Salt Typhoon Citrix NetScaler Gateway campaign targeting critical sectors
Campaign
Summary
Salt Typhoon is continuing a long-running intrusion campaign that uses Citrix NetScaler Gateway exploitation to reach telecommunications, energy, and government systems across more than 80 countries. The activity matters because it combines stealthy follow-on tradecraft with repeated access attempts against critical sectors. A July 2025 intrusion path showed DLL sideloading and SNAPPYBEE / Deed RAT used to stay hidden. The campaign has been active since at least 2019, underscoring a durable global threat.
Related Happenings
Mustang Panda Asia-Pacific and Japan CDN impersonation espionage campaign
Campaign
First: 14.05.2026 18:00
Last: 14.05.2026 18:00
Sources 1
About this happening:
A **Mustang Panda** espionage campaign used **CDN impersonation** and **DLL sideloading** to target **Asia-Pacific and Japan** networks, extending from **late September 2025 throu...
TA416 European government espionage campaign
Campaign
First: 01.04.2026 15:05
Last: 01.04.2026 15:05
Sources 1
About this happening:
TA416 has resumed **cyber espionage** activity, targeting **European governments** and **EU/NATO diplomatic missions** with a renewed malware-delivery operation that raises cross-...
Latest development: 03.04.2026 20:34
TA416 expanded its espionage campaign to Middle Eastern government and diplomatic entities after the outbreak of the U.S.-Israel-Iran conflict in late February 2026, while linking to archives hosted on Google Drive or a compromised SharePoint instance to refine its PlugX delivery chain and collect regional intelligence.
UAT-9686 Cisco AsyncOS exploitation and persistence campaign
Campaign
First: 17.12.2025 20:45
Last: 17.12.2025 20:45
Sources 1
About this happening:
The **UAT-9686** campaign is actively exploiting **CVE-2025-20393** on **Cisco AsyncOS** email appliances, giving attackers **root command execution** and a foothold for persisten...
TWOSTROKE and DEEPROOT backdoor deployment in Middle East attacks
Malware Activity
First: 18.11.2025 14:54
Last: 18.11.2025 14:54
Sources 1
About this happening:
The deployment of **TWOSTROKE** and **DEEPROOT** gave attackers persistent backdoor access for **reconnaissance**, **command execution**, and **data theft** against targeted organ...
RondoDox botnet exploitation of XWiki CVE-2025-24893
Malware Activity
First: 15.11.2025 18:35
Last: 15.11.2025 18:35
Sources 1
About this happening:
The **RondoDox** botnet has begun **targeting unpatched XWiki instances** through **CVE-2025-24893**, expanding its reach and putting vulnerable servers at risk of **botnet recrui...
Timeline
- 20.10.2025 15:15 · 2 articles · 7mo ago
Salt Typhoon Citrix NetScaler Gateway campaign targeting critical sectors
Initial Disclosure: The campaign phase became visible in **July 2025**, when intrusion activity against a **European telecommunications organization** began with **Citrix NetScaler Gateway** exploitation.
Sources:
- Salt Typhoon Uses Citrix Flaw in Global Cyber-Attack — www.infosecurity-magazine.com — 20.10.2025 15:15