Chinese state-sponsored cyber groups have been observed expanding their global target set while updating their tooling in recent operations. According to recent cybersecurity reports, these campaigns either follow established patterns or shift in response to current geopolitical developments.
Recent Campaigns Targeting Key Sectors
From December 2025 to February 2026, Salt Typhoon, also identified as Earth Estries, FamousSparrow, and several other aliases, targeted an Azerbaijani oil and gas company, as reported by Bitdefender. This marks a notable shift in Salt Typhoon’s focus, which traditionally involved government and telecom sectors across the US, Asia, the Middle East, and Africa. Azerbaijan’s increasing significance in European energy security, especially after disruptions like the expiration of Russia’s Ukraine gas transit agreement, may have prompted this targeting.
The attack exploited Microsoft Exchange vulnerabilities to deploy web shells and execute commands, eventually leading to DLL sideloading and backdoor deployment. The initial compromise used the ProxyNotShell exploit chain, and for persistence the attackers placed their components in a deceptive folder named after LogMeIn Hamachi, registering services that launched at system startup.
Intricate Tactics and Persistence
Once inside, Salt Typhoon used Remote Desktop Protocol (RDP) to move laterally within the compromised network, gaining administrative access to deploy further malware. A month after the initial cleanup, the attackers re-entered and deployed the TernDoor backdoor, as noted by Cisco Talos researchers. This repeated re-entry highlights the group's persistence and adaptability in maintaining and regaining access.
Bitdefender emphasizes that these actions represent a sustained effort rather than isolated incidents, with the attackers continually revisiting access points and introducing new payloads to strengthen their hold.
Twill Typhoon’s Enhanced Arsenal
Another China-linked group, Twill Typhoon, also known as Bronze President, has been active from September 2025 to at least April 2026, targeting the Asia-Pacific and Japan regions. Darktrace reports this group has upgraded its tools, incorporating a modular .NET-based RAT framework.
Compromised systems frequently communicated with domains mimicking CDNs of companies such as Yahoo and Apple, retrieving both legitimate binaries and malicious components. This sequence, typical of Chinese campaigns, culminates in a new RAT framework called FDMTP being loaded via DLL sideloading. Attacks in late 2025 and early 2026 saw repeated retrievals of malicious components, underlining the group's strategic use of legitimate software such as Visual Studio and Windows ClickOnce for malware deployment.
This modular RAT supports various functions, including system fingerprinting, command execution, and persistence through registry manipulation, showcasing the flexibility and sophistication of China-nexus cyber techniques.
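Both persistence techniques described above (Salt Typhoon's auto-start service in a folder named after a legitimate product, and the FDMTP RAT's registry-based persistence) share a detectable trait: an auto-start entry whose binary sits outside a normal install location while borrowing a well-known product name. The following triage helper is an added example, not code from Bitdefender, Darktrace or Talos; the record fields, trusted directories and brand list are assumptions, and the sample entries are constructed.

```python
"""Flag auto-start entries (services and Run keys) that look like masquerading persistence.

Added example. Records are constructed to resemble Windows Event 7045 (service
installed) and Run-key values; field names and lists below are assumptions.
"""
import re
from dataclasses import dataclass

# Where legitimately installed services normally live (assumed baseline).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\program files", r"c:\program files (x86)")
# Product names an attacker may borrow for a folder or file name. The page mentions
# LogMeIn Hamachi; the others are added purely for illustration.
BRAND_NAMES = ("hamachi", "logmein", "adobe", "google", "microsoft")
USER_WRITABLE = re.compile(r"\\(users|programdata|temp)\\")


@dataclass
class Autostart:
    source: str       # "service" (Event 7045) or "runkey" (...\CurrentVersion\Run)
    name: str
    image_path: str   # full command line as recorded
    start_type: str   # e.g. "auto start" / "demand start"; empty for Run keys


def exe_path(cmd: str) -> str:
    """Extract the executable path from a command line, handling quoted paths."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)].lower()
    return cmd.split(" ")[0].lower()


def flag_autostart(entry: Autostart) -> list[str]:
    """Return the reasons an entry looks suspicious; an empty list means no finding."""
    # Only services that launch at startup matter for the persistence described.
    if entry.source == "service" and "auto" not in entry.start_type.lower():
        return []
    exe = exe_path(entry.image_path)
    if exe.startswith(TRUSTED_DIRS):
        return []
    reasons = [f"binary outside trusted install dirs: {exe}"]
    if any(brand in exe for brand in BRAND_NAMES):
        reasons.append("path borrows a legitimate product name (possible masquerading)")
    if USER_WRITABLE.search(exe):
        reasons.append("binary in a user-writable location")
    return reasons


def triage(entries: list[Autostart]) -> dict[str, list[str]]:
    """Map each flagged entry's name to its reasons, skipping clean entries."""
    return {e.name: r for e in entries if (r := flag_autostart(e))}


SAMPLE = [  # constructed records, not real telemetry
    Autostart("service", "Hamachi2Svc", r'"C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe" -s', "auto start"),
    Autostart("service", "HamachiSvc", r'"C:\ProgramData\LogMeIn Hamachi\svchost.exe" -k', "auto start"),
    Autostart("runkey", "Updater", r"C:\Users\alice\AppData\Roaming\Adobe\update.exe", ""),
    Autostart("service", "Spooler", r"C:\Windows\System32\spoolsv.exe", "auto start"),
    Autostart("service", "DevTool", r"C:\Tools\devtool.exe", "demand start"),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE).items():
        print(name, "->", "; ".join(reasons))
```

Only the two constructed masquerading entries are reported; the real Hamachi install path, the system spooler and the demand-start tool pass because they either live in a trusted directory or do not launch at startup.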
Overall, these campaigns illustrate the evolving tactics of Chinese state-sponsored hackers, emphasizing the importance of robust cybersecurity measures and international cooperation to counter such persistent threats.
