
Salt Typhoon targets Citrix NetScaler gateway at European telecom

Citrix sign on its office building in Fort Lauderdale, Florida, USA, an American cloud computing and virtualization technology company.

A European telecom firm was attacked using the same dynamic-link library (DLL) sideloading, stealth, and execution techniques associated with China-linked Salt Typhoon.

In an Oct. 20 blog post, Darktrace researchers said the intrusion likely began with the exploitation of a Citrix NetScaler gateway appliance in the first week of July 2025.

The researchers said the attackers then pivoted to Citrix Virtual Delivery Agent (VDA) hosts in the client’s Machine Creation Services (MCS) subnet.

Active since at least 2019, Salt Typhoon — also tracked as Earth Estries, GhostEmperor, and UNC2286 — has demonstrated advanced capabilities in exploiting edge devices, maintaining deep persistence, and exfiltrating sensitive data across more than 80 countries.

While much of the public reporting has focused on U.S. targets, Salt Typhoon’s operations have extended into Europe, the Middle East, and Africa, where it has targeted telecoms, government agencies, and technology companies, primarily exploiting flaws in Ivanti, Fortinet, and Cisco networking products, along with the Citrix gear in the most recent case.

“Organizations should expect stealthy activity that blends with normal operations when facing Salt Typhoon,” said Jason Soroko, senior fellow at Sectigo. “The actor favors DLL sideloading and the misuse of legitimate software to achieve execution and cover tracks, often hiding behind infrastructure that looks like SoftEther VPN traffic.”

Soroko said security teams should prioritize rapid patching and hardening of NetScaler, strict access controls on VDI, and segmentation that limits lateral movement from MCS subnets. Teams should hunt for unusual DLL loads by trusted binaries, unexpected processes from service hosts, and odd parentage in processes that touch network or credential material.

Here's a checklist for security teams from Soroko:

  • Monitor and challenge VPN-sourced endpoints that appear transient.
  • Enforce MFA and device posture for remote access; tighten application control to reduce sideloading risk.
  • Collect and keep EDR and network telemetry that supports timeline building; rehearse Citrix containment steps, such as draining sessions, pausing brokers, validating golden images, and rotating credentials.
  • Use anomaly-driven analytics to stitch together small deviations into early detection; pair that with a written playbook for escalation and response.
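One way to hunt for the "unusual DLL loads by trusted binaries" called out above, as an added example that is not part of the article and not tooling from Darktrace or Sectigo. It assumes Sysmon Event ID 7 (Image loaded) records reduced to a few fields, and the sample records and the set of system DLL names are constructed for illustration.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories from which Windows and installed software normally serve DLLs.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
# Illustrative (constructed) set of DLL names that ship in System32; a copy of
# one of these loaded from elsewhere is a classic sideloading signature.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "ntdll.dll", "kernel32.dll"}

@dataclass
class ImageLoad:
    """Subset of a Sysmon Event ID 7 (Image loaded) record."""
    process: str          # Image: executable that performed the load
    process_signed: bool  # signature status of that executable
    dll: str              # ImageLoaded: full path of the DLL
    dll_signed: bool      # signature status of the DLL

def in_trusted_dir(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(d) for d in TRUSTED_DIRS)

def sideload_reasons(ev: ImageLoad) -> list[str]:
    """Return why this load looks like DLL sideloading (empty list if clean)."""
    reasons = []
    exe, dll = PureWindowsPath(ev.process), PureWindowsPath(ev.dll)
    if ev.process_signed and not ev.dll_signed:
        reasons.append("signed executable loaded an unsigned DLL")
    if exe.parent == dll.parent and not in_trusted_dir(ev.dll):
        reasons.append("DLL loaded from the executable's own directory outside trusted locations")
    if dll.name.lower() in SYSTEM_DLL_NAMES and not in_trusted_dir(ev.dll):
        reasons.append(f"{dll.name} shadows a system DLL but was loaded from a non-system path")
    return reasons

def hunt(events: list[ImageLoad]) -> list[tuple[ImageLoad, list[str]]]:
    """Keep only the loads that raised at least one reason."""
    return [(ev, r) for ev in events if (r := sideload_reasons(ev))]

# Constructed sample records; none of these paths come from the incident.
SAMPLE = [
    ImageLoad(r"C:\Windows\System32\svchost.exe", True, r"C:\Windows\System32\ntdll.dll", True),
    ImageLoad(r"C:\Program Files\Vendor\app.exe", True, r"C:\Program Files\Vendor\helper.dll", True),
    ImageLoad(r"C:\Users\Public\Libraries\upd\signedtool.exe", True,
              r"C:\Users\Public\Libraries\upd\version.dll", False),
]

if __name__ == "__main__":
    for ev, reasons in hunt(SAMPLE):
        print(ev.process, "->", ev.dll)
        for r in reasons:
            print("   ", r)
```

Only the third record is flagged, with all three reasons; the same filter applied to real Event ID 7 telemetry gives a short list to triage rather than every image load on the host.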
