Chinese APTs Expand Targets, Update Backdoors in Recent Campaigns
securityweek
China-linked state-sponsored hackers have been observed expanding their targets and updating malicious tools in fresh campaigns that either follow known patterns or adapt to current political events.
Between December 2025 and February 2026, Salt Typhoon, also known as Earth Estries, FamousSparrow, GhostEmperor, and UNC2286, and considered one of the most aggressive Chinese APTs, was seen targeting an Azerbaijani oil and gas company, Bitdefender reports.
The campaign marked a shift from typical Salt Typhoon activity and was apparently aimed at government, telecoms, and technology entities in the US, Asia, the Middle East, and Africa, likely triggered by Azerbaijan’s recently increased role in European energy security.
According to Bitdefender, following the expiration of Russia’s gas transit agreement with Ukraine and the recent Strait of Hormuz disruptions, Azerbaijan has become a strategic energy partner for European countries, putting it in APT crosshairs.
The recently observed intrusion, attributed with moderate-to-high confidence to ...

