Obfuscated script in plugin resources | Image: Darktrace
A cyber espionage campaign attributed to Twill Typhoon is actively targeting organizations across the Asia-Pacific region, according to Darktrace researchers. The group hosts its command infrastructure on domains that mimic legitimate cloud and content delivery services, and it deploys a custom .NET remote access trojan (RAT) to keep persistent access inside compromised corporate networks. Because the implant runs largely in memory and its network indicators rotate, defenders need to recognise it by behaviour rather than by static indicators.
Unveiling the Intrusion Chain
The operators build their infrastructure so that command-and-control traffic looks routine. Data is routed through domains that impersonate popular content delivery networks and masquerade as Yahoo and Apple services, so the traffic blends in with normal web activity. According to Darktrace, the activity began in late September 2025. Lookalike domains of this kind often carry no negative reputation at the time they are used, so defenders cannot rely on domain reputation lists alone to catch this traffic.
The Sideloading Sequence
To establish a foothold the attackers follow a consistent sequence. First, a legitimate executable is retrieved from external infrastructure. Next, the host downloads a matching configuration file together with the malicious payload, a DLL placed where the legitimate executable will load it in preference to the real library (DLL side-loading). Because the process that runs is a trusted binary, controls that validate only the executable do not catch the malicious library. Darktrace reported the same execution pattern across all affected customer environments.
Analyzing the .NET Payload Architecture
When the legitimate binary launches, it loads the malicious DLL into its own address space, and that DLL bootstraps a modular RAT framework written in Microsoft .NET. The malware tracks its own version with a marker file named version.txt and creates a system mutex so that only one instance runs at a time. A single quiet instance keeps the implant's footprint small, and the modular design lets the operators run additional components without writing further files to disk.
Memory-Only Code Execution
The backdoor's core functionality runs from memory. The framework reads the encrypted payload stored in a local file named checksum.etl, decrypts it with AES and, in Darktrace's words, “loads the decrypted assembly directly from memory via Assembly.Load(byte[])”. The decrypted module therefore never exists on disk; only the encrypted blob does, and the resulting library is added to the already-running trusted process without any further file write.
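When an analyst recovers the AES key from the loader and decrypts checksum.etl, the first question is whether the plaintext is really something Assembly.Load(byte[]) could consume: that call accepts only a managed PE image (a native DLL raises BadImageFormatException), and a wrong key produces bytes with no MZ stub at all. The triage check below is an added example, not Darktrace's code or the campaign's loader. It assumes the AES decryption has already been done outside this block and takes the plaintext bytes; the sample image is a hand-built PE32 header skeleton, not a real assembly.

```python
"""Triage a decrypted payload: confirm it is a managed (.NET) assembly before analysing it further.

Added example; not Darktrace's code. AES decryption of checksum.etl is assumed to have happened
already with a key recovered from the loader, so describe_pe() takes plaintext bytes. The sample
image built by build_sample_image() is a minimal constructed PE32 header, not a real assembly.
"""
import struct

PE_SIGNATURE = b"PE\0\0"
CLR_DIRECTORY_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: non-zero only for managed images


def describe_pe(blob: bytes) -> dict:
    """Return is_pe / is_managed plus the machine type and the CLR header directory entry."""
    info = {"is_pe": False, "is_managed": False, "machine": 0, "clr_rva": 0, "clr_size": 0}
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return info                      # wrong key or not a PE at all: no DOS stub
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return info
    coff = e_lfanew + 4                  # IMAGE_FILE_HEADER, 20 bytes
    opt = coff + 20                      # IMAGE_OPTIONAL_HEADER follows it
    if len(blob) < opt + 2:
        return info
    info["machine"] = struct.unpack_from("<H", blob, coff)[0]
    magic = struct.unpack_from("<H", blob, opt)[0]
    if magic == 0x10B:                   # PE32: NumberOfRvaAndSizes at +92, DataDirectory at +96
        ndirs_off, dirs_off = 92, 96
    elif magic == 0x20B:                 # PE32+: at +108 / +112
        ndirs_off, dirs_off = 108, 112
    else:
        return info
    info["is_pe"] = True
    entry = opt + dirs_off + 8 * CLR_DIRECTORY_INDEX
    if len(blob) >= entry + 8:
        ndirs = struct.unpack_from("<I", blob, opt + ndirs_off)[0]
        if ndirs > CLR_DIRECTORY_INDEX:
            rva, size = struct.unpack_from("<II", blob, entry)
            info["clr_rva"], info["clr_size"] = rva, size
            info["is_managed"] = rva != 0 and size != 0
    return info


def build_sample_image(managed: bool) -> bytes:
    """Constructed minimal PE32 image (headers only, 16 data directories) for demonstration."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew -> PE signature
    # Machine=i386, 1 section, no symbols, optional header size 224, Characteristics=DLL|EXE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                           # NumberOfRvaAndSizes
    if managed:
        struct.pack_into("<II", opt, 96 + 8 * CLR_DIRECTORY_INDEX, 0x2008, 0x48)  # CLR header RVA/size
    return bytes(dos) + PE_SIGNATURE + coff + bytes(opt)


if __name__ == "__main__":
    for label, blob in (("managed", build_sample_image(True)),
                        ("native", build_sample_image(False)),
                        ("garbage", b"\x00" * 64)):
        print(label, describe_pe(blob))
```

In practice the plaintext is handed to describe_pe() straight after decryption; a result with is_pe set but is_managed clear means the loader could not have used Assembly.Load on it, which usually signals a wrong key, a wrong mode or a second encryption layer rather than a native payload.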
Command and Control Mechanics
After setup, the backdoor registers with its command-and-control (C2) server by calling a specific application endpoint; Darktrace describes “C2 registration via /GetCluster” as the step that precedes receiving instructions. The framework then polls the server for updated payloads, extending its capabilities over time. That update loop, together with the version.txt marker, points to an implant built for long-term access rather than a one-off intrusion.
Broader Context and Tradecraft Patterns
The tradecraft matches previously documented state-sponsored activity; Darktrace notes that “this approach is consistent with broader China-nexus tradecraft”. Such groups routinely build modular intrusion chains around legitimate, dual-use commercial applications, which is precisely what side-loading through a trusted executable achieves. Command infrastructure and file indicators, however, rotate quickly during live operations, so detection should anchor on behaviour rather than on static indicators.
Strengthening Organizational Defense
Defenders should build behavioural baselines around the chain described above: a legitimate executable downloaded to an unusual location and launched from there; that executable loading a DLL from its own directory instead of a system path; and outbound connections to unfamiliar domains that merely resemble content delivery networks, especially ones requesting a path such as /GetCluster and then polling on a schedule. File-based scanning will not see the decrypted module because it exists only in memory, so process and network telemetry matter more than disk artefacts here. As Darktrace puts it, “detection anchored to individual indicators will degrade quickly”.
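The network side of that baseline (the /GetCluster registration in the C2 section above, the brand-lookalike domains, and the steady polling for updates) can be checked against proxy logs with a short script. The following is an added example, not Darktrace's detection and not the campaign's infrastructure: the log lines are constructed in a simple space-separated shape, the domains are invented sample data, and the allowlist of brand domains is a partial illustration that a real deployment would take from its own inventory.

```python
"""Flag C2-style traffic in proxy logs: registration to a /GetCluster endpoint, hosts that borrow a
trusted brand name without being under that brand's registrable domain, and regular polling.

Added example; not Darktrace's detection. Log lines are constructed in the shape
'timestamp src_ip method host path status'; every domain below is invented sample data.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Registrable domains the brands legitimately use. Any host carrying the brand name outside these
# is treated as a lookalike. Partial list for illustration only (assumption, not an authoritative set).
BRAND_APEXES = {
    "yahoo": ("yahoo.com",),
    "apple": ("apple.com", "icloud.com"),
}
REGISTRATION_PATHS = ("/getcluster",)   # the registration endpoint named in the report
MIN_POLLS = 4                           # fewer requests than this cannot establish a cadence
MAX_JITTER = 0.2                        # stdev/mean of the gaps; lower means more machine-like


def parse_line(line: str) -> dict:
    ts, src, method, host, path, status = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "src": src,
            "method": method, "host": host.lower(), "path": path, "status": int(status)}


def _under_apex(host: str, apex: str) -> bool:
    return host == apex or host.endswith("." + apex)


def lookalike_brand(host: str):
    """Return the brand a host borrows without belonging to that brand's domains, else None.
    The substring match is deliberately broad; tune BRAND_APEXES rather than the match."""
    for brand, apexes in BRAND_APEXES.items():
        if brand in host and not any(_under_apex(host, a) for a in apexes):
            return brand
    return None


def analyse(lines) -> list:
    """Return sorted, de-duplicated findings as (kind, src, host, detail) tuples."""
    findings = set()
    series = defaultdict(list)          # (src, host) -> request timestamps
    for rec in map(parse_line, lines):
        if rec["path"].lower().startswith(REGISTRATION_PATHS):
            findings.add(("c2_registration", rec["src"], rec["host"], rec["path"]))
        brand = lookalike_brand(rec["host"])
        if brand:
            findings.add(("brand_lookalike", rec["src"], rec["host"], brand))
        series[(rec["src"], rec["host"])].append(rec["ts"])
    for (src, host), stamps in series.items():
        if len(stamps) < MIN_POLLS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean < MAX_JITTER:
            findings.add(("regular_polling", src, host, round(mean)))
    return sorted(findings)


# Constructed sample proxy log: one host registers, then polls every ten minutes; the rest is noise.
SAMPLE_LOG = [
    "2025-09-28T10:00:00Z 10.0.0.12 GET cdn-yahoo-static.example /GetCluster 200",
    "2025-09-28T10:10:00Z 10.0.0.12 GET cdn-yahoo-static.example /update 200",
    "2025-09-28T10:20:00Z 10.0.0.12 GET cdn-yahoo-static.example /update 200",
    "2025-09-28T10:30:00Z 10.0.0.12 GET cdn-yahoo-static.example /update 200",
    "2025-09-28T10:40:00Z 10.0.0.12 GET cdn-yahoo-static.example /update 200",
    "2025-09-28T10:03:00Z 10.0.0.12 GET www.yahoo.com / 200",
    "2025-09-28T10:04:00Z 10.0.0.7 GET www.apple.com / 200",
    "2025-09-28T10:05:00Z 10.0.0.7 GET example.org /index.html 200",
    "2025-09-28T10:17:00Z 10.0.0.7 GET example.org /news 200",
    "2025-09-28T10:52:00Z 10.0.0.7 GET example.org /about 200",
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

Each rule is weak on its own (brand names appear in legitimate third-party hosts, and plenty of software polls on a timer), which is why the script reports them separately: a single source that trips registration, lookalike and cadence against the same host is the combination worth escalating.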