				"JumbledPath"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6477a057-a76b-4b60-9135-b21ee075ca40",
			"created_at": "2025-11-01T02:04:53.060656Z",
			"updated_at": "2026-04-10T02:00:03.845594Z",
			"deleted_at": null,
			"main_name": "BRONZE TIGER",
			"aliases": [
				"Earth Estries ",
				"Famous Sparrow ",
				"Ghost Emperor ",
				"RedMike ",
				"Salt Typhoon "
			],
			"source_name": "Secureworks:BRONZE TIGER",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434772,
	"ts_updated_at": 1775792068,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6db70921dc6506a517c5bde1e9945d382d04bc59.pdf",
		"text": "https://archive.orkl.eu/6db70921dc6506a517c5bde1e9945d382d04bc59.txt",
		"img": "https://archive.orkl.eu/6db70921dc6506a517c5bde1e9945d382d04bc59.jpg"
	}
}