- The infamous hacker group Salt Typhoon has likely targeted Telecom organizations
- Researchers identified tactics the group used in the past
The infamous Chinese hacker group Salt Typhoon has again been linked to intrusions against telecommunications companies – this time in Europe.
A new report from Darktrace claims the group has been observed “targeting global infrastructure using stealthy techniques such as DLL sideloading and zero-day exploits.”
The early intrusion activity discovered mirrors previous Salt Typhoon tactics, such as the prolific attacks on up to 8 different telecommunications organizations in a far-reaching and potent multi-year campaign. That campaign saw the group steal information from millions of US telecom customers by using a high-severity Cisco flaw to gain access and eventually collect traffic from the compromised network devices.
DLL side-loading
In the latest incident, Darktrace assessed with moderate confidence that Salt Typhoon abused legitimate tools with stealth and persistence – exploiting a Citrix NetScaler Gateway appliance to gain initial access.
From there, the criminals deployed the Snappybee malware, also known as the Deed RAT, which is launched using a technique called DLL side-loading – another tactic commonly used by Chinese threat actors.
“The backdoor was delivered to these internal endpoints as a DLL along with legitimate executables for antivirus software such as Norton Antivirus, Bkav Antivirus, and IObit Malware Fighter,” Darktrace explained.
“This pattern of activity indicates that the attacker relied on DLL page loading via legitimate antivirus software to execute their payload. Salt Typhoon and similar groups have a history of using this technique, enabling them to execute payloads under the guise of trusted software and bypass traditional security controls.”
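As an added illustration (not code from Darktrace's report or the article), one way a defender can hunt for the pattern described above in image-load telemetry: flag a DLL loaded from the same directory as an executable that is itself running outside its normal install path, when that DLL is not validly signed. Field names follow Sysmon Event ID 7 (Image loaded); the sample records, paths and vendor name are constructed.

```python
"""Hunt for DLL side-loading candidates in image-load telemetry.

Pattern: a DLL is loaded from the same directory as the executable that loaded
it, that executable runs from outside its normal install location, and the DLL
is not validly signed. Field names follow Sysmon Event ID 7 (Image loaded);
the log lines below are constructed samples, not real telemetry.
"""
import ntpath

# Locations where a vendor binary normally lives together with its own DLLs.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

def parse_event(line):
    """Parse a 'key=value|key=value' log line into a dict."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))

def is_sideload_candidate(ev):
    """Return True if the image-load event matches the side-loading pattern."""
    exe_dir = ntpath.dirname(ev["Image"]).lower()
    dll_dir = ntpath.dirname(ev["ImageLoaded"]).lower()
    if dll_dir != exe_dir:
        return False  # search-order abuse relies on the DLL sitting beside the EXE
    if exe_dir.startswith(TRUSTED_DIRS):
        return False  # expected: vendor binary loading from its install path
    if ev.get("Signed") == "true" and ev.get("SignatureStatus") == "Valid":
        return False  # validly signed DLL next to the binary that loaded it
    return True

def find_sideloads(lines):
    """Return the paths of loaded DLLs that match the pattern."""
    return [ev["ImageLoaded"] for ev in map(parse_event, lines)
            if is_sideload_candidate(ev)]

# Constructed sample records (hypothetical vendor name and paths).
SAMPLE_LINES = [
    r"Image=C:\Program Files\VendorAV\av.exe|ImageLoaded=C:\Program Files\VendorAV\engine.dll|Signed=true|SignatureStatus=Valid",
    r"Image=C:\Users\Public\Libraries\av.exe|ImageLoaded=C:\Windows\System32\kernel32.dll|Signed=true|SignatureStatus=Valid",
    r"Image=C:\Users\Public\Libraries\av.exe|ImageLoaded=C:\Users\Public\Libraries\engine.dll|Signed=false|SignatureStatus=Unavailable",
    r"Image=C:\Users\Public\Libraries\av.exe|ImageLoaded=C:\Users\Public\Libraries\helper.dll|Signed=true|SignatureStatus=Valid",
]

if __name__ == "__main__":
    for path in find_sideloads(SAMPLE_LINES):
        print("possible DLL side-load:", path)
```

The third record (a signed-looking AV executable copied to a public folder and loading an unsigned DLL from that same folder) is the only one flagged; a stricter rule could also compare the DLL's signer against the executable's.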
Darktrace says the intrusion was identified and remediated before it could escalate beyond the early stages of the attack – neutralizing the threat.
This highlights the critical importance of proactive, anomaly-based defense and detection over the more traditional signature-based methods, especially given the rise of persistent, state-sponsored threat actors.