
Chinese APTs Expand Targets, Update Backdoors in Recent Campaigns
Why It Matters
The operations demonstrate a persistent, adaptive APT tradecraft that threatens critical infrastructure and high‑value enterprises worldwide, prompting urgent upgrades to detection and defense postures.
Key Takeaways
- Salt Typhoon exploited ProxyNotShell to breach Exchange servers.
- Deed RAT deployed via DLL sideloading, mimicking LogMeIn Hamachi.
- Twill Typhoon used modular .NET RAT FDMTP with ClickOnce execution.
- Targets include energy, telecom, finance across US, APJ, Middle East.
- Campaigns demonstrate persistent, adaptive APT tradecraft updating backdoors.
Pulse Analysis
The latest disclosures from Bitdefender and Darktrace reveal that two of China’s most prolific state‑sponsored groups—Salt Typhoon and Twill Typhoon—have broadened their target sets while refreshing their malware arsenals. Salt Typhoon leveraged the ProxyNotShell chain to compromise Microsoft Exchange servers, then delivered the Deed RAT through a DLL‑sideloader hidden in a counterfeit LogMeIn Hamachi folder. Months later the group resurfaced with the TernDoor backdoor, illustrating a multi‑stage, persistent approach. Meanwhile Twill Typhoon introduced a modular .NET RAT called FDMTP, using legitimate ClickOnce and CDN‑hosted binaries to evade detection.
The campaigns intersect with shifting geopolitical dynamics. Salt Typhoon’s focus on an Azerbaijani oil‑and‑gas firm reflects Azerbaijan’s emerging role as a European energy conduit after Russia’s gas‑transit agreement lapsed. By probing government, telecom and technology entities across the United States, Asia and Africa, the group seeks leverage over critical infrastructure. Twill Typhoon’s activity in the Asia‑Pacific, especially Japan’s financial sector, aligns with China’s strategic interest in regional economic data. Both operations underscore how state‑aligned actors exploit supply‑chain trust and legitimate services to infiltrate high‑value networks.
Enterprises must treat these findings as a call to harden their attack surface. The initial foothold is the easiest to remove: ProxyNotShell (CVE-2022-41040 and CVE-2022-41082) was fixed in Microsoft's November 2022 Exchange security updates, so patching and keeping Exchange off the open internet eliminates the vector Salt Typhoon used, and multi-factor authentication on privileged accounts limits what a compromised server yields. Early indicators of the later stages are visible in ordinary telemetry: ProxyNotShell-style request patterns in IIS logs, vendor-named executables running from user-writable paths and loading unsigned DLLs beside themselves, and ClickOnce launches whose deployment manifests come from hosts the organization never sanctioned. Proactive threat hunting for those patterns and zero-trust network segmentation further reduce exposure. Finally, threat-intel sharing across sectors helps organizations anticipate the modular payload updates that APTs now deploy, turning the adaptive tradecraft of Chinese groups into a manageable risk rather than an inevitable breach.
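The three indicators named above, turned into detection logic as an added example (this is not code from Bitdefender, Darktrace or the Pulse article). It scans constructed IIS W3C log lines for the ProxyNotShell request shape (the regex is modeled on the REQUEST_URI pattern Microsoft published as a URL Rewrite mitigation in 2022), flags Sysmon-style ImageLoad events where an executable in a user-writable directory loads an unsigned DLL from its own folder (the LogMeIn Hamachi look-alike path, the DLL name and the user name are constructed), and flags ClickOnce launches via rundll32/dfshim.dll whose manifest host is outside an assumed deployment allowlist. The hostnames, paths and allowlist are assumptions for the example.

```python
"""Toy detections for the three indicators the analysis recommends monitoring.

All log lines, Sysmon-style events and hostnames below are constructed for this
example; the field names follow IIS W3C logs and Sysmon Event IDs 1 and 7.
"""
import re
from typing import Iterable, Iterator
from urllib.parse import urlparse

# Modeled on the URL Rewrite pattern Microsoft published against ProxyNotShell:
# the autodiscover front door used to reach the Exchange PowerShell backend.
PROXYNOTSHELL_RE = re.compile(r"autodiscover\.json.*@.*powershell", re.IGNORECASE)

# Paths an unprivileged user can write to. Real vendor software such as Hamachi
# installs under Program Files, so a vendor-named exe here is already odd.
USER_WRITABLE_RE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)|programdata|windows\\temp)\\",
    re.IGNORECASE,
)

# Assumed allowlist of internal ClickOnce deployment hosts (constructed).
ALLOWED_CLICKONCE_HOSTS = {"deploy.corp.example"}


def parse_w3c(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per IIS W3C record, using the '#Fields:' header for names."""
    fields: list[str] = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        parts = line.split()
        if fields and len(parts) == len(fields):
            yield dict(zip(fields, parts))


def proxynotshell_hits(lines: Iterable[str]) -> list[tuple[str, str]]:
    """Return (client_ip, uri) for requests matching the ProxyNotShell shape."""
    hits = []
    for rec in parse_w3c(lines):
        uri = rec.get("cs-uri-stem", "") + "?" + rec.get("cs-uri-query", "")
        if PROXYNOTSHELL_RE.search(uri):
            hits.append((rec["c-ip"], uri))
    return hits


def dll_sideload_suspects(events: list[dict]) -> list[tuple[str, str]]:
    """Sysmon Event ID 7: unsigned DLL loaded from the directory of a process
    that itself runs out of a user-writable path (classic sideloading layout)."""
    out = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        exe_dir = ev["Image"].rsplit("\\", 1)[0].lower()
        dll_dir = ev["ImageLoaded"].rsplit("\\", 1)[0].lower()
        unsigned = ev.get("Signed", "false").lower() != "true"
        if exe_dir == dll_dir and unsigned and USER_WRITABLE_RE.match(ev["Image"]):
            out.append((ev["Image"], ev["ImageLoaded"]))
    return out


def clickonce_launches(events: list[dict], allowed_hosts: set[str]) -> list[tuple[str, str]]:
    """Sysmon Event ID 1: ClickOnce starts as 'rundll32 dfshim.dll,ShOpenVerbApplication <url>',
    then dfsvc.exe runs the deployed binary from %LOCALAPPDATA%\\Apps\\2.0\\."""
    out = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        cmd = ev.get("CommandLine", "")
        low = cmd.lower()
        if "dfshim.dll" in low and "shopenverbapplication" in low:
            m = re.search(r"https?://\S+", cmd, re.IGNORECASE)
            host = urlparse(m.group(0)).hostname if m else None
            if host not in allowed_hosts:
                out.append(("clickonce_unlisted_host", host or cmd))
        elif ("\\appdata\\local\\apps\\2.0\\" in ev["Image"].lower()
              and ev.get("ParentImage", "").lower().endswith("\\dfsvc.exe")):
            out.append(("clickonce_deployed_binary", ev["Image"]))
    return out


def triage(iis_lines: Iterable[str], events: list[dict], allowed_hosts: set[str]) -> list[tuple[str, str]]:
    """Run all three detections and return (rule, detail) alerts in a fixed order."""
    alerts = [("proxynotshell_request", f"{ip} {uri}") for ip, uri in proxynotshell_hits(iis_lines)]
    alerts += [("dll_sideload", f"{exe} -> {dll}") for exe, dll in dll_sideload_suspects(events)]
    alerts += clickonce_launches(events, allowed_hosts)
    return alerts


# Constructed IIS log: one benign autodiscover, one ProxyNotShell-shaped request,
# one legitimate remote PowerShell session.
IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-03-04 09:12:01 10.0.0.5 GET /autodiscover/autodiscover.xml - 443 CORP\\alice 10.0.8.21 Outlook 200
2024-03-04 09:12:07 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell?&Email=autodiscover/autodiscover.json%3f@evil.example 443 - 198.51.100.7 python-requests/2.31 401
2024-03-04 09:13:44 10.0.0.5 POST /powershell serializationLevel=Full 443 CORP\\admin 10.0.8.30 Microsoft+WinRM+Client 200
"""

# Constructed Sysmon-style events: a real install, a look-alike sideload, two ClickOnce launches.
SYSMON_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Users\jdoe\AppData\Roaming\LogMeIn Hamachi\hamachi-2-ui.exe",
     "ImageLoaded": r"C:\Users\jdoe\AppData\Roaming\LogMeIn Hamachi\version.dll", "Signed": "false"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfshim.dll,ShOpenVerbApplication https://deploy.corp.example/Tools/Inventory.application'},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfshim.dll,ShOpenVerbApplication https://cdn.example-files.net/updates/Viewer.application'},
    {"EventID": 1, "Image": r"C:\Users\jdoe\AppData\Local\Apps\2.0\ABCD1234.EFG\HIJK5678.LMN\view..tion_0000000000000000_0001.0000_9f8e7d6c5b4a3210\Viewer.exe",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe", "CommandLine": "Viewer.exe"},
]

if __name__ == "__main__":
    for rule, detail in triage(IIS_LOG.splitlines(), SYSMON_EVENTS, ALLOWED_CLICKONCE_HOSTS):
        print(f"{rule:28} {detail}")
```

The sideloading rule deliberately ignores the DLL name and keys on layout instead (vendor-named binary outside Program Files, unsigned library in the same folder), because the same technique works with any hijackable import; the ClickOnce rule treats the manifest host as the control point, since dfsvc.exe and the `Apps\2.0` cache are legitimate and will appear on any host that uses ClickOnce for sanctioned software.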