[TIMESTAMP: 2026-05-14 12:47 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

Salt Typhoon and Twill Typhoon Expand Operations via Updated Backdoors

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Chinese state-sponsored actors are targeting Azerbaijan's energy sector and Asian government entities to establish long-term persistence and exfiltrate sensitive industrial intelligence.
  • [02] Systems at risk include those with exposed web services, outdated remote access software, and environments lacking multi-factor authentication and logging.
  • [03] Security teams must prioritize hunting for SparrowDoor indicators and implementing strict network segmentation to disrupt the exfiltration of critical infrastructure data.

Recent intelligence reports, according to SecurityWeek, highlight a significant geographic and technical expansion of Chinese APT activity. Specifically, two prominent threat clusters—Salt Typhoon and Twill Typhoon—have refreshed their technical arsenals to target critical infrastructure in Azerbaijan and various government sectors across Asia. This shift indicates a heightened focus on strategic intelligence gathering within the energy sector and regional geopolitical interests.

Analysis of Salt Typhoon’s Azerbaijan Campaign

Salt Typhoon, a sophisticated threat actor often associated with the group known as GhostEmperor or FamousSparrow, has been identified targeting a major energy entity in Azerbaijan. This operation marks a notable diversification of their typical target profile, moving deeper into the Caspian region’s industrial controls and energy management interests. The group typically employs the SparrowDoor backdoor, a custom malware strain that provides the attackers with full control over the compromised system, including file manipulation and shell execution.

How to Detect SparrowDoor Backdoor Activity

Defenders hunting for SparrowDoor backdoor activity should focus on identifying anomalous service creation and unexpected network connections to uncommon C2 IP ranges. Salt Typhoon frequently uses a service-based persistence mechanism, often masquerading as a legitimate Windows update service or driver utility. Monitoring for unauthorized API calls to the Windows Service Control Manager is a high-fidelity detection signal for uncovering this backdoor before it facilitates lateral movement within the internal network.
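As an added illustration of the service-creation hunting described above (this is example code, not from the original article or any vendor, and not a SparrowDoor signature): a small Python triage routine over constructed records shaped like Windows System log Event ID 7045 ("A service was installed in the system"). It flags new services whose name borrows Windows Update or driver vocabulary while the binary lives outside the usual trusted directories, or that auto-start as LocalSystem from a user-writable path. The masquerade vocabulary, trusted and writable directory lists, and all sample values are assumptions chosen for the example.

```python
import re

# Constructed sample records shaped like Event ID 7045 fields; the values are invented.
SAMPLE_EVENTS = [
    {"ServiceName": "wuauserv", "ImagePath": r"C:\Windows\system32\svchost.exe -k netsvcs -p",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"ServiceName": "WindowsUpdateHelper", "ImagePath": r"C:\ProgramData\Intel\wuhelper.exe",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"ServiceName": "NvDriverSvc", "ImagePath": r"C:\Users\Public\nvdrv.exe -s",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"ServiceName": "AcmeBackup", "ImagePath": r'"C:\Program Files\Acme\backup.exe" -svc',
     "StartType": "demand start", "AccountName": r"NT AUTHORITY\LocalService"},
]

# Assumed vocabulary an update/driver-themed masquerade would borrow.
MASQUERADE_WORDS = re.compile(r"(update|wuau|driver|drv|intel|nvidia)", re.I)
# Directories where a legitimate auto-started SYSTEM service binary is expected (assumption).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
                r"c:\program files", r"c:\program files (x86)")
# User- or world-writable locations where a persistence binary is unexpected (assumption).
WRITABLE_DIRS = (r"c:\users\public", r"c:\programdata", r"\appdata\local\temp", r"c:\windows\temp")

def image_file(image_path):
    """Drop service arguments and surrounding quotes; return the lowercased executable path."""
    m = re.match(r'^("[^"]+"|\S+)', image_path.strip())
    return (m.group(1) if m else image_path).strip('"').lower()

def score_service_event(ev):
    """Return the list of heuristics this 7045-style event trips (empty if none)."""
    path = image_file(ev["ImagePath"])
    in_trusted = path.startswith(TRUSTED_DIRS)
    reasons = []
    if MASQUERADE_WORDS.search(ev["ServiceName"]) and not in_trusted:
        reasons.append("update/driver-themed name but binary outside trusted directories")
    if any(w in path for w in WRITABLE_DIRS):
        reasons.append("binary in user/world-writable location")
    if ev["StartType"].startswith("auto") and ev["AccountName"] == "LocalSystem" and not in_trusted:
        reasons.append("auto-start as LocalSystem from untrusted path")
    return reasons

def hunt(events):
    """Map service name -> reasons for every event that trips at least one heuristic."""
    findings = {}
    for ev in events:
        reasons = score_service_event(ev)
        if reasons:
            findings[ev["ServiceName"]] = reasons
    return findings

if __name__ == "__main__":
    for name, reasons in hunt(SAMPLE_EVENTS).items():
        print(f"[SUSPECT] {name}: {'; '.join(reasons)}")
```

In practice the same three checks apply to Event ID 4697 (Security log) records and to Sysmon service-creation telemetry; legitimate vendor services in non-standard paths will need an allow-list.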

Twill Typhoon’s Updated Backdoor Operations in Asia

Twill Typhoon (also tracked as TAG-74 or Earth Estries) has simultaneously intensified its operations across Asia. This group is known for its focus on government, defense, and research institutions. Recent telemetry suggests that the group has updated its custom Remote Access Trojan (RAT) variants to bypass modern EDR solutions. These updates focus on obfuscating the communication protocols between the infected host and the attacker-controlled C2 infrastructure.

Twill Typhoon's exfiltration campaigns against Asian government targets often begin with the compromise of edge-facing applications. Once inside, the actors deploy a multi-stage loading process designed to minimize the footprint on disk. By staying resident in memory, the updated backdoors significantly reduce the likelihood of detection by traditional signature-based security tools. The objective remains clear: the long-term collection of diplomatic communications and sensitive national security data.

Defending Against Salt Typhoon Energy Sector Targeting

As the threat landscape shifts toward critical infrastructure, organizations must move beyond reactive security measures. Salt Typhoon's energy-sector targeting often exploits vulnerabilities in external-facing assets or uses stolen credentials to bypass the perimeter. To mitigate these risks, organizations should prioritize the following actions:

  • Comprehensive Logging: Ensure that all endpoint and network logs are centralized in a SIEM to allow for the correlation of subtle IoC signals that may indicate a stealthy backdoor.
  • Identity Security: Implement Zero Trust principles, particularly for administrative access. Multi-factor authentication (MFA) must be enforced across all remote access points to prevent credential-based entry.
  • Network Segmentation: Isolate industrial control systems and sensitive data repositories from general business networks to prevent an initial APT compromise from reaching mission-critical assets.

The expansion of these Chinese-nexus actors suggests a long-term commitment to maintaining visibility within foreign energy and government sectors. Continuous monitoring and proactive threat hunting are the only reliable defenses against these evolving state-sponsored backdoors.
