China Hackers Exploit Citrix Gateway to Breach European Telecom


Cybersecurity programs typically focus on protecting core applications and digital assets. But what if the bad guys start targeting trusted defensive measures?

This was the case as reported by Darktrace, a cybersecurity platform provider. Its report sheds light on a sophisticated cyber intrusion linked to Salt Typhoon. The threat actor group is believed to be operated by China's Ministry of State Security, which conducts cyber espionage campaigns against other countries.

The recent attack features a blend of zero-day exploitation and trusted software abuse. In this instance, Salt Typhoon infiltrated a European telecommunications provider through a gateway device. The attackers then executed a familiar—but evolving—arsenal of stealth techniques.

These included DLL sideloading and abusing trusted antivirus software—such as Norton, Bkav, and IObit—to mask malicious payloads under legitimate binaries. The campaign also deployed a custom backdoor known as SNAPPYBEE (aka Deed RAT) by using a dual command-and-control channel (HTTP and unidentified TCP) to sustain the covert access.

Darktrace analysts attribute the incident to Salt Typhoon based on overlapping tactics, infrastructure, and malware patterns seen in prior operations by the group. The event underscores a growing trend: nation-state actors are increasingly weaponizing legitimate tools and supply-chain software to bypass traditional security controls and AI-powered detection.

This article explores how zero-day exploits, trusted application hijacking, and layered obfuscation signal an evolution in espionage tradecraft. You can also learn about the implications for security teams as they defend enterprises and what this particular attack reveals about the global geopolitical undercurrents of cyber conflicts.

Entry Point: The Citrix Exploit

Salt Typhoon gained initial access through a Citrix NetScaler Gateway appliance. The attackers exploited a vulnerability in the gateway to pivot into the telecom provider’s internal network. This allowed them to compromise Virtual Delivery Agent (VDA) hosts, which deliver applications and desktops to remote end-users.

The attackers concealed their origins using SoftEther VPN, open-source, multi-protocol VPN software, and layered multiple proxies on top of it to obscure geographic attribution. This let them maintain ongoing control over the telecom’s internal network.

Abusing the Trust of Antivirus Software

In addition to embedding malicious DLLs alongside legitimate antivirus binaries to execute code invisibly, Salt Typhoon deployed the SNAPPYBEE (aka Deed RAT) backdoor. This allowed them to create dual HTTP and TCP Command & Control (C2) channels. The multi-protocol design of this backdoor makes attacks resilient against detection and takedowns.
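One way a defender can look for the dual-channel pattern described above is to search connection logs for a host that checks in to a destination over HTTP at regular intervals while also holding a separate TCP session to that same destination on a non-web port. The script below is an added illustration, not code from the original article or from Darktrace: the connection records are constructed (destination addresses come from the RFC 5737 documentation ranges), and the beaconing thresholds (at least six connections, inter-arrival coefficient of variation at most 0.15) are generic starting points an analyst would tune to their own environment.

```python
"""Spot a dual-channel C2 pattern in connection logs: a host that beacons
periodically over HTTP to a destination while also holding a separate
TCP session to that same destination on a non-web port.

Added illustration with constructed sample data; the thresholds are
generic beaconing heuristics, not Darktrace's detection logic.
"""
from collections import defaultdict
from statistics import mean, pstdev

WEB_PORTS = {80, 443}

# Constructed connection records: (epoch seconds, source host, destination IP, destination port).
_T = 1_700_000_000
SAMPLE_CONNS = [
    # ws-17: HTTP check-ins roughly every 60 seconds with a little jitter ...
    (_T + 0, "ws-17", "203.0.113.10", 80),
    (_T + 60, "ws-17", "203.0.113.10", 80),
    (_T + 118, "ws-17", "203.0.113.10", 80),
    (_T + 180, "ws-17", "203.0.113.10", 80),
    (_T + 241, "ws-17", "203.0.113.10", 80),
    (_T + 300, "ws-17", "203.0.113.10", 80),
    (_T + 360, "ws-17", "203.0.113.10", 80),
    (_T + 421, "ws-17", "203.0.113.10", 80),
    # ... plus connections to the same destination on an unidentified TCP port.
    (_T + 5, "ws-17", "203.0.113.10", 1443),
    (_T + 305, "ws-17", "203.0.113.10", 1443),
    # ws-22: ordinary, irregular HTTPS browsing (no beacon, no second channel).
    (_T + 0, "ws-22", "198.51.100.5", 443),
    (_T + 7, "ws-22", "198.51.100.5", 443),
    (_T + 130, "ws-22", "198.51.100.5", 443),
    (_T + 131, "ws-22", "198.51.100.5", 443),
    (_T + 400, "ws-22", "198.51.100.5", 443),
    (_T + 900, "ws-22", "198.51.100.5", 443),
    (_T + 905, "ws-22", "198.51.100.5", 443),
]


def beacon_keys(conns, min_count=6, max_cv=0.15):
    """Return {(src, dst, port): cv} for connection series whose inter-arrival
    times are regular: coefficient of variation (stdev / mean) <= max_cv."""
    times = defaultdict(list)
    for ts, src, dst, port in conns:
        times[(src, dst, port)].append(ts)
    found = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_count:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            found[key] = round(cv, 3)
    return found


def dual_channel_hosts(conns, beacons=None):
    """Return sorted [(src, dst, beacon_port, (other_ports...))] for hosts whose
    HTTP beacon destination also receives non-web TCP connections from them."""
    beacons = beacon_keys(conns) if beacons is None else beacons
    other_ports = defaultdict(set)
    for _ts, src, dst, port in conns:
        if port not in WEB_PORTS:
            other_ports[(src, dst)].add(port)
    hits = []
    for (src, dst, port) in beacons:
        if port in WEB_PORTS and other_ports.get((src, dst)):
            hits.append((src, dst, port, tuple(sorted(other_ports[(src, dst)]))))
    return sorted(hits)


if __name__ == "__main__":
    for src, dst, port, others in dual_channel_hosts(SAMPLE_CONNS):
        print(f"{src}: periodic HTTP to {dst}:{port} plus TCP on ports {others}")
```

On the constructed data, ws-17 is reported (a regular 60-second HTTP cadence to 203.0.113.10 alongside port 1443 sessions) while ws-22's irregular browsing is not. The coefficient-of-variation test is deliberately simple; in production it would be combined with destination reputation, session duration and byte-count features rather than used alone.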

“Salt Typhoon has demonstrated its capability to conceal itself within legitimate enterprise software to execute attacks,” said Nivedita Murthy, a Senior Staff Consultant who commented on the incident for Black Duck, which provides application security solutions. “These attacks appear to be highly intentional and deterministic.”

This attack also reflects broader trends in stealth and the abuse of legitimate software. Threat actors are increasingly leveraging legitimate enterprise tools, signed binaries, and commercial software ecosystems to evade modern detection systems.

Defensive Lessons for Enterprises

Murthy also points out that unusual behavior from legitimate software is generally given low priority. However, this behavior may serve as a precursor to future campaigns.

To combat this, security teams can take several actions:

  • Reassess policies and processes.
  • Elevate the severity of such findings.
  • Perform checks upon discovery.
  • Monitor for reconnaissance efforts on networks and software.
  • Watch for deviations in the behavior of legitimate software.
  • Conduct thorough investigations.

By adopting this proactive and vigilant approach, as recommended by Murthy, security teams can better detect and respond to threats like Salt Typhoon.

Additional practical advice for security teams includes monitoring DLL loading behaviors, applying behavioral analytics, rapidly patching Citrix appliances, and segmenting access to critical systems.
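The DLL-loading monitoring mentioned above, and the DLL sideloading technique described earlier in the article, can be approached with Sysmon's ImageLoad telemetry (Event ID 7). The triage script below is an added illustration, not code from the original article or from Darktrace or Sysmon: it scores each record on three signals (an unsigned DLL loaded from the process's own directory, a DLL whose name is expected under System32 loading from somewhere else, and a process image running from a user-writable path). The sample events are constructed; the field names Image, ImageLoaded, Signed and SignatureStatus are real Sysmon Event ID 7 fields, while the vendor and binary names (ExampleAV, avtool.exe, scanner.exe) and the entries in EXPECTED_DLL_DIRS are example values an analyst would replace with data from a known-good host.

```python
"""Triage Sysmon ImageLoad (Event ID 7) records for DLL side-loading indicators.

Added illustration: the sample events are constructed and the scoring rules are
a generic heuristic, not Darktrace's or Sysmon's own detection logic.
"""
from pathlib import PureWindowsPath

# Directory a DLL with one of these names is expected to load from.
# Example entries only; populate this from a known-good reference host.
EXPECTED_DLL_DIRS = {
    "version.dll": "c:\\windows\\system32",
    "dbghelp.dll": "c:\\windows\\system32",
}

# Locations from which a trusted application binary should not normally be running.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Constructed sample events; field names follow Sysmon Event ID 7.
SAMPLE_EVENTS = [
    # Expected: a Windows binary loading a signed system DLL from System32.
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # Side-loading shape: a binary in a user-writable folder loads an unsigned DLL
    # that carries a System32 name from its own directory (avtool.exe is a constructed name).
    {"Image": r"C:\Users\Public\Libraries\avtool.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # A vendor product loading its own signed plugin from its install directory (constructed names).
    {"Image": r"C:\Program Files\ExampleAV\scanner.exe",
     "ImageLoaded": r"C:\Program Files\ExampleAV\plugin.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]


def _parent(path: str) -> str:
    """Lower-cased parent directory of a Windows path (works on any host OS)."""
    return str(PureWindowsPath(path).parent).lower()


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def score_image_load(event: dict) -> tuple:
    """Return (score, reasons) for one Event ID 7 record."""
    exe, dll = event["Image"], event["ImageLoaded"]
    score, reasons = 0, []

    same_dir = _parent(exe) == _parent(dll)
    unsigned = (event.get("Signed", "").lower() != "true"
                or event.get("SignatureStatus", "") != "Valid")
    if same_dir and unsigned:
        score += 2
        reasons.append("unsigned DLL loaded from the process's own directory")

    expected = EXPECTED_DLL_DIRS.get(_name(dll))
    if expected and _parent(dll) != expected:
        score += 3
        reasons.append(f"{_name(dll)} loaded from {_parent(dll)} instead of {expected}")

    if _parent(exe).startswith(USER_WRITABLE_PREFIXES):
        score += 1
        reasons.append("process image runs from a user-writable location")

    return score, reasons


def triage(events: list, threshold: int = 3) -> list:
    """Return the events whose score meets the threshold, annotated with reasons."""
    hits = []
    for ev in events:
        score, reasons = score_image_load(ev)
        if score >= threshold:
            hits.append({**ev, "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"[{hit['score']}] {hit['Image']} -> {hit['ImageLoaded']}")
        for reason in hit["reasons"]:
            print("    -", reason)
```

The scoring is additive so that a single weak signal (a vendor product loading its own signed plugin next to its executable) stays below the threshold, while the combination seen in sideloading (unsigned, same directory, system DLL name, user-writable path) rises well above it. Because Event ID 7 does not record the signature of the loading process itself, the "trusted binary" half of the pattern is inferred from path and DLL name rather than from the host executable's signer.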

“Moving beyond signature-based detection is necessary when dealing with such intrusion activity,” added Neil Pathare, an Associate Principal Consultant and a colleague of Murthy at Black Duck. “Security teams should always implement a zero-trust model for continued verification and continuously monitor for unusual processes and suspicious behavior on peripheral devices as well as specialized network appliances. Doing so contributes to ensuring uncompromised trust in software.”

Considering the Geopolitical Undercurrent

Given the current geopolitical relationship between the US and China, attacks like this are sure to keep occurring. The two countries compete in world markets. Plus, mutual distrust exists across economic, technological, and military domains.

This campaign also symbolizes broader China-linked cyber operations targeting telecom and communications infrastructure as part of its strategic intelligence-gathering efforts.

“Organizations should expect stealthy activity that blends with normal operations when facing Salt Typhoon,” said Jason Soroko, a Senior Fellow at Sectigo, a provider of comprehensive certificate lifecycle management.

As this attack illustrates, there has been a shift toward stealth-driven espionage. Attackers now rely less on malware volume. Their focus has turned to exploiting the trust woven into enterprise systems. The time has arrived to apply the zero-trust paradigm to cybersecurity defenses.

Author
  • Jeff Pike, Contributing Writer, Security Buzz
    After majoring in journalism at Northeastern University and working for The Boston Globe, Jeff Pike has collaborated with technical experts in the IT industry for more than 30 years. His technology expertise ranges from cybersecurity to networking, the cloud, and user productivity. Major industry players Jeff has written for include Microsoft, Cisco, Dell, AWS, and Google.
    After majoring in journalism at Northeastern University and working for <i>The Boston Globe</i>, Jeff Pike has collaborated with technical experts in the IT industry for more than 30 years. His technology expertise ranges from cybersecurity to networking, the cloud, and user productivity. Major industry players Jeff has written for include Microsoft, Cisco, Dell, AWS, and Google.