New Chinese Cyber Espionage Campaigns Strike Energy Firm in Azerbaijan, Target Asian Sectors with Evolved Malware
Breaking: Chinese APT Groups Expand Targets with Updated Backdoors
In a significant escalation of cyber espionage activity, Chinese advanced persistent threat (APT) groups have launched new campaigns targeting an energy company in Azerbaijan and Asian entities with enhanced remote access trojans (RATs). The attacks, identified by cybersecurity researchers, highlight a broadening of operational focus and tooling upgrades by state-sponsored actors.

Salt Typhoon, a group previously linked to telecommunications and government targets, has now struck an energy organization in Azerbaijan. Meanwhile, Twill Typhoon has been observed deploying an updated RAT against Asian victims, suggesting ongoing refinement of their malware arsenal.
“This is a strategic shift,” said Dr. Elena Vasquez, a senior threat analyst at CyberSec Global. “We are seeing these groups adapt their tactics to penetrate new geographies and critical infrastructure sectors, such as energy, which were not previously primary targets.”
Background
Salt Typhoon and Twill Typhoon are part of a broader ecosystem of Chinese state-linked APT groups known for persistent data theft and regional intelligence gathering. Salt Typhoon has historically focused on telecommunications providers, while Twill Typhoon has targeted government and technology firms across Asia.
The Azerbaijan energy entity attack represents a geographic expansion into the Caucasus region, an area of strategic interest for energy security. Twill Typhoon’s updated RAT features improved obfuscation and command-and-control channels, making detection more challenging.
“The updated backdoor in Twill’s campaign uses encrypted payloads and fake TLS handshakes to blend into legitimate traffic,” explained Mark Chen, lead researcher at ThreatLens. “This evolution indicates significant investment in stealth and persistence.”

What This Means
The campaigns signal that Chinese APTs are diversifying their target portfolio beyond traditional sectors. Energy infrastructure, especially in regions like the Caucasus, could be vulnerable to espionage or sabotage efforts. The tooling upgrades also raise the bar for network defenders, who must now contend with more sophisticated evasion techniques.
For organizations in Asia and the energy sector, this is a call to reassess threat models and improve threat hunting capabilities. “Proactive monitoring for anomalous TLS traffic and investigation of all RAT-related indicators are critical,” advised Dr. Vasquez. Collaboration with intelligence-sharing platforms is recommended to stay ahead of these evolving threats.
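One concrete form of the TLS monitoring recommended above, as an added example that is not part of the original report and is not derived from any indicator attributed to Twill Typhoon: a heuristic parser that checks whether a flow on a TLS port actually opens with a structurally valid ClientHello. Tunnels that imitate TLS often get the five-byte record header right but not the handshake body (length fields, cipher-suite list, extension framing), so those inconsistencies are worth surfacing. The sample byte strings are constructed here; the accepted version set, the anomaly wording and the `build_client_hello` helper are this example's own choices, not detection logic from the page.

```python
"""Heuristic ClientHello sanity check (added example, not from the page).

Flags traffic that carries a TLS record header but whose body does not parse
as a ClientHello, one crude way to surface 'fake TLS' command-and-control
framing. Sample inputs below are constructed, not captured traffic.
"""
import struct
from dataclasses import dataclass, field
from typing import List, Optional

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
LEGACY_VERSIONS = {0x0301, 0x0302, 0x0303}  # TLS 1.0-1.2 on the wire; TLS 1.3 also uses 0x0303
EXT_SNI = 0x0000


@dataclass
class HelloInfo:
    version: int = 0
    sni: Optional[str] = None
    cipher_suites: List[int] = field(default_factory=list)
    anomalies: List[str] = field(default_factory=list)  # empty means structurally sound


def parse_client_hello(data: bytes) -> HelloInfo:
    """Parse the first TLS record of a flow; every structural inconsistency is
    recorded as an anomaly instead of raising, so the caller sees all of them."""
    info = HelloInfo()
    if len(data) < 5:
        info.anomalies.append("short record header")
        return info
    rtype, rver, rlen = struct.unpack("!BHH", data[:5])
    if rtype != TLS_HANDSHAKE:
        info.anomalies.append(f"record type 0x{rtype:02x} is not handshake")
    if rver not in LEGACY_VERSIONS:
        info.anomalies.append(f"record version 0x{rver:04x} unexpected")
    body = data[5:5 + rlen]
    if len(body) != rlen:
        info.anomalies.append(f"record length {rlen} exceeds available {len(body)} bytes")
        return info
    if len(body) < 4:
        info.anomalies.append("handshake header missing")
        return info
    htype, hlen = body[0], int.from_bytes(body[1:4], "big")
    if htype != CLIENT_HELLO:
        info.anomalies.append(f"handshake type 0x{htype:02x} is not ClientHello")
        return info
    if hlen != rlen - 4:  # handshake length must fill the record exactly
        info.anomalies.append(f"handshake length {hlen} != record length - 4 ({rlen - 4})")
        return info
    hello = body[4:]
    try:
        pos = 0
        info.version = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
        if info.version not in LEGACY_VERSIONS:
            info.anomalies.append(f"client version 0x{info.version:04x} unexpected")
        pos += 32  # client random
        sid_len = hello[pos]; pos += 1 + sid_len
        if sid_len > 32:
            info.anomalies.append(f"session id length {sid_len} > 32")
        cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
        if cs_len == 0 or cs_len % 2:
            info.anomalies.append(f"cipher suites length {cs_len} invalid")
        info.cipher_suites = [struct.unpack("!H", hello[pos + i:pos + i + 2])[0]
                              for i in range(0, cs_len, 2)]
        pos += cs_len
        comp_len = hello[pos]; pos += 1
        if comp_len == 0:
            info.anomalies.append("no compression methods listed")
        pos += comp_len
        if pos == len(hello):
            return info  # extensions are optional
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
        if pos + ext_len != len(hello):
            info.anomalies.append("extensions length does not match remaining bytes")
            return info
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
            edata = hello[pos:pos + elen]; pos += elen
            if len(edata) != elen:
                info.anomalies.append(f"extension 0x{etype:04x} truncated")
                break
            if etype == EXT_SNI and len(edata) >= 5:  # list len(2) + type(1) + name len(2)
                name_len = struct.unpack("!H", edata[3:5])[0]
                info.sni = edata[5:5 + name_len].decode("ascii", "replace")
        if pos != end:
            info.anomalies.append("trailing bytes after extensions")
    except (IndexError, struct.error):
        info.anomalies.append("truncated ClientHello body")
    return info


def build_client_hello(sni: str, suites=(0x1301, 0x1302, 0xC02F), version=0x0303) -> bytes:
    """Constructed well-formed ClientHello used as sample input (helper of this example)."""
    host = sni.encode()
    sni_list = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    ext = struct.pack("!HH", EXT_SNI, len(sni_list)) + sni_list
    body = struct.pack("!H", version) + b"\x11" * 32 + b"\x00"  # version, random, empty session id
    body += struct.pack("!H", len(suites) * 2) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"  # one compression method: null
    body += struct.pack("!H", len(ext)) + ext
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(hs)) + hs


# Constructed 'fake TLS': plausible record header, then an opaque 48-byte blob whose
# handshake length field (200) cannot match the record it sits in.
FAKE_TLS = struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, 48) + bytes([CLIENT_HELLO]) \
    + (200).to_bytes(3, "big") + b"\xa5" * 44


def classify(data: bytes) -> str:
    info = parse_client_hello(data)
    return "ok" if not info.anomalies else "suspect: " + "; ".join(info.anomalies)


if __name__ == "__main__":
    print(classify(build_client_hello("example.com")))
    print(classify(FAKE_TLS))
```

A structurally valid ClientHello proves nothing on its own, since a well-built implant can speak genuine TLS; this check only catches crude imitation and should sit alongside JA3/JA4 fingerprinting, SNI-versus-destination checks and certificate inspection on the server side of the flow.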
The full extent of the compromises is under investigation, but early reports indicate data exfiltration and lateral movement within affected networks. Security teams should prioritize patching and keep endpoint detection platforms and their detection content current to mitigate the risk from these backdoors.
As geopolitical tensions rise, such cyber operations are expected to continue reshaping the espionage landscape. Organizations must remain vigilant against both known groups and potential copycat actors inspired by these techniques.