Chinese APTs Salt Typhoon and Twill Typhoon Broaden Targets and Deploy New Backdoors
Why It Matters
The campaigns reveal a clear escalation in the sophistication and persistence of Chinese state‑sponsored actors, directly threatening sectors that underpin national economies and security. By targeting energy infrastructure in Azerbaijan—a key European gas supplier—the groups aim to exert pressure on the continent’s energy diversification efforts. The use of novel backdoors and a .NET RAT also signals a shift toward more stealthy, modular malware that can adapt to diverse environments, raising the bar for detection and response across global enterprises. For cybersecurity vendors and defenders, the findings highlight the urgency of adopting zero‑trust architectures, continuous monitoring of privileged accounts, and rapid patch management for widely exploited services like Microsoft Exchange. Failure to adapt could leave critical networks exposed to prolonged espionage and potential sabotage.
Key Takeaways
- Salt Typhoon targeted an Azerbaijani oil and gas firm using Microsoft Exchange exploits and the Deed RAT
- The group deployed the TernDoor backdoor disguised as LogMeIn Hamachi for persistence
- Twill Typhoon introduced a modular .NET‑based RAT across Asia‑Pacific entities from Sep 2025 to Apr 2026
- Campaigns spanned five continents, focusing on energy, telecom and technology sectors
- The operations reflect heightened geopolitical pressure on European energy security
Pulse Analysis
The twin campaigns by Salt Typhoon and Twill Typhoon illustrate a maturation of Chinese APT tactics that blends classic credential‑theft methods with next‑generation malware. Historically, Chinese groups have favored information theft; these recent operations, however, prioritize foothold durability and lateral movement, suggesting a strategic pivot toward influencing critical infrastructure. The choice of a LogMeIn Hamachi masquerade points to a deeper understanding of common enterprise tools and the exploitation of trust relationships within networks.
From a market perspective, the incidents are likely to accelerate demand for advanced endpoint detection and response (EDR) solutions that can spot DLL sideloading and .NET‑based anomalies. Vendors offering threat‑intel feeds that surface indicator‑of‑compromise (IOC) patterns tied to TernDoor or the updated RAT will see heightened relevance. Moreover, the focus on Exchange servers—still a frequent attack vector despite Microsoft’s remediation guidance—reinforces the need for managed detection and response (MDR) services that provide 24/7 monitoring of email infrastructure.
Looking ahead, the geopolitical context—particularly Europe’s search for alternative gas supplies—creates a fertile ground for further APT activity. Organizations should anticipate more tailored campaigns that align with regional energy politics, and they must embed threat‑hunting capabilities that can quickly adapt to evolving backdoor signatures. The convergence of geopolitical motives and technical innovation in these campaigns sets a precedent for future state‑backed cyber operations, making proactive defense a strategic imperative.