Darktrace researchers have uncovered a suspected China-nexus cyber-espionage campaign linked to the Twill Typhoon threat group targeting organizations across the Asia-Pacific and Japan (APJ) region. The operation, first observed in late September 2025, leveraged CDN impersonation, DLL sideloading, and modular malware delivery to deploy a sophisticated .NET-based remote access trojan (RAT).
According to Darktrace, compromised hosts were seen making HTTP GET requests to domains masquerading as legitimate content delivery network infrastructure, including Yahoo- and Apple-themed lookalike services. The intrusion chain involved attackers delivering a legitimate executable, a matching .config file, and a malicious DLL designed for sideloading into the trusted process.
An observed malware archive called “test.zip” contained the legitimate Chinese IME executable “biz_render.exe” from Sogou Pinyin alongside a malicious DLL named “browser_host.dll.” Because the executable normally loads a DLL of that name through the Windows API function LoadLibraryExW, the attackers were able to hijack execution flow simply by placing the malicious library next to it.
Once executed, the sideloaded DLL downloaded additional components including “dfsvc.exe” and “dnscfg.dll.” The attackers abused dfsvc.exe (a legitimate Microsoft ClickOnce deployment utility) and a modified dfsvc.exe.config file that disabled logging and forced the application to load the malicious dnscfg.dll during initialization through a custom AppDomainManager.
Darktrace said the dnscfg.dll payload, internally identified as “Client.TcpDmtp.dll,” is a heavily obfuscated .NET backdoor that dynamically generates portions of its logic at runtime. The malware communicates with command-and-control (C&C) infrastructure over custom TCP channels using DMTP (Duplex Message Transport Protocol) and appears to be an updated variant of the FDMTP framework, version 3.2.5.1.
To maintain persistence, attackers created a scheduled task pointing to %APPDATA%\Local\Microsoft\WindowsApps\dfsvc.exe. Researchers also observed repeated DLL downloads and ongoing C&C traffic throughout affected environments.
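Two of the indicators above are cheap to hunt for on endpoints: an application .config whose `<runtime>` section names a custom AppDomainManager (how dfsvc.exe was made to load dnscfg.dll), and a scheduled task that launches a Microsoft utility from a user-writable profile directory instead of its install location. The following script is an added example, not Darktrace's or the attackers' code; the sample .config and the type name `dnscfg.Loader` are constructed for illustration, while the `appDomainManagerAssembly`/`appDomainManagerType` elements are the real .NET runtime settings.

```python
import xml.etree.ElementTree as ET

# Constructed sample .exe.config that hands control to a custom AppDomainManager.
# The assembly name mirrors the dnscfg.dll from the report; the type name is made up.
SAMPLE_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="dnscfg, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="dnscfg.Loader" />
  </runtime>
</configuration>
"""

# Markers of user-writable locations. A signed Microsoft binary such as dfsvc.exe
# is installed under the .NET Framework directory, never under a user profile.
USER_WRITABLE = ("%APPDATA%", "%LOCALAPPDATA%", "%TEMP%", "\\APPDATA\\")


def audit_config(xml_text: str) -> list[str]:
    """Return AppDomainManager hijack indicators found in an app .config (empty if clean)."""
    findings = []
    runtime = ET.fromstring(xml_text).find("runtime")
    if runtime is None:
        return findings
    for tag in ("appDomainManagerAssembly", "appDomainManagerType"):
        node = runtime.find(tag)
        if node is not None:
            # Legitimate apps almost never set these; any value deserves review.
            findings.append(f"{tag}={node.get('value', '')}")
    return findings


def is_suspicious_launch(command: str) -> bool:
    """True when a task/service command runs an .exe from a user-writable path."""
    cmd = command.strip().strip('"').upper()
    return cmd.endswith(".EXE") and any(marker in cmd for marker in USER_WRITABLE)


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("config indicator:", finding)
    task_cmd = r"%APPDATA%\Local\Microsoft\WindowsApps\dfsvc.exe"  # path from the report
    print("suspicious task:", is_suspicious_launch(task_cmd))
```

On a real host, feed `audit_config` every `*.exe.config` next to a running process and `is_suspicious_launch` the action of each scheduled task; the two checks together cover the dfsvc.exe persistence described above.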
Although the initial access vector was not directly observed, researchers noted that previous Twill Typhoon intrusions have relied on spear-phishing campaigns.