Organizations across Japan and the Asia-Pacific region are facing a surge of cyberattacks attributed to a group known as Twill Typhoon. These attacks, which began in late September 2025, have raised alerts among cybersecurity experts at Darktrace, who note that the attackers employ sophisticated tactics to masquerade as legitimate services, including familiar brands like Apple and Yahoo.
The intrusion was initially identified when multiple computers started linking to counterfeit websites designed to mimic content delivery networks (CDNs). A report released today elaborated on this incident, revealing that a finance company became a target in April 2026. During this breach, the attackers maintained access to the organization’s systems for 11 days using deceptive addresses such as yahoo-cdn.it.com.
Mechanism of the Attack
The cybercriminals rely on a technique known as DLL sideloading, which tricks a genuine, trusted application into loading a malicious library that has been placed alongside it. A notable example cited by researchers involved a ZIP file titled test.zip, which contained a legitimate Chinese typing tool called Sogou Pinyin. When users ran this benign program, it loaded a disguised file named browser_host.dll from the same location, allowing the attackers to seize control.
Further investigation confirmed that the hackers abuse legitimate Windows utilities in the same way to evade detection. They leveraged common components such as the Windows update tool dfsvc.exe and the developer utility vshost.exe. Because these are recognized elements of the operating system, they often fail to trigger security alerts, enabling the attackers to gather sensitive information, including user identities, installed antivirus solutions, and hardware specifications immediately after infiltrating the system.
Maintaining Access
Researchers believe that the hackers aim to sustain prolonged access to the compromised systems, employing a framework known as FDMTP. This framework enables them to dispatch new commands and updates to the infected machines. A specific file discovered, called dnscfg.dll, functions as a remote control, allowing attackers to introduce additional modules, such as Assist.dll or Persist.WpTask.dll, for diverse tasks.
To avoid losing access post-reboot, the intruders establish scheduled tasks and obscure code within the computer’s registry. This setup allows the malware to periodically check in with a fraudulent domain, icloud-cdn.net, to receive updated commands every five minutes. Researchers have noted that the design of these intrusions does not rely on a single entry point, which provides the attackers flexibility to modify or replace their tools, thereby remaining undetected for extended periods. Darktrace emphasizes that understanding the attackers’ behavior is crucial in counteracting their activities.
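The sideloading pattern from the Mechanism of the Attack section and the lookalike-CDN check-ins described here translate directly into detection logic. The following is an added example, not code from Darktrace or the article; the trusted-directory allowlist, the brand-to-domain map, the SogouPinyin.exe file name and every event path are assumptions, and the sample events are constructed.

```python
import statistics
from pathlib import PureWindowsPath

# Assumed allowlist: directories from which a properly installed DLL is normally loaded.
TRUSTED_DIRS = ("c:/windows/system32", "c:/windows/syswow64", "c:/windows/microsoft.net",
                "c:/program files", "c:/program files (x86)")
# Brands the article says were impersonated, mapped to an assumed set of genuine registrable domains.
BRAND_APEX = {"yahoo": {"yahoo.com"}, "icloud": {"icloud.com", "apple.com"}, "apple": {"apple.com"}}

def _parent(path: str) -> str:
    """Lower-cased, forward-slash parent directory of a Windows path."""
    return PureWindowsPath(path).parent.as_posix().lower()

def is_sideload(host_exe: str, loaded_dll: str, dll_signed: bool) -> bool:
    """Flag the sideloading shape described above: a DLL loaded from outside the trusted
    install directories that is either unsigned (browser_host.dll beside Sogou Pinyin)
    or pulled in by a binary that itself lives in a trusted directory (dfsvc.exe or
    vshost.exe loading from a user-writable path)."""
    if _parent(loaded_dll).startswith(TRUSTED_DIRS):
        return False
    return (not dll_signed) or _parent(host_exe).startswith(TRUSTED_DIRS)

def is_lookalike_cdn(fqdn: str) -> bool:
    """Flag hostnames that carry a brand name but sit under a registrable domain the brand
    does not own (yahoo-cdn.it.com, icloud-cdn.net). The two-label registrable-domain
    rule is a simplification; a public-suffix list would be more precise."""
    labels = fqdn.lower().rstrip(".").split(".")
    registrable = ".".join(labels[-2:])
    return any(brand in label for brand, apexes in BRAND_APEX.items()
               for label in labels if registrable not in apexes)

def is_periodic_beacon(epochs: list, period_s: float = 300.0,
                       tolerance_s: float = 15.0, min_hits: int = 5) -> bool:
    """Flag a low-jitter check-in cadence; the article reports a five-minute period."""
    if len(epochs) < min_hits:
        return False
    gaps = [b - a for a, b in zip(epochs, epochs[1:])]
    return (abs(statistics.median(gaps) - period_s) <= tolerance_s
            and statistics.pstdev(gaps) <= tolerance_s)

if __name__ == "__main__":
    # Constructed events, not real telemetry; SogouPinyin.exe is an assumed file name.
    print(is_sideload(r"C:\Users\u\Downloads\test\SogouPinyin.exe",
                      r"C:\Users\u\Downloads\test\browser_host.dll", dll_signed=False))  # True
    print(is_lookalike_cdn("yahoo-cdn.it.com"), is_lookalike_cdn("cdn.apple.com"))       # True False
    print(is_periodic_beacon([0, 301, 599, 903, 1200, 1498]))                              # True
```

The beacon check expects the DNS or proxy timestamps for one host and one destination already grouped together; feed it per-pair lists from your own logs.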
Cybersecurity Perspectives
Cybersecurity leaders have expressed their views on this evolving threat landscape, highlighting how these attacks are adapting over time. Jason Soroko, a Senior Fellow at Sectigo, pointed out that these hackers are increasingly manipulating the trust users place in everyday applications. He noted, “Modern intrusions closely mimic typical developer behavior, leading to rapid degradation of traditional static indicators of compromise.” Soroko advises security teams to focus more on identifying behavioral patterns rather than merely cataloging harmful files.
Shane Barney, Chief Information Security Officer at Keeper Security, concurred that the adaptability of the attackers is alarming, especially as they manage to maintain prolonged access while continuously evolving their methods. He emphasized the necessity for organizations to monitor and regulate access effectively to mitigate potential damage in the event of a system breach.
Furthermore, Heath Renfrow, Co-Founder and CISO at Fenix24, warned that these operations are engineered for resilience, capable of persevering even if certain aspects of the attack are neutralized. He cautions that as technology becomes more automated, those relying solely on traditional defense mechanisms may find it increasingly challenging to safeguard their operations.