
"Salt Typhoon, also known as Earth Estries, FamousSparrow, GhostEmperor, and UNC5807, is the name given to an advanced persistent threat actor with ties to China. Known to be active since 2019, the group gained prominence last year following its attacks on telecommunications services providers, energy networks, and government systems in the U.S. The adversary has a track record of exploiting security flaws in edge devices, maintaining deep persistence, and exfiltrating sensitive data from victims in more than 80 countries across"
"One of the malware families delivered as part of the attack is Snappybee (aka Deed RAT), a suspected successor to the ShadowPad (aka PoisonPlug) malware that has been deployed in prior Salt Typhoon attacks. The malware is launched by means of a technique called DLL side-loading, which has been adopted by a number of Chinese hacking groups over the years."
"'The backdoor was delivered to these internal endpoints as a DLL alongside legitimate executable files for antivirus software such as Norton Antivirus, Bkav Antivirus, and IObit Malware Fighter,' Darktrace said. 'This pattern of activity indicates that the attacker relied on DLL side-loading via legitimate antivirus software to execute their payloads.'"
A European telecommunications organization was targeted in the first week of July 2025 when attackers exploited a Citrix NetScaler Gateway appliance to gain initial access. The intruders pivoted from that foothold to Citrix Virtual Delivery Agent hosts within the client's Machine Creation Services subnet and used SoftEther VPN to obscure their origins. The attack delivered Snappybee (aka Deed RAT), a suspected successor to ShadowPad, using DLL side-loading via legitimate antivirus executables such as Norton, Bkav, and IObit. The adversary aligns with Salt Typhoon (aka Earth Estries, FamousSparrow, GhostEmperor, UNC5807), an advanced persistent threat tied to China known for deep persistence and global exfiltration.
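The side-loading pattern Darktrace describes (a signed antivirus executable loading an unsigned DLL from the same directory) can be triaged from image-load telemetry. The following is an added example, not code from Darktrace or The Hacker News; the module-load inventory, file names, directories and publisher strings are constructed placeholders, and the publisher names used to represent Norton, Bkav and IObit are assumptions.

```python
"""Heuristic triage for DLL side-loading hosted by legitimate antivirus binaries.

Added example; input is a constructed image-load inventory of the kind a
Sysmon Event ID 7 feed would provide. All paths and signer strings are
hypothetical placeholders, not values from the report.
"""
from dataclasses import dataclass

# Assumed publisher strings standing in for the AV vendors the report names.
AV_PUBLISHERS = {"NortonLifeLock", "Bkav", "IObit"}
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

@dataclass
class ImageLoad:
    process_path: str      # executable that loaded the module
    process_signer: str    # Authenticode publisher of that executable
    dll_path: str          # module that was loaded
    dll_signer: str        # "" when the DLL is unsigned

def is_sideload_candidate(ev: ImageLoad) -> bool:
    """Signed AV executable loading a same-directory DLL the vendor did not sign."""
    proc_dir = ev.process_path.lower().rsplit("\\", 1)[0]
    dll_dir = ev.dll_path.lower().rsplit("\\", 1)[0]
    if ev.process_signer not in AV_PUBLISHERS:
        return False
    if proc_dir != dll_dir:
        return False          # side-loading relies on same-directory search order
    if ev.dll_signer == ev.process_signer:
        return False          # the vendor's own component, expected
    return True

def triage(events):
    """Return candidates, those running outside trusted install paths first."""
    hits = [e for e in events if is_sideload_candidate(e)]
    return sorted(hits, key=lambda e: e.process_path.lower().startswith(TRUSTED_DIRS))

# Constructed sample inventory (hypothetical file names, paths and signers).
SAMPLE = [
    ImageLoad(r"C:\Program Files\AVVendor\avhost.exe", "NortonLifeLock", r"C:\Program Files\AVVendor\avcore.dll", "NortonLifeLock"),
    ImageLoad(r"C:\Users\Public\upd\avhost.exe", "NortonLifeLock", r"C:\Users\Public\upd\avcore.dll", ""),
    ImageLoad(r"C:\ProgramData\tmp\scan.exe", "Bkav", r"C:\ProgramData\tmp\scan.dll", "Unknown Publisher"),
    ImageLoad(r"C:\Windows\System32\svchost.exe", "Microsoft Windows", r"C:\Windows\System32\ntdll.dll", "Microsoft Windows"),
]

if __name__ == "__main__":
    for e in triage(SAMPLE):
        print(f"SIDELOAD? {e.process_path} -> {e.dll_path} (dll signer: {e.dll_signer or 'unsigned'})")
```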
Read at The Hacker News