Chinese APTs Expand Targets, Update Backdoors in Recent Campaigns
Briefly

"Between December 2025 and February 2026, Salt Typhoon, also known as Earth Estries, FamousSparrow, GhostEmperor, and UNC2286, and considered one of the most aggressive Chinese APTs, was seen targeting an Azerbaijani oil and gas company, Bitdefender reports."
"The recently observed intrusion, attributed with moderate-to-high confidence to Salt Typhoon, started with Microsoft Exchange vulnerability exploitation, followed by web shell deployment, command execution, DLL sideloading, and backdoor deployment."
"In December, the threat actor used the ProxyNotShell exploit chain for code execution on Exchange servers, deployed web shells to establish a foothold, and then deployed the Deed RAT via an updated DLL sideloading technique."
"After compromising the initial host, the attackers abused RDP to access a second server, logged in to an administrator account, and then deployed Deed RAT, likely as part of hands-on keyboard activity. Next, they used Impacket tools to compromise a third host."
China-linked Salt Typhoon campaigns expanded targets and updated malicious tooling between December 2025 and February 2026. The activity targeted a range of government, telecoms, and technology organizations across the US, Asia, the Middle East, and Africa, including an Azerbaijani oil and gas company. The shift was linked to Azerbaijan’s growing role in European energy security amid changes in Russia’s Ukraine gas transit arrangements and disruptions affecting the Strait of Hormuz. Intrusions began with Microsoft Exchange vulnerability exploitation, followed by web shell deployment, command execution, DLL sideloading, and backdoor deployment. The backdoor used a folder mimicking LogMeIn Hamachi and persistence via a masqueraded service. After initial compromise, attackers used RDP for lateral movement, then deployed Deed RAT and used Impacket tools to compromise additional hosts.
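The chain summarised above (RDP logon to a server, then a backdoor persisted as a service whose name mimics LogMeIn Hamachi) is something a defender can look for in Windows event logs. The script below is an added example written for this brief; it is not code from Bitdefender or SecurityWeek and contains no indicators from the report. It applies two heuristics to constructed System/Security log records: a service-install event (ID 7045) whose name is Hamachi-branded but whose binary is outside the expected install directory or under a user-writable path, and a service install that follows a type-10 (RDP) logon on the same host within a short window. The expected Hamachi install directories, the writable-directory list and the sample events are all assumptions made for the example.

```python
"""Flag masqueraded service installs and RDP-then-service sequences.

Added example for the Salt Typhoon brief; not from the original report.
Event records are modelled loosely on Windows Event IDs 7045 (service
installed) and 4624 (logon, LogonType 10 = RemoteInteractive/RDP).
"""
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Assumed legitimate install locations for LogMeIn Hamachi (assumption, not from the report).
EXPECTED_HAMACHI_DIRS = (
    r"C:\Program Files (x86)\LogMeIn Hamachi",
    r"C:\Program Files\LogMeIn Hamachi",
)

# Locations a freshly installed service binary should rarely live in (assumed list).
WRITABLE_DIRS = (r"C:\ProgramData", r"C:\Users", r"C:\Windows\Temp", r"C:\inetpub")


def is_under(path: str, base: str) -> bool:
    """Case-insensitive 'path is inside base' check for Windows paths."""
    p = str(PureWindowsPath(path)).lower()
    b = str(PureWindowsPath(base)).lower().rstrip("\\") + "\\"
    return p.startswith(b)


def binary_from_image_path(image_path: str) -> str:
    """Extract the executable from a service ImagePath.

    Handles '"C:\\dir with spaces\\svc.exe" -arg' and 'C:\\dir\\svc.exe -arg'.
    An unquoted path containing spaces is truncated at the first space (known limit).
    """
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', image_path)
    return m.group(1) or m.group(2)


def service_install_findings(event: dict) -> list[str]:
    """Return reasons a 7045 record looks like a masqueraded service (empty if clean)."""
    reasons = []
    names = f"{event.get('ServiceName', '')} {event.get('DisplayName', '')}".lower()
    binary = binary_from_image_path(event["ImagePath"])
    if "hamachi" in names and not any(is_under(binary, d) for d in EXPECTED_HAMACHI_DIRS):
        reasons.append("Hamachi-branded service installed outside the expected LogMeIn Hamachi directory")
    if any(is_under(binary, d) for d in WRITABLE_DIRS):
        reasons.append(f"service binary under a user-writable location: {PureWindowsPath(binary).parent}")
    return reasons


def rdp_then_service(events: list[dict], window: timedelta = timedelta(minutes=30)) -> list[tuple]:
    """Pair each service install with a preceding RDP logon on the same host within `window`."""
    rdp_logons = [e for e in events if e["EventID"] == 4624 and e.get("LogonType") == 10]
    hits = []
    for svc in (e for e in events if e["EventID"] == 7045):
        for lg in rdp_logons:
            if lg["Host"] == svc["Host"] and timedelta(0) <= svc["Time"] - lg["Time"] <= window:
                hits.append((svc["Host"], svc["ServiceName"], lg["Account"]))
                break
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4624, "Host": "SRV02", "Account": r"CORP\admin", "LogonType": 10,
     "Time": datetime(2026, 1, 12, 9, 14)},
    {"EventID": 7045, "Host": "SRV02", "ServiceName": "LogMeIn Hamachi Tunneling Engine",
     "DisplayName": "LogMeIn Hamachi Tunneling Engine", "StartType": "auto start",
     "ImagePath": r'"C:\ProgramData\LogMeIn Hamachi\hamachi-2.exe"',
     "Time": datetime(2026, 1, 12, 9, 19)},
    {"EventID": 4624, "Host": "SRV01", "Account": r"CORP\ops", "LogonType": 10,
     "Time": datetime(2026, 1, 12, 6, 0)},
    {"EventID": 7045, "Host": "SRV01", "ServiceName": "Hamachi2Svc",
     "DisplayName": "LogMeIn Hamachi Tunneling Engine", "StartType": "auto start",
     "ImagePath": r'"C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe" -s',
     "Time": datetime(2026, 1, 12, 9, 0)},
]


def run(events: list[dict] = SAMPLE_EVENTS) -> list[str]:
    """Produce human-readable alerts for the given events."""
    alerts = [f"{e['Host']}: {e['ServiceName']}: {r}"
              for e in events if e["EventID"] == 7045
              for r in service_install_findings(e)]
    alerts += [f"{host}: service '{svc}' installed shortly after RDP logon by {acct}"
               for host, svc, acct in rdp_then_service(events)]
    return alerts


if __name__ == "__main__":
    for line in run():
        print(line)
```

The first heuristic catches the masquerade itself (the name says Hamachi, the path does not); the second catches the sequence regardless of what the service is called, which matters because the next campaign will pick a different brand to imitate. In production both checks belong on a SIEM over real 7045/4624 telemetry rather than on a static list.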
Read at SecurityWeek