www.securityweek.com 5/14/2026, 12:30:40 PM

Salt Typhoon hits Azerbaijani energy firm via Exchange exploit

Threat actor: 🇨🇳 GhostEmperor

SecurityWeek reports that Salt Typhoon, also known as Earth Estries, FamousSparrow, GhostEmperor, and UNC2286, has expanded its targeting to include an Azerbaijani energy company, with Bitdefender observing the activity between December 2025 and February 2026. The campaign allegedly marks a departure from Salt Typhoon's typical targeting of government, telecoms, and technology entities across the US, Asia, the Middle East, and Africa, in what Bitdefender describes as a sustained and adaptive operation.

The intrusion chain began with exploitation of a Microsoft Exchange vulnerability, followed by web shell deployment, command execution, DLL sideloading, and backdoor deployment, with the backdoor hidden in a folder mimicking a legitimate LogMeIn Hamachi installation. After compromising the initial host, the attackers used RDP to reach a second server, logged into an administrator account, and deployed Deed RAT; a month later they deployed the TernDoor backdoor, which Cisco's Talos researchers have linked to Salt Typhoon.

At the end of February, the attackers attempted to redeploy Deed RAT using the same execution chain, and redeployed it again later.

Separately, Twill Typhoon, observed by Darktrace from September 2025 through at least April 2026, targeted entities in the APJ region using DLL sideloading and an updated modular .NET-based RAT framework dubbed FDMTP, which provides a range of backdoor capabilities.


Article by CyberSIXT
