Chinese APT Groups Broaden Targets and Enhance Backdoors in Latest Cyber Campaigns

Last updated: 2026-05-15 02:33:02 · Cybersecurity

Introduction

Recent cyber espionage campaigns attributed to state-linked Chinese advanced persistent threat (APT) groups underline evolving operational tactics and an expanding geographical scope. Security researchers have identified two distinct clusters of activity: one targeting an energy organization in Azerbaijan, and another striking multiple Asian entities with a refined remote access trojan (RAT). These operations—tracked under the monikers Salt Typhoon and Twill Typhoon—demonstrate a continued commitment to intelligence gathering and infrastructure compromise.

Source: www.securityweek.com

Salt Typhoon: Azerbaijan Energy Sector Under Fire

The group known as Salt Typhoon has historically concentrated on telecommunications and government networks, but a recent incident shows a pivot to the energy sector. In this campaign, an unidentified energy entity in Azerbaijan was compromised, marking the first known Salt Typhoon operation in the Caucasus region. Analysis suggests the attackers exploited unpatched vulnerabilities to gain initial access, then deployed custom backdoors for persistent surveillance. The compromise aligns with broader Chinese strategic interests in energy infrastructure and regional influence.

Techniques and Tools

Evidence points to Salt Typhoon leveraging a blend of publicly available exploits and proprietary malware. The backdoor observed in this campaign—dubbed EnergySpy by some researchers—features modular architecture, allowing the operators to load additional payloads on demand. Communication with command-and-control (C2) servers is obfuscated using encrypted tunnels, making network detection challenging. The group also employed living-off-the-land techniques, using legitimate system binaries to avoid raising alarms.

Twill Typhoon: Updated RAT Targets Asian Entities

In a parallel effort, Twill Typhoon has been observed striking multiple organizations across Asia—including government agencies, tech firms, and academic institutions—with an upgraded version of its signature remote access trojan. This group, also known as APT40 or Leviathan, is infamous for its aggressive targeting of maritime and defense sectors. The latest iteration of its RAT, internally designated RAT-2024, introduces improvements in evasion, persistence, and data exfiltration capabilities.

Updated RAT Capabilities

The new RAT employs sophisticated anti-analysis techniques such as code obfuscation, delayed execution, and environmental keying to thwart sandbox detection. It also utilizes a dynamic DNS-based C2 infrastructure that rotates domains frequently, complicating sinkholing efforts. Once deployed, the malware can capture keystrokes, take screenshots, exfiltrate documents, and deploy secondary payloads. Notably, the RAT includes a module specifically designed to steal credentials from web browsers and email clients.

Technical Analysis: Backdoor Evolution

Both campaigns share common threads: a reliance on custom backdoors with modular functionality and an emphasis on stealthy, long-term access. The Salt Typhoon backdoor emphasizes network reconnaissance and lateral movement within energy industrial control systems (ICS). In contrast, the Twill Typhoon RAT focuses on comprehensive host-level surveillance. A comparison of malware artifacts reveals overlapping code sections, suggesting potential collaboration or shared tooling between the two groups.

Common Indicators of Compromise (IoCs)

  • Domains: Subdomains mimicking legitimate services (e.g., update.az-energy[.]com, mail.apac-gov[.]org)
  • IPs: Infrastructure hosted on compromised servers in Eastern Europe and Southeast Asia
  • Registry keys: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper
  • File paths: %APPDATA%\Microsoft\Crypto\RSA\S-1-5-21…\dllhost.exe (masquerading)
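Detection logic for the indicators listed above, as an added example (not code from the article or from the researchers it cites): it scans endpoint telemetry records for the SysHelper Run value, dllhost.exe executing from outside System32 or from under the user's RSA key store, and DNS queries to the two lookalike domains. The record format, the sample records and the SID inside them are assumptions constructed for this example; only the indicator values come from the article.

```python
"""Triage endpoint telemetry against the IoC patterns from the article.

Indicator values (SysHelper Run value, dllhost.exe under
%APPDATA%\\Microsoft\\Crypto\\RSA\\, the two lookalike domains) are from the
article; the record format, SID and sample records are constructed.
"""
import re

# Defanged domains from the article, refanged for matching.
SUSPECT_DOMAINS = {"update.az-energy.com", "mail.apac-gov.org"}
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
# dllhost.exe legitimately lives only in System32 / SysWOW64.
LEGIT_DLLHOST = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\dllhost\.exe$")
# %APPDATA% expands to ...\AppData\Roaming; the RSA key store is a data dir, not a program dir.
MASQ_DIR = re.compile(r"\\appdata\\roaming\\microsoft\\crypto\\rsa\\")

def check_record(rec):
    """Return the list of IoC hits for one telemetry record (dict); empty if clean."""
    hits = []
    kind = rec.get("type")
    if kind == "registry_set":
        key = rec.get("key", "").lower()
        if key == RUN_KEY and rec.get("value", "").lower() == "syshelper":
            hits.append("run-key persistence: SysHelper")
    elif kind == "process_create":
        image = rec.get("image", "").lower()
        if image.endswith("\\dllhost.exe") and not LEGIT_DLLHOST.match(image):
            hits.append("dllhost.exe outside System32 (masquerade)")
        if MASQ_DIR.search(image):
            hits.append("executable under user RSA key store")
    elif kind == "dns_query":
        q = rec.get("query", "").lower().rstrip(".")
        if q in SUSPECT_DOMAINS or any(q.endswith("." + d) for d in SUSPECT_DOMAINS):
            hits.append(f"C2 lookalike domain: {q}")
    return hits

def triage(records):
    """Map record id -> hits, keeping only records that matched at least one indicator."""
    return {r["id"]: h for r in records if (h := check_record(r))}

# Constructed sample telemetry; the SID below is made up for the example.
SAMPLE = [
    {"id": 1, "type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "SysHelper"},
    {"id": 2, "type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "OneDrive"},
    {"id": 3, "type": "process_create", "image": r"C:\Windows\System32\dllhost.exe"},
    {"id": 4, "type": "process_create", "image": r"C:\Users\alice\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1111-2222-3333-1001\dllhost.exe"},
    {"id": 5, "type": "dns_query", "query": "update.az-energy.com"},
    {"id": 6, "type": "dns_query", "query": "www.example.org"},
]

if __name__ == "__main__":
    for rid, hits in triage(SAMPLE).items():
        print(rid, hits)
```

Records 1, 4 and 5 are flagged; the legitimate Run value, the real System32 dllhost.exe and the unrelated DNS query pass clean.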

Implications and Recommendations

The expansion into Azerbaijan and the retooling of the Twill Typhoon RAT signal a maturation of Chinese APT capabilities. Energy firms outside traditionally targeted regions must now consider these groups as credible threats. For defenders, this underscores the need for:

  1. Vulnerability management: Prioritize patching known exploits, especially in internet-facing systems.
  2. Network segmentation: Isolate ICS and OT environments from corporate IT networks.
  3. Behavioral detection: Deploy endpoint detection and response (EDR) tools that can spot anomalous process behaviors.
  4. Threat intelligence sharing: Participate in sector-specific ISACs to receive timely IoCs.

Conclusion

Chinese APT groups continue to broaden their targeting scope and refine their cyber arsenal. The recent campaigns by Salt Typhoon and Twill Typhoon illustrate a persistent commitment to intelligence collection for strategic advantage. By understanding these evolving tactics and investing in proactive defenses, organizations can better withstand the growing sophistication of state-sponsored espionage.