(TLP:CLEAR) Salt Typhoon Exploits Citrix Flaw to Breach European Telecom
Created: Thursday, October 23, 2025 - 15:38
Categories: Cybersecurity, OT-ICS Security, Security Preparedness
Summary: This week, cybersecurity researchers at Darktrace observed threat actor activity in a European telecommunications company consistent with Salt Typhoon's known tactics, techniques, and procedures (TTPs), which include dynamic-link library (DLL) sideloading and abuse of legitimate software for stealth and execution. The researchers identified the likely intrusion vector as exploitation of a recent vulnerability in Citrix NetScaler Gateway (referred to as CitrixBleed 2). WaterISAC reported on CitrixBleed 2 in July.
Members are encouraged to remediate any Citrix appliances related to this vulnerability if they haven’t already done so.
Analyst Note: These findings indicate that Salt Typhoon continues to attack critical infrastructure using tactics similar to those previously observed, including stealth, persistence, and abuse of legitimate tools. Salt Typhoon has been associated with a series of high-impact cyber campaigns directed at critical infrastructure, including water and wastewater, across more than 80 countries. The group has demonstrated long-term persistence in victim networks, using custom malware and advanced evasion techniques.
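The DLL sideloading TTP named above leaves a recognizable trace in endpoint telemetry: a signed, legitimate executable loads an unsigned DLL that sits beside it in a directory outside the normal install locations. The following is an added detection heuristic written for this advisory, not code from Darktrace's report or from WaterISAC; the record layout loosely mirrors Sysmon Event ID 7 (ImageLoaded), and the event paths, file names and signature flags are constructed samples, not indicators from the intrusion.

```python
"""Heuristic triage of image-load records for DLL sideloading candidates.

Added example (not from the Darktrace report or WaterISAC). Flags a DLL that a
signed executable loads from its own directory when that directory is not a
standard Windows install location and the DLL itself is unsigned. Field names
follow the shape of Sysmon Event ID 7; the sample events are constructed.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories where legitimately installed software normally lives. A signed
# EXE running from ProgramData, Temp or a user profile with an unsigned DLL
# beside it is the classic sideloading layout.
TRUSTED_ROOTS = (
    PureWindowsPath(r"C:\Windows"),
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
)


@dataclass(frozen=True)
class ImageLoad:
    process_image: str  # full path of the loading executable
    image_loaded: str   # full path of the module that was loaded
    exe_signed: bool    # Authenticode status of the executable
    dll_signed: bool    # Authenticode status of the loaded module


def _under_trusted_root(path: PureWindowsPath) -> bool:
    # PureWindowsPath comparison is case-insensitive, matching NTFS semantics.
    return any(root == path or root in path.parents for root in TRUSTED_ROOTS)


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """True when the record matches the sideloading layout described above."""
    exe = PureWindowsPath(ev.process_image)
    dll = PureWindowsPath(ev.image_loaded)
    if dll.suffix.lower() != ".dll":
        return False
    same_dir = exe.parent == dll.parent
    return (
        ev.exe_signed
        and not ev.dll_signed
        and same_dir
        and not _under_trusted_root(dll)
    )


def triage(events):
    """Return the subset of image-load records worth an analyst's attention."""
    return [ev for ev in events if is_sideload_candidate(ev)]


# Constructed sample events; names and paths are illustrative only.
SAMPLE_EVENTS = [
    # Normal OS activity: signed EXE loads a signed system DLL.
    ImageLoad(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\kernel32.dll", True, True),
    # Sideloading layout: signed vendor EXE dropped into ProgramData loads an
    # unsigned DLL from the same directory.
    ImageLoad(r"C:\ProgramData\Tool\vendor.exe",
              r"C:\ProgramData\Tool\helper.dll", True, False),
    # Unsigned plugin under Program Files: common for legitimate software, so
    # the trusted-root check keeps it out of the triage list.
    ImageLoad(r"C:\Program Files\App\app.exe",
              r"C:\Program Files\App\plugin.dll", True, False),
    # Unsigned EXE: suspicious in its own right, but not the sideloading pattern.
    ImageLoad(r"C:\Users\Public\update.exe",
              r"C:\Users\Public\update.dll", False, False),
]

if __name__ == "__main__":
    for ev in triage(SAMPLE_EVENTS):
        print("sideload candidate:", ev.process_image, "->", ev.image_loaded)
```

The trusted-root allowlist is the main tuning knob: environments with software legitimately installed under ProgramData or per-user directories will need those paths added, or the rule paired with a known-good hash list, to keep false positives manageable.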
Original Source: https://www.darktrace.com/blog/salty-much-darktraces-view-on-a-recent-salt-typhoon-intrusion
Additional Reading:
- Salt Typhoon Uses Citrix Flaw in Global Cyber-Attack
- Hackers Used Snappybee Malware and Citrix Flaw to Breach European Telecom Network
Related WaterISAC PIRs: 6, 6.1, 7, 7.1, 8, 10, 10.2
