Recent campaigns by Chinese state-sponsored Advanced Persistent Threat (APT) groups, notably Salt Typhoon and Twill Typhoon, reveal a marked escalation in the scope and sophistication of cyber espionage operations. As reported by Bitdefender, Salt Typhoon (also tracked as Earth Estries, FamousSparrow, GhostEmperor, and UNC2286) targeted an Azerbaijani oil and gas company between December 2025 and February 2026, exploiting Microsoft Exchange vulnerabilities like ProxyNotShell to deploy web shells, Deed RAT, and the TernDoor backdoor. This shift in focus to energy infrastructure in Azerbaijan—likely motivated by its growing role in European energy security amid disruptions in Russian gas transit and Strait of Hormuz tensions—signals a broader strategic pivot toward critical infrastructure outside traditional government and tech targets. Meanwhile, Darktrace documented Twill Typhoon (aka Bronze President, Mustang Panda) hitting Asia-Pacific and Japanese entities with a modular .NET-based RAT framework (FDMTP) from September 2025 to April 2026, using impersonated content delivery networks to execute malicious payloads via DLL sideloading.

Beyond the technical details, these campaigns reflect a deeper pattern of Chinese APTs adapting to geopolitical shifts with alarming precision. Azerbaijan’s emergence as a key energy partner for Europe, following the expiration of Russia’s Ukraine gas transit agreement in 2025, aligns with Beijing’s known interest in disrupting or surveilling alternative energy corridors that reduce Western reliance on China-friendly supply chains. This is not a random target; it’s a calculated move to gather intelligence or exert leverage over a pivot point in global energy politics. Similarly, Twill Typhoon’s focus on APJ financial and tech sectors underscores China’s intent to dominate regional economic data flows, potentially as a precursor to influence operations or supply chain disruptions. What the original coverage misses is the connective tissue: these are not isolated incidents but part of a coordinated, state-driven effort to map and manipulate global critical infrastructure—energy, finance, and tech—as leverage in an emerging multipolar order.

Historical patterns reinforce this analysis. Salt Typhoon’s tactics echo its 2021 campaigns against US telecoms, where it exploited unpatched vulnerabilities to sustain long-term access, as detailed in CISA advisories. Twill Typhoon’s modular RAT frameworks mirror Mustang Panda’s 2022 operations against Southeast Asian governments, where plugin-based malware allowed rapid adaptation to detection. What’s new here is the scale and audacity—targeting energy infrastructure in a geopolitically sensitive region like the Caucasus while simultaneously refining tools to evade modern endpoint detection in APJ. The original reporting also underplays the persistence of these APTs: Salt Typhoon’s repeated attempts to redeploy Deed RAT after removal suggest not just technical skill but a strategic imperative to maintain access at all costs, likely driven by high-level directives.

The implications are stark. These campaigns expose gaping vulnerabilities in global critical infrastructure—unpatched Exchange servers remain a weak link despite years of warnings, and legitimate tools like Windows ClickOnce are weaponized with impunity. More critically, they highlight the failure of international cybersecurity frameworks to keep pace with state-sponsored actors who operate with near-impunity. Azerbaijan’s compromise could be a testbed for larger disruptions in European energy security, while APJ financial targets suggest preparation for economic coercion. Without coordinated, preemptive defenses—such as mandatory patch enforcement, cross-border threat intelligence sharing, and sanctions tied to cyber activity—Western and allied nations risk ceding strategic ground in this shadow war.