Executive Summary:
Microsoft Threat Intelligence has identified a shift in tactics by Silk Typhoon, a Chinese espionage group. The group now targets common IT solutions, such as remote management tools and cloud applications, to gain initial access. While they have not been observed directly targeting Microsoft cloud services, they exploit unpatched applications to elevate their access in targeted organizations and conduct further malicious activities. After compromising a victim, Silk Typhoon uses stolen keys and credentials to infiltrate customer networks, where they can abuse various applications, including Microsoft services, to achieve their espionage objectives. Our latest blog post explains how Microsoft security solutions detect these threats and offers mitigation guidance to raise awareness and strengthen defenses against Silk Typhoon’s activities.

Silk Typhoon is a well-resourced and technically efficient Chinese state actor with a large targeting footprint. The group’s activities indicate an opportunistic approach, leveraging vulnerability scanning operations to quickly identify and exploit public-facing devices. As a result, Silk Typhoon has targeted various sectors and geographic regions, including IT services, remote monitoring and management companies, healthcare, legal services, higher education, defense, government, and non-governmental organizations.

Silk Typhoon has demonstrated proficiency in understanding cloud environments, allowing them to move laterally, maintain persistence, and exfiltrate data quickly within victim environments. Since Microsoft Threat Intelligence began tracking this threat actor in 2020, Silk Typhoon has utilized various web shells to execute commands, maintain persistence, and exfiltrate data from victim environments.

Microsoft has directly notified targeted or compromised customers, providing them with essential information to secure their environments. This blog post aims to raise awareness of Silk Typhoon’s recent and long-standing malicious activities, provide mitigation and hunting guidance, and disrupt the threat actor’s operations.

Recent Silk Typhoon Activity

Supply Chain Compromise

Microsoft Threat Intelligence has conducted thorough research on Silk Typhoon’s ongoing attacks, enhancing our understanding of the actor’s operations and uncovering new tradecraft. Specifically, Silk Typhoon was observed abusing stolen API keys and credentials associated with privilege access management, cloud app providers, and cloud data management companies. This allowed the threat actor to access downstream customer environments.

  • Silk Typhoon used stolen API keys to access downstream customers/tenants of the initially compromised company.
  • Leveraging access obtained via the API key, the actor performed reconnaissance and data collection on targeted devices via an admin account.
  • Additional tradecraft identified included resetting default admin accounts, web shell implants, creation of additional users, and clearing logs of actor-performed actions.
  • The victims of this downstream activity were largely in the state and local government and IT sectors.

Password Spray and Abuse

Silk Typhoon has also gained initial access through successful password spray attacks and other password abuse techniques. The threat actor leveraged leaked corporate passwords on public repositories, such as GitHub, and successfully authenticated to corporate accounts. This demonstrates the importance of password hygiene and multifactor authentication (MFA) on all accounts.
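The password-spray pattern described above (one source trying a small set of passwords against many accounts) is straightforward to surface from sign-in logs. The following is an added example, not code from the original post or from Microsoft: it runs a sliding-window check over a constructed set of sign-in records and then lists the accounts that successfully authenticated from a flagged source, which are the ones to reset first. The record shape and the `50126` result code (assumed here to mean invalid credentials, as in Entra ID sign-in logs) are assumptions to check against your own log schema.

```python
"""Flag password-spray sources in sign-in records and the accounts that then
succeeded from those sources. Records are constructed for this example; the
resultType code 50126 is assumed to denote an invalid username or password
(as in Entra ID sign-in logs), so verify it against your own tenant's logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed sign-in error codes that indicate a wrong password (see module note).
INVALID_CREDENTIAL_CODES = {"50126"}
SUCCESS_CODE = "0"

# Constructed sample log: 203.0.113.10 fails against six distinct accounts in
# under four minutes and then succeeds for one of them; 198.51.100.7 is a single
# user mistyping a password twice before getting in.
SAMPLE_SIGNINS = [
    {"time": "2025-02-01T09:00:00Z", "user": "a.lee@contoso.example", "ip": "203.0.113.10", "resultType": "50126"},
    {"time": "2025-02-01T09:00:40Z", "user": "b.kim@contoso.example", "ip": "203.0.113.10", "resultType": "50126"},
    {"time": "2025-02-01T09:01:20Z", "user": "c.ng@contoso.example", "ip": "203.0.113.10", "resultType": "50126"},
    {"time": "2025-02-01T09:02:00Z", "user": "d.ray@contoso.example", "ip": "203.0.113.10", "resultType": "50126"},
    {"time": "2025-02-01T09:02:40Z", "user": "e.cho@contoso.example", "ip": "203.0.113.10", "resultType": "50126"},
    {"time": "2025-02-01T09:03:20Z", "user": "f.ali@contoso.example", "ip": "203.0.113.10", "resultType": "50126"},
    {"time": "2025-02-01T09:05:00Z", "user": "d.ray@contoso.example", "ip": "203.0.113.10", "resultType": "0"},
    {"time": "2025-02-01T09:00:10Z", "user": "g.ito@contoso.example", "ip": "198.51.100.7", "resultType": "50126"},
    {"time": "2025-02-01T09:00:30Z", "user": "g.ito@contoso.example", "ip": "198.51.100.7", "resultType": "50126"},
    {"time": "2025-02-01T09:00:50Z", "user": "g.ito@contoso.example", "ip": "198.51.100.7", "resultType": "0"},
]


def _ts(record):
    """Parse the record's UTC timestamp."""
    return datetime.strptime(record["time"], "%Y-%m-%dT%H:%M:%SZ")


def spray_sources(records, min_users=5, window=timedelta(minutes=10)):
    """Return source IPs from which at least `min_users` distinct accounts failed
    with an invalid-credential code inside some `window`-long interval.
    Many users per source distinguishes a spray from one user's typos."""
    failures = defaultdict(list)  # ip -> [(timestamp, user), ...]
    for r in records:
        if r["resultType"] in INVALID_CREDENTIAL_CODES:
            failures[r["ip"]].append((_ts(r), r["user"]))

    flagged = []
    for ip, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users_in_window = {u for t, u in events[i:] if t - start <= window}
            if len(users_in_window) >= min_users:
                flagged.append(ip)
                break
    return sorted(flagged)


def successes_after_spray(records, **kwargs):
    """Successful sign-ins from a flagged spray source that occur at or after that
    source's first failure: the accounts most likely to have been guessed."""
    sprayers = set(spray_sources(records, **kwargs))
    first_failure = {}
    for r in records:
        if r["ip"] in sprayers and r["resultType"] in INVALID_CREDENTIAL_CODES:
            t = _ts(r)
            first_failure[r["ip"]] = min(t, first_failure.get(r["ip"], t))

    hits = []
    for r in records:
        if (r["ip"] in sprayers and r["resultType"] == SUCCESS_CODE
                and _ts(r) >= first_failure[r["ip"]]):
            hits.append((r["ip"], r["user"]))
    return sorted(hits)


if __name__ == "__main__":
    print("spray sources:", spray_sources(SAMPLE_SIGNINS))
    print("successes from spray sources:", successes_after_spray(SAMPLE_SIGNINS))
```

The thresholds are deliberately parameters: a low `min_users` catches slow sprays but raises noise from shared egress addresses, so tune them against a baseline of your own sign-in volume, and treat any success from a flagged source as a credential reset plus MFA review rather than as a closed alert.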

Silk Typhoon TTPs

Initial Access

Silk Typhoon has pursued initial access attacks against targets of interest through the development of zero-day exploits or targeting vulnerable third-party services and software providers. The group has also been observed gaining initial access via compromised credentials, focusing on IT providers, identity management, privileged access management, and remote monitoring and management solutions.

In January 2025, Silk Typhoon was observed exploiting a zero-day vulnerability in the Ivanti Pulse Connect VPN (CVE-2025-0282). Microsoft Threat Intelligence reported the activity to Ivanti, leading to a rapid fix for the critical vulnerability.

Lateral Movement to Cloud

Once a victim has been successfully compromised, Silk Typhoon utilizes common tactics to move laterally from on-premises environments to cloud environments. The threat actor targets Microsoft AADConnect servers, which synchronize on-premises Active Directory with Entra ID (formerly Azure AD). A successful compromise of these servers could allow the actor to escalate privileges, access both on-premises and cloud environments, and move laterally.

Manipulating Service Principals/Applications

Silk Typhoon abuses service principals and OAuth applications with administrative permissions to perform email, OneDrive, and SharePoint data exfiltration via MS Graph. The threat actor gains access to an application that was already consented within the tenant, harvests email data, and adds their own passwords to the application.

Use of Covert Networks

Silk Typhoon utilizes covert networks to obfuscate their malicious activities. The threat actor was observed using a covert network comprising compromised Cyberoam appliances, Zyxel routers, and QNAP devices.

Historical Silk Typhoon Zero-Day Exploitation

Since 2021, Silk Typhoon has targeted and compromised vulnerable unpatched Microsoft Exchange servers, GlobalProtect Gateway on Palo Alto Networks firewalls, Citrix NetScaler appliances, Ivanti Pulse Connect Secure appliances, and others.

GlobalProtect Gateway on Palo Alto Networks Firewalls

In March 2024, Silk Typhoon used a zero-day exploit for CVE-2024-3400 in GlobalProtect Gateway on Palo Alto Networks firewalls to compromise multiple organizations.

Citrix NetScaler ADC and NetScaler Gateway

In early 2024, Microsoft began to observe Silk Typhoon exploiting zero-day vulnerabilities in Citrix NetScaler ADC and NetScaler Gateway, including CVE-2023-3519.

Microsoft Exchange Servers

In January 2021, Microsoft began to observe Silk Typhoon exploiting zero-day vulnerabilities in Microsoft Exchange Server, including CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.

Hunting Guidance

To help mitigate and surface various aspects of recent Silk Typhoon activities, Microsoft recommends the following:

  • Inspect log activity related to Entra Connect servers for anomalous activity.
  • Where targeted applications have highly privileged accounts, inspect service principals for newly created secrets (credentials).
  • Identify and analyze any activity related to newly created applications.
  • Identify all multi-tenant applications and scrutinize authentications to them.
  • Analyze any observed activity related to the use of Microsoft Graph or eDiscovery, particularly for SharePoint or email data exfiltration.
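Two of the hunting steps above (inspecting service principals for newly created secrets, and analyzing newly created applications) map directly onto the service principal abuse described earlier, where the actor adds their own credentials to an already-consented application. The following is an added example, not code from the original post or from Microsoft: it reviews a constructed set of Entra ID audit log records, lists credential additions and new application registrations, and flags any actor who did both within a short window. The `operationName` strings are assumptions modelled on Entra audit activity names, so confirm them against your own tenant's audit log before relying on them.

```python
"""Review Entra ID audit log records for the service principal and application
changes the hunting guidance calls out. The sample records are constructed and
the operationName strings are assumptions modelled on Entra audit activity
names; verify them against your own tenant's audit log first."""
from collections import defaultdict
from datetime import datetime, timedelta

# Activities that add a secret or certificate to an app or service principal (assumed names).
CREDENTIAL_OPERATIONS = {
    "Add service principal credentials",
    "Update application – Certificates and secrets management",
}
# Activities that register a new application object (assumed name).
NEW_APP_OPERATIONS = {"Add application"}

# Constructed sample log: one actor adds a secret to an existing, already-consented
# app and registers a new app minutes later; a second actor does routine admin work.
SAMPLE_AUDIT_LOG = [
    {"time": "2025-02-01T09:00:00Z", "operationName": "Add service principal credentials",
     "initiatedBy": "svc-backup@contoso.example", "target": "BackupSyncApp"},
    {"time": "2025-02-01T09:03:00Z",
     "operationName": "Update application – Certificates and secrets management",
     "initiatedBy": "svc-backup@contoso.example", "target": "BackupSyncApp"},
    {"time": "2025-02-01T09:10:00Z", "operationName": "Add application",
     "initiatedBy": "svc-backup@contoso.example", "target": "Graph Helper"},
    {"time": "2025-02-01T11:00:00Z", "operationName": "Update user",
     "initiatedBy": "admin@contoso.example", "target": "jdoe"},
    {"time": "2025-02-02T15:00:00Z", "operationName": "Add service principal credentials",
     "initiatedBy": "admin@contoso.example", "target": "HRConnector"},
]


def _ts(record):
    """Parse the record's UTC timestamp."""
    return datetime.strptime(record["time"], "%Y-%m-%dT%H:%M:%SZ")


def credential_additions(records):
    """Every record that adds a secret or certificate to an app or service principal."""
    return [r for r in records if r["operationName"] in CREDENTIAL_OPERATIONS]


def new_applications(records):
    """Every record that registers a new application."""
    return [r for r in records if r["operationName"] in NEW_APP_OPERATIONS]


def burst_actors(records, window=timedelta(minutes=30)):
    """Actors who both added a credential and registered an application within
    `window` of each other. Each action alone is ordinary admin work; the two
    together in a short span match the tradecraft described in the post."""
    by_actor = defaultdict(lambda: {"cred": [], "app": []})
    for r in records:
        if r["operationName"] in CREDENTIAL_OPERATIONS:
            by_actor[r["initiatedBy"]]["cred"].append(_ts(r))
        elif r["operationName"] in NEW_APP_OPERATIONS:
            by_actor[r["initiatedBy"]]["app"].append(_ts(r))

    flagged = []
    for actor, times in by_actor.items():
        if any(abs(c - a) <= window for c in times["cred"] for a in times["app"]):
            flagged.append(actor)
    return sorted(flagged)


def review_audit_log(records):
    """Summarise the findings the hunting guidance asks for."""
    return {
        "credential_targets": sorted({r["target"] for r in credential_additions(records)}),
        "new_apps": sorted(r["target"] for r in new_applications(records)),
        "burst_actors": burst_actors(records),
    }


if __name__ == "__main__":
    for key, value in review_audit_log(SAMPLE_AUDIT_LOG).items():
        print(f"{key}: {value}")
```

Every credential added to a highly privileged application deserves a look regardless of who added it; the burst check is a triage aid that orders the queue, not a substitute for reviewing each addition against a change record.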

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics to automatically match malicious domain indicators mentioned in this blog post with data in their workspace.

Recommendations

To help detect and mitigate Silk Typhoon’s activity, Microsoft recommends the following:

  • Ensure all public-facing devices are patched.
  • Validate that Ivanti Pulse Connect VPNs are patched to address CVE-2025-0282.
  • Defend against legitimate application and service principal abuse by establishing strong controls and monitoring for these security identities.
  • Implement Conditional Access policies enforcing Microsoft’s Zero Trust principles.
  • Enable risk-based user sign-in protection and automate threat response.

Indicators of Compromise

Silk Typhoon is not known to use dedicated infrastructure in their operations. The threat actor typically uses compromised covert networks, proxies, and VPNs for infrastructure, likely to obfuscate their operations.

Microsoft Defender XDR Detections

Microsoft Defender XDR customers can refer to the list of applicable detections below to identify associated threat activity.

Microsoft Defender for Endpoint

The following Microsoft Defender for Endpoint alerts can indicate associated threat activity:

  • Silk Typhoon activity group
  • Possible exploitation of Exchange Server vulnerabilities
  • Suspicious web shell detected
  • Suspicious Active Directory snapshot dump
  • Suspicious credential dump from NTDS.dit

Microsoft Defender External Attack Surface Management

Attack Surface Insights can indicate vulnerable devices on your network, but they are not necessarily indicative of exploitation.

Microsoft Security Copilot

Security Copilot customers can use the standalone experience to create their own prompts or run pre-built promptbooks to automate incident response or investigation tasks related to this threat.

Threat Intelligence Reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog post.

Learn More

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://x.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.