
Silk Typhoon Targets IT Supply Chain in Evolving Cyber Campaign

By Kirsten Doyle | March 6, 2025 | 5 Mins Read

Microsoft Threat Intelligence has warned of a shift in tactics by Silk Typhoon, a Chinese espionage group that is now exploiting vulnerabilities in common IT solutions—including remote management tools and cloud applications—to gain initial access to target entities.  

The software giant says it has not observed direct attacks against its cloud services, but has seen the group exploiting unpatched applications to escalate access and conduct malicious activities within compromised networks. 

Once inside, Silk Typhoon uses stolen credentials to get a foothold in customer environments, abusing a range of deployed applications—including Microsoft services—for cyberespionage. 

A Well-Resourced and Expansive Threat 

Silk Typhoon is among the most technically capable Chinese state-affiliated cyber groups, with a proven ability to quickly exploit zero-day vulnerabilities in edge devices. Its operations span multiple sectors and regions, targeting IT services, remote monitoring and management (RMM) companies, managed service providers (MSPs), healthcare, legal services, higher education, defense, government, NGOs, and energy sectors—mostly in the US but globally, too. 

Since Microsoft began tracking Silk Typhoon in 2020, the group has employed sophisticated techniques, including using web shells to execute commands, maintain persistence, and exfiltrate data from victims’ networks. The group’s expertise in cloud environments enables it to move laterally, sustain prolonged access, and quickly exfiltrate sensitive data. 

Supply Chain Compromise 

Since late last year, Microsoft has tracked ongoing supply chain attacks linked to the group, in which it exploited stolen API keys and credentials from privileged access management (PAM) platforms, cloud app providers, and cloud data management companies.  

By compromising these entities, the attackers gained access to downstream customer environments, conducting reconnaissance and data collection on state and local governments and IT service providers. 

Key attack methods include abusing stolen API keys to access downstream customers; performing reconnaissance and data collection using admin accounts; resetting default admin accounts; implanting web shells; creating additional user accounts; and clearing logs. 
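One way a defender could turn that list of post-compromise steps into a simple correlation check, written as an added example for this article (not Microsoft's code, nor the author's): it flags any single actor who resets an admin password, creates a new user and clears the audit log within one hour. The audit events, actor names and action labels are constructed for the example, not taken from a real log source.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (not from any real system). Each event is a
# (timestamp, actor, action) triple loosely modelling the activity the article
# lists: API-key authentication, resetting default admin accounts, creating
# extra user accounts and clearing logs.
SAMPLE_EVENTS = [
    ("2025-01-14T02:01:10", "svc-pam-integration", "api_key_auth"),
    ("2025-01-14T02:03:41", "svc-pam-integration", "admin_password_reset"),
    ("2025-01-14T02:05:02", "svc-pam-integration", "user_create"),
    ("2025-01-14T02:09:55", "svc-pam-integration", "audit_log_clear"),
    ("2025-01-14T09:15:00", "alice.admin", "admin_password_reset"),
    ("2025-01-15T11:40:00", "alice.admin", "user_create"),
    ("2025-01-14T13:00:00", "bob.ops", "user_create"),
]

# Each action is routine on its own; all three by one actor inside a short
# window is the persistence-and-cleanup pattern worth an analyst's attention.
PATTERN = {"admin_password_reset", "user_create", "audit_log_clear"}
WINDOW = timedelta(hours=1)


def flag_actors(events, pattern=PATTERN, window=WINDOW):
    """Return actors whose actions cover every step of `pattern` within `window`."""
    by_actor = defaultdict(list)
    for ts, actor, action in events:
        by_actor[actor].append((datetime.fromisoformat(ts), action))
    flagged = []
    for actor, acts in by_actor.items():
        acts.sort()  # chronological order per actor
        # Slide a window starting at each event; flag on the first full match.
        for i, (start, _) in enumerate(acts):
            seen = {a for t, a in acts[i:] if t - start <= window}
            if pattern <= seen:
                flagged.append(actor)
                break
    return flagged


if __name__ == "__main__":
    print(flag_actors(SAMPLE_EVENTS))  # ['svc-pam-integration']
```

The window and action set are parameters, so the same check can be widened (a longer window, a web-shell upload event added to the pattern) without changing the logic.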

Silk Typhoon has also gained access through password spraying and other password abuse methods. It has been observed leveraging leaked corporate credentials from public repositories like GitHub to authenticate into enterprise environments. 

The group often exploits zero-day vulnerabilities in IT and identity management solutions. In January 2025, the group leveraged a zero-day vulnerability (CVE-2025-0282) in Ivanti Pulse Connect VPN, allowing it to breach multiple entities before Microsoft reported the exploit. 

Once inside a business’s on-premises environment, Silk Typhoon moves laterally to cloud environments, targeting Active Directory (AD) and key vaults to steal credentials and escalate privileges. It has also targeted Microsoft AADConnect (now Entra Connect), which synchronizes on-premises AD with Entra ID (formerly Azure AD). In this way, the group gains control over both on-prem and cloud environments, enabling further espionage. 

The threat actor uses covert networks composed of compromised or leased devices to slip through the security nets. These networks often include compromised Cyberoam appliances, Zyxel routers, and QNAP devices, providing the attackers with anonymized infrastructure for staging and executing attacks. 

Mitigation and Defense Strategies 

Casey Ellis, Founder at Bugcrowd, says Silk Typhoon’s shift to targeting widely-used IT management and cloud services introduces specific technical challenges for defenders. “Its approach leverages the inherent trust organizations place in their IT and cloud infrastructure, effectively expanding the attack surface to include interconnected supply chains and third-party applications. Defenders must now implement and observe stronger visibility and access controls within these environments while ensuring rapid detection and response capabilities against unauthorized activities involving privileged credentials, API keys, and compromised service principals.” 

The group usually looks for data aligned with Chinese geopolitical interests, aimed at sensitive materials such as government policies, legal documentation, intellectual property, and strategic intelligence across a slew of sectors, including government, healthcare, IT infrastructure, and energy. “Its target selection demonstrates strategic intent rather than purely opportunistic behavior.” 

What sets Silk Typhoon apart from other espionage groups is its technical proficiency in rapidly exploiting recently disclosed zero-day vulnerabilities and efficiently employing covert networks—made up of compromised or leased infrastructure—to conceal its operational footprint. “These techniques complicate detection and attribution, emphasizing the need for defenders to continuously monitor and secure high-risk assets,” Ellis adds.  

Living off the Land 

Living off the Land tactics are not new to the nation-state scene, nor to Silk Typhoon and other Chinese actor groups, adds Ken Dunham, Cyber Threat Director at Qualys. These tactics have been popular for some time now, particularly in the past two years, because they are harder to detect and because the tools involved are commonly available and powerful, letting adversaries weaponize them within their kill web for maximum effectiveness coupled with defensive evasion. 

Dunham says defenders cannot spot LotL-based threats and abuse as easily as they spot malware. “Living off the land forces SecOps to be able to spot malicious abuse of a legitimate authorized tool, possibly even by an authorized identity that is compromised (without their knowledge). These threats are also trusted and integrated, giving more depth and breadth to adversaries than traditional tactics, often increasing effectiveness, speed of attack and impact.” 

Leaving Flaws Unpatched 

Attackers can rapidly exploit VPN and secure-access vulnerabilities, yet many entities leave these flaws unpatched well after they become known, comments Saeed Abbasi, Manager, Vulnerability Research at Qualys. “Vulnerabilities in VPNs and secure-access tools often linger for extended periods, creating a significant window of opportunity for attackers. These flaws are typically exploited well before organizations can fully address them, leaving networks exposed to potential breaches. This gap between exploitation and remediation emphasizes the urgent need for faster patching and more proactive security measures. 

“To counter this, security teams must act swiftly—identifying their vulnerable assets and using attack surface management, prioritizing critical patches, updating equipment, enforcing multi-factor authentication (MFA), disabling unused features, and shielding administrative access from public exposure,” Abbasi ends. 

Kirsten Doyle, Information Security Buzz News Editor

Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
