Obfuscated script in plugin resources | Image: Darktrace
A sophisticated, highly targeted cyber-espionage campaign is actively penetrating corporate and critical infrastructure networks across the Asia-Pacific and Japan (APJ) region.
An intensive threat intelligence report from Darktrace has exposed the operation, attributing the malicious footprint to the prominent Chinese state-sponsored threat actor tracked as Twill Typhoon. By hiding its command-and-control (C2) channels behind the mask of mainstream content delivery networks (CDNs) and leveraging trusted, legitimate business software to execute its payloads, the group has successfully avoided traditional perimeter alarms.
The defining tactical strength of this campaign lies in its reliance on trusted execution frameworks rather than custom-built, signature-heavy software. To slip past static file inspection and endpoint detection and response (EDR) agents, Twill Typhoon relies heavily on DLL sideloading.
Rather than deploying an obviously malicious standalone executable, the threat actors download a perfectly safe, commercially signed binary alongside a poisoned configuration file and a malicious Dynamic Link Library (DLL). When the legitimate application runs, it reads its companion configuration file and inadvertently pulls the malicious code directly into its trusted memory space.
Darktrace researchers observed a highly structured, repeatable blueprint used by the group to compromise hosts:
“Across cases, the same ordered sequence appears: (1) retrieval of a legitimate executable, (2) retrieval of a matching .config file, (3) retrieval of the malicious DLL, (4) repeated DLL downloads over time, and (5) command-and-control (C2) communication. The .config file retrieves a malicious binary, while the legitimate binary provides a legitimate process to run it in.”
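The ordered fetch sequence in that quote is something a proxy log can be searched for directly. The following Python script is an added example written for this article, not Darktrace's tooling: it correlates download events per client and server into the "executable, then its matching .exe.config, then a DLL" chain and counts later re-downloads of the same DLL. The log format, the ten-minute window, the hosts and all file names except dnscfg.dll (which the article names) are constructed for illustration.

```python
"""Correlate proxy-log downloads into the exe -> .exe.config -> DLL sideloading chain.

Added example for this article; not Darktrace's detection logic. The log format, the
10-minute window and the sample hosts/paths are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from posixpath import basename

# Constructed proxy log: "<timestamp> <client> <method> <url>". Hosts and file names are
# invented except "dnscfg.dll", which the article mentions by name.
SAMPLE_PROXY_LOG = """\
2025-09-29T10:00:01 10.0.0.5 GET http://198.51.100.20/files/legit-app.exe
2025-09-29T10:00:04 10.0.0.5 GET http://198.51.100.20/files/legit-app.exe.config
2025-09-29T10:00:09 10.0.0.5 GET http://198.51.100.20/files/dnscfg.dll
2025-09-29T10:05:12 10.0.0.5 GET http://198.51.100.20/files/dnscfg.dll
2025-09-29T10:10:10 10.0.0.5 GET http://198.51.100.20/files/dnscfg.dll
2025-09-29T10:02:00 10.0.0.7 GET http://203.0.113.8/tools/setup.exe
2025-09-29T11:30:00 10.0.0.7 GET http://203.0.113.8/tools/setup.exe.config
2025-09-29T11:31:00 10.0.0.7 GET http://203.0.113.8/tools/helper.dll
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
CHAIN_WINDOW = timedelta(minutes=10)  # assumption: the three fetches land close together


def parse_proxy_log(log_text):
    """Return (timestamp, client, host, path) tuples sorted by time; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, _method, url = m.groups()
        _scheme, _, rest = url.partition("://")
        host, _, path = rest.partition("/")
        events.append((datetime.fromisoformat(ts), client, host.lower(), "/" + path.lower()))
    events.sort()
    return events


def find_sideload_chains(log_text, window=CHAIN_WINDOW):
    """Flag each (client, host) pair where an .exe, its matching .exe.config and then a .dll
    were fetched in that order within `window`; also count later re-downloads of that DLL."""
    by_pair = defaultdict(list)
    for ts, client, host, path in parse_proxy_log(log_text):
        by_pair[(client, host)].append((ts, path))

    findings = []
    for (client, host), evs in by_pair.items():
        for i, (t_exe, p_exe) in enumerate(evs):
            if not p_exe.endswith(".exe"):
                continue
            # .NET application configs are named after the executable: app.exe.config
            cfg_idx = next((j for j in range(i + 1, len(evs))
                            if basename(evs[j][1]) == basename(p_exe) + ".config"
                            and evs[j][0] - t_exe <= window), None)
            if cfg_idx is None:
                continue
            dll_idx = next((j for j in range(cfg_idx + 1, len(evs))
                            if evs[j][1].endswith(".dll")
                            and evs[j][0] - t_exe <= window), None)
            if dll_idx is None:
                continue
            t_dll, p_dll = evs[dll_idx]
            # Step (4) of the sequence: the same DLL pulled again later on
            repeats = sum(1 for _t, p in evs[dll_idx + 1:] if p == p_dll)
            findings.append({
                "client": client,
                "host": host,
                "executable": basename(p_exe),
                "dll": basename(p_dll),
                "chain_seconds": (t_dll - t_exe).total_seconds(),
                "repeat_dll_downloads": repeats,
            })
            break  # one finding per (client, host) pair is enough to raise an alert
    return findings


if __name__ == "__main__":
    for finding in find_sideload_chains(SAMPLE_PROXY_LOG):
        print(finding)
```

Requiring the config name to equal the executable name plus ".config" is what keeps this from firing on every host that downloads an installer and, an hour later, an unrelated DLL: in the sample, the second client's fetches fall outside the window and produce no finding.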
Once the modular .NET Remote Access Trojan (RAT) establishes its foothold in the memory of the compromised system, it must communicate back to the attackers to receive tasks and exfiltrate information.
To hide this outbound traffic, Twill Typhoon completely changes the conventional C2 playbook. Instead of connecting to raw, unverified external IP addresses or newly registered domains—which would immediately trigger security alerts—the malware steers its traffic toward domains specifically engineered to look like mainstream content delivery networks.
Darktrace’s forensic logging captures this stealthy network behavior:
“Beginning in late September 2025, multiple affected hosts were observed making requests to domains impersonating content delivery networks (CDNs), including infrastructure masquerading as Yahoo- and Apple-affiliated services.”
By routing its web queries through endpoints like icloud-cdn[.]net, the malware blends in with standard background traffic, looking to a network administrator like a routine software update or a user browsing a media platform.
The core .NET RAT framework is designed to stay persistent and adapt to changing conditions inside the target network.
Every five minutes, the hijacked process wakes up, calls out to its CDN-masked infrastructure, and checks a text file named version.txt to verify if a new payload is available. If the remote version string matches, the malware downloads a fresh encrypted binary blob named checksum.bin, saving it locally into hidden log paths like C:\ProgramData\USOShared\Logs\checksum.etl.
The malware immediately decrypts this file in memory using Advanced Encryption Standard (AES) with a hardcoded key (POt_L[Bsh0=+@0a.), natively loading the inside assembly. Darktrace records the ultimate stage of this execution tree:
“Checksum.etl is decrypted with AES and loaded into memory, loading another .NET DLL named ‘Client.dll’. This binary is the same as ‘dnscfg.dll’ mentioned at the start and allows the threat actors to update the main framework…”
This architecture allows Twill Typhoon to dynamically swap out its capability modules on the fly—injecting keyloggers, credential dumpers, or lateral movement tools into the active host process without ever needing to restart the primary service or drop new unencrypted files onto the physical hard drive.
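Two behaviours in the preceding paragraphs are observable on the wire without any file signature: the fixed five-minute polling interval, and the destination being a brand name stuffed into an apex the brand does not own. The script below is an added example for this article, not Darktrace's detection logic; it measures the gap between successive requests per client and host and raises a finding when the gaps are regular and the host is a CDN lookalike or the path is one of the update files the article names. The log format, the brand-token and legitimate-apex lists, and the 300-second period with 30-second tolerance are assumptions.

```python
"""Flag fixed-interval beaconing to CDN-lookalike domains and payload-update paths.

Added example for this article; not Darktrace's detection logic. The log format, the
brand-token and legitimate-apex lists and the period/tolerance values are assumptions.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Brand tokens that should not appear inside an apex the brand does not own (assumed list).
BRAND_TOKENS = ("icloud", "apple", "yahoo")
# Apexes treated as genuinely brand-owned here; a real deployment needs a maintained list.
LEGIT_APEX = {"icloud.com", "apple.com", "yahoo.com", "yimg.com"}
# Paths the article describes the RAT polling and fetching.
PAYLOAD_PATHS = {"/version.txt", "/checksum.bin"}

# Constructed HTTP log: "<timestamp> <client> <host> <path>". The lookalike host is the
# (defanged in the article) icloud-cdn[.]net; timings and the second client are invented.
SAMPLE_HTTP_LOG = """\
2025-09-30T08:00:00 10.0.0.5 icloud-cdn.net /version.txt
2025-09-30T08:05:01 10.0.0.5 icloud-cdn.net /version.txt
2025-09-30T08:10:00 10.0.0.5 icloud-cdn.net /version.txt
2025-09-30T08:15:02 10.0.0.5 icloud-cdn.net /checksum.bin
2025-09-30T08:20:00 10.0.0.5 icloud-cdn.net /version.txt
2025-09-30T08:01:00 10.0.0.9 www.apple.com /
2025-09-30T08:37:00 10.0.0.9 www.apple.com /itunes
2025-09-30T09:12:00 10.0.0.9 www.apple.com /
"""


def apex_of(host):
    """Crude apex: the last two labels. Use a public-suffix list in production."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_cdn_lookalike(host):
    """True when a brand token appears in an apex the brand does not own."""
    apex = apex_of(host)
    return apex not in LEGIT_APEX and any(tok in apex for tok in BRAND_TOKENS)


def interval_stats(timestamps):
    """Median gap and gap range (max - min) between consecutive requests, in seconds."""
    ts = sorted(timestamps)
    if len(ts) < 3:
        return None  # too few requests to say anything about periodicity
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return statistics.median(gaps), max(gaps) - min(gaps)


def find_beacons(log_text, period=300.0, tolerance=30.0):
    """Return (client, host) pairs whose requests recur every ~`period` seconds with little
    jitter AND that either hit a CDN-lookalike host or fetch one of PAYLOAD_PATHS."""
    seen = defaultdict(lambda: {"times": [], "paths": set()})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        ts, client, host, path = fields
        rec = seen[(client, host.lower())]
        rec["times"].append(datetime.fromisoformat(ts))
        rec["paths"].add(path)

    findings = []
    for (client, host), rec in seen.items():
        stats = interval_stats(rec["times"])
        if stats is None:
            continue
        median_gap, jitter = stats
        periodic = abs(median_gap - period) <= tolerance and jitter <= tolerance
        lookalike = is_cdn_lookalike(host)
        payload_hits = sorted(rec["paths"] & PAYLOAD_PATHS)
        if periodic and (lookalike or payload_hits):
            findings.append({
                "client": client, "host": host, "median_gap": median_gap,
                "jitter": jitter, "cdn_lookalike": lookalike, "payload_paths": payload_hits,
            })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_HTTP_LOG):
        print(finding)
```

The periodicity test uses the median gap and the gap range rather than the mean, so a single missed poll (a laptop asleep for an hour) does not hide an otherwise regular beacon; the lookalike check deliberately compares the apex rather than the full hostname, because a legitimate CDN hostname such as one under a brand-owned apex is exactly what the attacker's domain is trying to resemble.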
The subtle, living-off-the-land nature of Twill Typhoon’s campaign makes classic signature-based blacklists functionally obsolete. Because the threat leverages legitimate software binaries and trusted CDN-adjacent web paths, network defenders must look for behavioural anomalies.
Corporate security teams are strongly advised to enforce strict application allowlisting to prevent the execution of unvetted binaries in writable directories, closely monitor internal process trees for legitimate system tools loading unverified third-party DLLs, and implement deep packet inspection to flag anomalous or persistent SSL connections targeting newly observed CDN lookalike domains.
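The second of those recommendations, watching for processes that load unverified DLLs, maps onto Sysmon's ImageLoad event (Event ID 7), which records the loading process, the loaded module and its signature state. The script below is an added example for this article, not a Darktrace or Sysmon feature; it triages such records and flags a DLL that sits in a user-writable directory and is either unsigned or co-located with a process running outside the allowlisted program directories. Field names follow the Sysmon ImageLoad schema; the directory lists, the flagging rules and the sample records (which reuse only the dnscfg.dll name and the C:\ProgramData\USOShared\ directory from the article) are constructed.

```python
"""Triage Sysmon Event ID 7 (ImageLoad) records for sideloading-shaped DLL loads.

Added example for this article; not a Darktrace or Sysmon feature. Field names follow
Sysmon's ImageLoad schema; directory lists, rules and sample records are assumptions.
"""
import ntpath

# Directories an unprivileged user can normally write to (assumed, not exhaustive).
WRITABLE_PREFIXES = (r"C:\ProgramData", r"C:\Users")
# Locations an application-allowlisting policy would normally trust (assumed).
TRUSTED_PREFIXES = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")

# Constructed Sysmon ImageLoad records. Paths are invented except for the dnscfg.dll name
# and the C:\ProgramData\USOShared\ directory, both of which the article mentions.
SAMPLE_IMAGE_LOADS = [
    {"Image": r"C:\ProgramData\USOShared\legit-app.exe",
     "ImageLoaded": r"C:\ProgramData\USOShared\dnscfg.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\ProgramData\USOShared\legit-app.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\tool.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\helper.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]


def _norm(path):
    """Case-fold and normalise separators; ntpath works the same on any host OS."""
    return ntpath.normcase(path)


def in_dir(path, prefixes):
    """True when `path` lies under any of `prefixes` (directory boundary respected)."""
    p = _norm(path)
    return any(p.startswith(_norm(prefix) + "\\") for prefix in prefixes)


def triage_image_loads(events):
    """Return findings for DLL loads that look like sideloading from a writable directory."""
    findings = []
    for ev in events:
        proc, dll = ev["Image"], ev["ImageLoaded"]
        reasons = []
        if in_dir(dll, WRITABLE_PREFIXES):
            reasons.append("dll-in-writable-dir")
        if ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus") != "Valid":
            reasons.append("dll-unsigned-or-invalid")
        # The sideloading triad is dropped side by side: DLL next to the process binary,
        # with that binary itself running from outside the allowlisted directories.
        if (ntpath.dirname(_norm(dll)) == ntpath.dirname(_norm(proc))
                and not in_dir(proc, TRUSTED_PREFIXES)):
            reasons.append("dll-colocated-with-untrusted-process")
        # Rule: writable location plus at least one corroborating signal
        if "dll-in-writable-dir" in reasons and len(reasons) >= 2:
            findings.append({"process": proc, "dll": dll, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage_image_loads(SAMPLE_IMAGE_LOADS):
        print(finding)
```

The fourth sample record is signed and valid yet still flagged, because a valid signature on the DLL says nothing about whether the process loading it from a temp directory should be running at all; that is the gap allowlisting closes and why the rule treats co-location with an untrusted process as corroboration in its own right.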