China-Linked Twill Typhoon Campaign Impersonates Apple and Yahoo to Deliver FDMTP Malware


Security Researchers Uncover Sophisticated Twill Typhoon Espionage Campaign

In a recent study, cybersecurity firm Darktrace has identified a complex espionage operation attributed to the group known as Twill Typhoon, targeting organizations in Japan and the Asia-Pacific region.

Campaign Overview

  • The campaign began in late September 2025 and relies on fake websites and infrastructure that mimic well-known services such as Apple and Yahoo.
  • The attackers deploy the FDMTP malware framework to gain, and then keep, unauthorized access to victim systems.

Fake Websites and Content Delivery Networks (CDNs)

The intrusion typically begins with the victim host connecting to attacker-controlled infrastructure that poses as a content delivery network (CDN), using hostnames such as “yahoo-cdn.it.com.” Because the name echoes a brand the victim already trusts, the traffic blends in with ordinary CDN requests and is easy to overlook in proxy or DNS logs.
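The hostname pattern above is detectable: a brand name appears as a label of the queried name, but the registrable domain (the part the owner actually controls, “it.com” here) does not belong to that brand. The following is an added example, not code from the report or from Darktrace, that applies that check to resolver log lines. The brand allowlist, the hand-picked public-suffix entries, the log format and every name other than yahoo-cdn.it.com are assumptions constructed for the example.

```python
import re

# Legitimate registrable domains for each impersonated brand. These few entries
# are an assumption of this example; a deployment would load its own vetted list.
BRAND_DOMAINS = {
    "yahoo": {"yahoo.com", "yahoo.co.jp"},
    "apple": {"apple.com", "icloud.com"},
}

# Multi-label public suffixes needed by the sample data. Production code should
# use the full Public Suffix List rather than this hand-picked set.
MULTI_LABEL_SUFFIXES = {"co.jp", "co.uk", "com.au"}


def registrable_domain(hostname):
    """Return the owner-controlled part of a hostname (e.g. 'it.com' for
    'yahoo-cdn.it.com'); everything left of it is chosen by whoever owns it."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand_tokens(hostname):
    """Split on dots and hyphens so 'yahoo-cdn' yields 'yahoo' while
    'applebees' does not yield 'apple' (keeps false positives down)."""
    return {t for t in re.split(r"[.-]", hostname.lower()) if t}


def lookalike_brand(hostname):
    """Return the brand a hostname impersonates, or None if it is legitimate."""
    reg = registrable_domain(hostname)
    tokens = brand_tokens(hostname)
    for brand, legit_domains in BRAND_DOMAINS.items():
        if brand in tokens and reg not in legit_domains:
            return brand
    return None


# Constructed resolver log format: timestamp, client IP, queried name, type.
LOG_RE = re.compile(r"client=(?P<client>\S+)\s+qname=(?P<qname>\S+)")


def scan_dns_log(lines):
    """Return one hit per query whose name borrows a brand it does not own."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        qname = m["qname"].lower().rstrip(".")
        brand = lookalike_brand(qname)
        if brand:
            hits.append({
                "client": m["client"],
                "qname": qname,
                "brand": brand,
                "registrable": registrable_domain(qname),
            })
    return hits


# Constructed sample log lines; only yahoo-cdn.it.com comes from the report.
SAMPLE_LOG = [
    "2025-09-29T10:12:03Z client=10.0.4.21 qname=yahoo-cdn.it.com type=A",
    "2025-09-29T10:12:05Z client=10.0.4.21 qname=cdn.apple.com type=A",
    "2025-09-29T10:13:41Z client=10.0.7.8 qname=www.yahoo.co.jp type=AAAA",
    "2025-09-29T10:14:02Z client=10.0.7.8 qname=apple-id.support.example type=A",
    "2025-09-29T10:15:17Z client=10.0.2.3 qname=www.applebees.example type=A",
    "2025-09-29T10:16:00Z client=10.0.2.3 qname=pineapple-cdn.example type=A",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(f"{hit['client']} queried {hit['qname']} "
              f"(looks like {hit['brand']}, actually under {hit['registrable']})")
```

Matching whole labels rather than substrings is deliberate: a substring match would flag applebees and pineapple-cdn as Apple lookalikes, while the label match still catches yahoo-cdn and apple-id. Swap the suffix set for the real Public Suffix List before running this against production DNS telemetry, or multi-label suffixes you have not listed will be mis-split.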

DLL Sideloading and Malicious Files

Once the victim host reaches the fake CDN, the attackers use DLL sideloading: a legitimate, signed executable is dropped alongside a malicious DLL that carries a file name the executable expects to load. Because Windows searches an application's own directory before the system directories, the trusted process loads the attacker's DLL, and the malicious code then runs under that process's name and signature.

According to the researchers, the host applications abused include Sogou Pinyin, a Chinese input method editor, and Microsoft-signed .NET tooling binaries such as dfsvc.exe (the ClickOnce deployment service) and vshost.exe (the Visual Studio hosting process), whose valid signatures help the implant stay undetected on the system.
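The sideloading pattern just described leaves a characteristic trace in image-load telemetry: a signed executable loads a DLL from its own directory, and that DLL is either unsigned or signed by someone other than the executable's publisher. The following is an added example, not code from the report or from Darktrace, that scores such records. The record fields are modelled loosely on Sysmon Event ID 7 with the host process's signer added as an enrichment; the field names, the standard install roots and every path, signer string and status value in the samples are assumptions made for the example, while dfsvc.exe, vshost.exe, dnscfg.dll and Assist.dll are names taken from the report.

```python
import ntpath

# Roots where a legitimately installed, signed executable is expected to live.
# An assumption of this example; extend for other drives or sanctioned paths.
STANDARD_ROOTS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def _dir_of(path):
    """Lower-cased parent directory of a Windows path, with a trailing slash."""
    return ntpath.normcase(ntpath.dirname(path)).rstrip("\\") + "\\"


def _in_standard_root(directory):
    return any(directory.startswith(root) for root in STANDARD_ROOTS)


def assess_image_load(evt):
    """Score one image-load record for DLL sideloading.

    Field names are this example's own (loosely after Sysmon Event ID 7 plus
    the host process's signer), not an official schema."""
    image_dir = _dir_of(evt["image"])
    dll_dir = _dir_of(evt["dll"])
    reasons = []

    adjacent = image_dir == dll_dir
    if adjacent:
        reasons.append("DLL loaded from the executable's own directory")

    dll_trusted = evt["dll_signed"] and evt["dll_sig_status"] == "Valid"
    if not dll_trusted:
        reasons.append("DLL is unsigned or its signature is invalid")
        foreign = True
    elif evt["dll_signer"] != evt["image_signer"]:
        reasons.append("DLL signer differs from the executable's signer")
        foreign = True
    else:
        foreign = False

    # Sideloading needs both: the DLL sits beside the host binary, and it does
    # not carry the host's own publisher signature.
    if not (adjacent and foreign):
        return {"verdict": "benign", "severity": None, "reasons": reasons}

    severity = "medium"
    if not _in_standard_root(image_dir):
        # A signed binary copied into a user-writable folder is the textbook
        # sideloading setup, so rank it above the same pattern in Program Files.
        severity = "high"
        reasons.append("signed executable running outside standard install roots")
    return {"verdict": "sideload_suspect", "severity": severity, "reasons": reasons}


def hunt(events):
    """Return the suspicious loads, in the order seen, with their assessments."""
    findings = []
    for evt in events:
        result = assess_image_load(evt)
        if result["verdict"] == "sideload_suspect":
            findings.append({"image": evt["image"], "dll": evt["dll"], **result})
    return findings


# Constructed sample records; paths, signers and statuses are made up.
SAMPLE_EVENTS = [
    {  # copied Microsoft binary in a user-writable folder loads an unsigned DLL
        "image": r"C:\Users\Public\Libraries\dfsvc.exe",
        "image_signer": "Microsoft Corporation",
        "dll": r"C:\Users\Public\Libraries\dnscfg.dll",
        "dll_signed": False, "dll_signer": None, "dll_sig_status": "Unavailable",
    },
    {  # the same binary from a system location loading a system DLL
        "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe",
        "image_signer": "Microsoft Corporation",
        "dll": r"C:\Windows\System32\kernel32.dll",
        "dll_signed": True, "dll_signer": "Microsoft Corporation", "dll_sig_status": "Valid",
    },
    {  # third-party app loading its own vendor-signed plugin
        "image": r"C:\Program Files\ExampleVendor\Editor.exe",
        "image_signer": "Example Vendor Ltd",
        "dll": r"C:\Program Files\ExampleVendor\plugin.dll",
        "dll_signed": True, "dll_signer": "Example Vendor Ltd", "dll_sig_status": "Valid",
    },
    {  # same app, but an unsigned DLL has appeared beside it
        "image": r"C:\Program Files\ExampleVendor\Editor.exe",
        "image_signer": "Example Vendor Ltd",
        "dll": r"C:\Program Files\ExampleVendor\dnscfg.dll",
        "dll_signed": False, "dll_signer": None, "dll_sig_status": "Unavailable",
    },
    {  # Microsoft binary in Temp loads a validly signed DLL from another publisher
        "image": r"C:\Users\alice\AppData\Local\Temp\vshost.exe",
        "image_signer": "Microsoft Corporation",
        "dll": r"C:\Users\alice\AppData\Local\Temp\Assist.dll",
        "dll_signed": True, "dll_signer": "Some Other Publisher", "dll_sig_status": "Valid",
    },
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['image']} -> {f['dll']}: " + "; ".join(f["reasons"]))
```

Requiring the DLL to sit in the executable's own directory is what keeps this from flagging every third-party shell extension or input method that a Microsoft process legitimately loads from elsewhere; the signer comparison then separates a vendor's own plugin (benign, third sample) from a stranger's DLL that has been planted beside the binary (fourth and fifth samples).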

Persistence and Remote Control

To maintain persistence and control, the attackers rely on the FDMTP framework, which lets them push new commands and updates to the infected system.

The “dnscfg.dll” file acts as the remote-control component, allowing the operators to load additional plugins, such as “Assist.dll” or “Persist.WpTask.dll,” for specific tasks.

Recommendations and Expert Insights

Researchers emphasize that the campaign succeeds by blending into legitimate activity: trusted, signed binaries do the loading and brand-like hostnames carry the traffic, so file hashes and domain indicators of compromise alone are a weak basis for detection.

Jason Soroko, a Senior Fellow at Sectigo, recommends shifting the focus from detecting individual malicious files to recognizing behavioral execution sequences.
Shane Barney, the Chief Information Security Officer at Keeper Security, notes the importance of managing access and monitoring to limit potential damage in case of a system compromise.
Heath Renfrow, Co-Founder and CISO at Fenix24, warns that organizations relying solely on outdated defense mechanisms will struggle to stay secure as technology becomes increasingly automated.
