Chinese state-sponsored hacking groups Salt Typhoon and Twill Typhoon have been conducting sustained campaigns with updated tools and expanded targets between late 2025 and early 2026. Salt Typhoon notably shifted focus to target an Azerbaijani oil and gas company, exploiting the country's growing importance in European energy security following disruptions in Russian gas transit and the Strait of Hormuz. Both groups demonstrated persistent access techniques, with Salt Typhoon repeatedly deploying backdoors like Deed RAT and TernDoor over multiple months, and Twill Typhoon using a new modular RAT framework disguised through legitimate services across the Asia-Pacific region.