Chinese APTs Expand Targets, Update Backdoors in Recent Campaigns
Chinese state-sponsored APT groups Salt Typhoon and Twill Typhoon have expanded their targeting and updated their backdoor malware in recent campaigns. Salt Typhoon targeted an Azerbaijani energy company using Microsoft Exchange exploits, web shells, DLL sideloading, and RAT backdoors such as Deed RAT and TernDoor. The group demonstrated sustained access attempts and adaptive operations over multiple months. Twill Typhoon targeted Asia-Pacific entities with a modular .NET RAT framework (FDMTP) using DLL sideloading and legitimate Windows components to execute malware. Both campaigns reflect evolving tradecraft and persistent targeting of strategic sectors.
AI Analysis (machine-generated threat intelligence)
Technical Summary
Between December 2025 and February 2026, Salt Typhoon (UNC2286) targeted an Azerbaijani oil and gas company, exploiting Microsoft Exchange vulnerabilities (ProxyNotShell) to deploy web shells, execute commands, and install backdoors including Deed RAT and TernDoor. The attackers used DLL sideloading and masqueraded persistence mechanisms to maintain footholds, later moving laterally via RDP and Impacket tools. The campaign was motivated by Azerbaijan's increased role in European energy security. Concurrently, from September 2025 to at least April 2026, Twill Typhoon (TA416) targeted Asia-Pacific organizations using an updated modular .NET RAT framework (FDMTP) delivered via DLL sideloading and leveraging legitimate binaries and Windows ClickOnce for execution. The RAT supports extensive backdoor capabilities and modular plugin updates, consistent with China-linked APT tradecraft. Both campaigns show adaptive, multi-wave intrusions with repeated access attempts and evolving payloads.
Potential Impact
The campaigns enable persistent unauthorized access to targeted organizations, including critical infrastructure in Azerbaijan and entities in the Asia-Pacific region. The attackers achieved initial compromise via exploitation of Microsoft Exchange vulnerabilities and maintained persistence through sophisticated backdoors and DLL sideloading techniques. The modular RATs allow extensive system control, including command execution, system fingerprinting, registry manipulation, and file retrieval. These intrusions pose risks of espionage, data exfiltration, and potential disruption to strategic sectors such as energy and finance.
Mitigation Recommendations
Patch status is not confirmed in this record; check the vendor advisory for current remediation guidance on the exploited Microsoft Exchange vulnerabilities. Organizations should apply all relevant Microsoft Exchange security updates and monitor for indicators of compromise related to ProxyNotShell and web shell deployment. Given the use of DLL sideloading and masqueraded persistence, endpoint detection and response tooling should be tuned to flag anomalous DLL loads and suspicious service creation. Network segmentation and restricting RDP access can limit lateral movement. Because this record includes no official fix or vendor advisory, continuous monitoring and Exchange security best practices are recommended.
Technical Details
- Article Source: https://www.securityweek.com/chinese-apts-expand-targets-update-backdoors-in-recent-campaigns/ (fetched 2026-05-14T12:21:37.034Z, 1284 words)
Threat ID: 6a05be51ec166c07b0d72416
Added to database: 5/14/2026, 12:21:37 PM
Last enriched: 5/14/2026, 12:21:47 PM
Last updated: 5/14/2026, 1:27:25 PM