VYPR · breach
Published May 14, 2026 · Updated May 18, 2026 · 1 source

Chinese APTs Salt Typhoon and Twill Typhoon Strike Energy, Telecom, and Financial Sectors with Updated Backdoors

Chinese state-sponsored groups Salt Typhoon and Twill Typhoon have been observed in recent campaigns targeting energy, telecom, and financial entities with updated backdoors and a new modular RAT framework.

Chinese state-sponsored hacking groups have expanded their targeting and updated their malware arsenals in two parallel campaigns observed between late 2025 and early 2026. Security firms Bitdefender and Darktrace have detailed intrusions by Salt Typhoon and Twill Typhoon, respectively, that demonstrate sustained access, tool evolution, and a strategic pivot toward energy and financial sector targets.

Salt Typhoon, also tracked as Earth Estries, FamousSparrow, GhostEmperor, and UNC2286, was observed between December 2025 and February 2026 targeting an Azerbaijani oil and gas company. According to Bitdefender, the campaign exploited Microsoft Exchange vulnerabilities using the ProxyNotShell exploit chain to gain initial access. The attackers deployed web shells, then used DLL sideloading to install the Deed RAT backdoor, hidden inside a folder mimicking legitimate LogMeIn Hamachi software. Persistence was achieved through a service masquerading as LogMeIn Hamachi that launched at system startup.

After compromising the initial host, the attackers abused RDP to move laterally to a second server, logged in with an administrator account, and deployed Deed RAT again. They then used Impacket tools to compromise a third host. When the malware was removed from at least one host, the hackers returned a month later and deployed the TernDoor backdoor, previously linked to Salt Typhoon by Cisco Talos. In late February, the APT accessed the victim environment again, attempting to redeploy Deed RAT using the same execution chain. Bitdefender noted that the intrusion was "not an isolated compromise, but a sustained and adaptive operation" with multiple waves of activity.

The targeting of Azerbaijan is significant, as the country has become a strategic energy partner for European nations following the expiry of the gas transit agreement between Russia and Ukraine and recent disruptions in the Strait of Hormuz. This shift in geopolitical dynamics appears to have placed Azerbaijani energy infrastructure in the crosshairs of Chinese state-sponsored espionage.

Separately, Darktrace observed the China-linked APT Twill Typhoon (also known as Bronze President, Camaro Dragon, Earth Preta, Mustang Panda, and TA416) targeting entities in the Asia-Pacific and Japan (APJ) region from September 2025 through at least April 2026. The group deployed an updated arsenal including a modular .NET-based RAT framework dubbed FDMTP. Multiple infected hosts were seen making requests to domains impersonating content delivery networks, including Yahoo and Apple services, retrieving legitimate binaries alongside matching .config files and malicious DLLs.

The attack chain relied on DLL sideloading, a hallmark of China-nexus campaigns, to execute the FDMTP RAT. The attackers used Visual Studio hosting and the legitimate Windows ClickOnce engine to ensure execution. The modular framework supports system fingerprinting, command execution, Windows task manipulation, registry persistence management, process manipulation, and file and command retrieval. Darktrace noted that the intrusions are "not dependent on a single foothold, but distributed across components that can be updated, replaced, or reloaded independently," consistent with broader China-nexus tradecraft.

These campaigns highlight the persistent and adaptive nature of Chinese state-sponsored cyber operations. Both groups continue to refine their tools and techniques, leveraging legitimate software and services to evade detection while targeting critical infrastructure and financial organizations. Organizations in the energy, telecom, and financial sectors should remain vigilant, apply patches promptly, and monitor for signs of DLL sideloading and unusual outbound connections to impersonated domains.
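The three tradecraft elements described above (a signed binary sideloading an unsigned DLL from a non-standard folder, a persistence service borrowing a vendor's name, and outbound requests to CDN-lookalike domains) lend themselves to simple heuristic hunts over endpoint and DNS telemetry. The following Python is an added example and is not code from the article, Bitdefender, or Darktrace. It assumes Sysmon-style image-load records reduced to a few fields, a trusted-directory list and a brand allowlist that a defender would tune for their own fleet, and every sample record is constructed for illustration rather than taken from the campaigns.

```python
"""Heuristic hunts for the tradecraft in the article: DLL sideloading from
non-standard directories, services masquerading as legitimate software, and
outbound requests to CDN-lookalike domains. All sample telemetry below is
constructed; none of it is a real indicator from either campaign."""
from __future__ import annotations

from dataclasses import dataclass

# Assumption: vendor software on the fleet lives under these paths. A signed
# binary running anywhere else and loading an unsigned DLL beside itself is
# the classic sideloading shape.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def is_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def parent_dir(path: str) -> str:
    return path.lower().rsplit("\\", 1)[0]


@dataclass(frozen=True)
class ImageLoad:
    """Sysmon 'Image loaded' (event 7) record reduced to the fields used here."""
    process: str        # full path of the loading executable
    image: str          # full path of the loaded DLL
    process_signed: bool
    image_signed: bool


def flag_sideloads(events: list[ImageLoad]) -> list[ImageLoad]:
    """Signed process, unsigned DLL, same directory, outside trusted dirs."""
    return [
        e for e in events
        if e.process_signed and not e.image_signed
        and parent_dir(e.process) == parent_dir(e.image)
        and not is_trusted_dir(e.process)
    ]


@dataclass(frozen=True)
class Service:
    name: str
    display_name: str
    binary_path: str


def flag_masquerading_services(services: list[Service],
                               brand_tokens=("hamachi", "logmein")) -> list[Service]:
    """Service borrowing a vendor brand in its name whose binary sits outside trusted dirs."""
    hits = []
    for s in services:
        label = f"{s.name} {s.display_name}".lower()
        if any(t in label for t in brand_tokens) and not is_trusted_dir(s.binary_path):
            hits.append(s)
    return hits


def registrable(domain: str) -> str:
    # Simplification: last two labels. A real deployment would consult the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def flag_lookalike_domains(domains, brand_tokens=("yahoo", "apple"),
                           allowlist=frozenset({"yahoo.com", "apple.com"})):
    """Domain that mentions a brand but whose registrable part is not the brand's own."""
    return [d for d in domains
            if any(t in d.lower() for t in brand_tokens)
            and registrable(d) not in allowlist]


# --- constructed sample telemetry (placeholder names, not real indicators) ---
SAMPLE_LOADS = [
    ImageLoad(r"C:\Program Files\LogMeIn Hamachi\client.exe",
              r"C:\Program Files\LogMeIn Hamachi\core.dll", True, True),
    ImageLoad(r"C:\Users\Public\Hamachi\client.exe",
              r"C:\Users\Public\Hamachi\version.dll", True, False),
    ImageLoad(r"C:\Users\Public\tool\tool.exe",
              r"C:\Users\Public\tool\helper.dll", False, False),
]
SAMPLE_SERVICES = [
    Service("HamachiTunnel", "LogMeIn Hamachi Tunneling Engine",
            r"C:\Program Files\LogMeIn Hamachi\client.exe"),
    Service("LogMeInHamachiUpdate", "LogMeIn Hamachi",
            r"C:\Users\Public\Hamachi\client.exe"),
    Service("Spooler", "Print Spooler", r"C:\Windows\System32\spoolsv.exe"),
]
SAMPLE_DOMAINS = ["www.apple.com", "cdn-apple-update.example",
                  "yahoo-cdn-static.example", "updates.contoso.example"]

if __name__ == "__main__":
    for e in flag_sideloads(SAMPLE_LOADS):
        print("sideload candidate:", e.process, "->", e.image)
    for s in flag_masquerading_services(SAMPLE_SERVICES):
        print("masquerading service:", s.name, s.binary_path)
    for d in flag_lookalike_domains(SAMPLE_DOMAINS):
        print("lookalike domain:", d)
```

On the constructed data this flags one sideload (the unsigned `version.dll` loaded from a user-writable folder), one service (the Hamachi-named service whose binary is outside Program Files), and the two brand-bearing domains whose registrable part is not the vendor's own. Each check is deliberately a coarse triage filter: the signed-but-unsigned-neighbour rule will also catch some legitimate portable software, so results are meant to be reviewed rather than auto-blocked.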

Synthesized by Vypr AI