CTI Roundup: Silk Typhoon, Fake Ransom Notes, and ClickFix
Silk Typhoon shifts its tactics, threat actors target executives with physical ransom notes, and hackers use the ClickFix trick to deploy a modified Havoc Demon agent
This week, CTI investigates a Chinese espionage group known as Silk Typhoon, which is now targeting IT solutions for initial access. Next, CTI examines a campaign where threat actors send fake ransom notes to executives through physical mail. Finally, CTI explores a ClickFix-style phishing campaign aimed at deploying a modified Havoc Demon agent.
Silk Typhoon shifts its tactics
Microsoft recently observed a shift in targeting and tactics, techniques, and procedures (TTPs) by the Silk Typhoon group, a Chinese espionage organization. The group is redirecting its focus to target common IT services, including remote management tools and cloud applications, for initial access.
For example, the group abuses stolen API keys and credentials — specifically those associated with privileged access management (PAM), cloud app providers, and cloud data management companies — to compromise supply chains.
The group was also observed taking several post-theft actions that let it push further into compromised supply chains and reach multiple organizations from a single foothold, including:
- Accessing downstream customers or tenants
- Using access to perform reconnaissance for espionage
- Resetting default admin accounts
- Implanting web shells
- Creating additional users
According to Microsoft, victims of the downstream activity were primarily associated with state and local governments and the IT sector.
Who is Silk Typhoon?
Silk Typhoon is a Chinese cyber espionage group that has been active since at least 2020. The group is known to “quickly operationalize exploits for discovered zero-day vulnerabilities in edge devices,” according to Microsoft.
Previously tracked as Hafnium, the group primarily targets organizations in the United States across various sectors, including technology, government agencies, and more.
As Microsoft notes, the group is highly sophisticated and “holds one of the largest targeting footprints among Chinese threat actors.” The wide targeting is primarily a result of the group’s opportunistic approach, which involves selecting potential victims from vulnerability scanning operations. The group has also demonstrated a solid understanding of cloud environments through its ability to operate successfully within them.
Password spray and abuse
Microsoft also observed this actor obtaining initial access via password spray attacks and other password-related techniques.
The actor also conducts reconnaissance using leaked corporate passwords.
Recent TTPs
In recent Silk Typhoon attacks, the actor gains initial access by developing zero-day exploits or by identifying and targeting instances of vulnerable services. The actor appears to focus on IT providers, identity management, privileged access management, and RMM solutions. In January 2025, Microsoft observed the actor specifically exploiting a zero-day in Ivanti’s Pulse Connect VPN.
After gaining initial access, the actor uses common tactics to move from on-premises environments to the cloud: Microsoft has observed it dumping Active Directory, stealing passwords from key vaults, and escalating privileges. Microsoft has also seen the actor targeting Microsoft AADConnect servers (Entra Connect) at this stage of the attack.
The group was observed abusing service principals and OAuth applications to exfiltrate email, OneDrive, and SharePoint data via MSGraph. In addition, Microsoft observed instances where Silk Typhoon compromised multi-tenant applications. Further, the group is known to leverage covert networks to hide its malicious activities.
Analyst comments from Tanium’s Cyber Threat Intelligence team
One key takeaway is that threat actors have realized how much more they gain by compromising an organization that has downstream customers, since a single intrusion can then reach many victims, greatly increasing the threat.
What’s more, Silk Typhoon doesn’t use dedicated infrastructure. Instead, the group relies on compromised networks, proxies, and similar covert infrastructure, making it easier to blend its malicious activity with legitimate traffic. This, coupled with the group’s opportunistic targeting, certainly makes Silk Typhoon one to watch. It’s also possible that we will start to see other actors mirror Silk Typhoon’s targeting and TTPs.
Microsoft shared useful recommendations, hunting guidance, queries, and various Defender alerts that can help to identify related activity.
Threat actors target executives with physical ransom notes
GuidePoint Security received several reports from different organizations regarding a fake ransom note delivered via physical mail. These letters are sent from U.S. addresses to executives and include details typically found in ransom notes delivered digitally.
What’s in the fake ransom letter?
The contents of each letter resemble the ransom notes typically dropped on compromised devices. The first portion of the letter states that the actor gained access to the victim’s corporate systems and has slowly been exfiltrating sensitive information. As with most ransom notes, this letter asks the recipient to make a payment. In this case, the payment is requested in Bitcoin, and the letter includes a QR code with the wallet address. GuidePoint has seen ransom demands of between $250,000 and $350,000.
The physical envelopes are marked with “TIME SENSITIVE READ IMMEDIATELY” and include an American flag Forever stamp.
Ransom note indicators
The author of the letter claims to be associated with the BianLian group. However, GuidePoint believes this letter doesn’t originate from the legitimate BianLian group.
The most telling indicator is that this would be the first time a ransomware group has sent a physical ransom letter. In addition, the wording and content of the letter differ from the ransom notes previously sent by BianLian; this one has almost perfect English and complex sentence structures.
Another noticeable difference is that this letter doesn’t provide a way to negotiate ransoms or connect with the actor via email or the dark web. Lastly, GuidePoint reports that the Bitcoin wallet addresses were newly created and not previously tied to any groups.
Most importantly, GuidePoint notes that “in the cases where we have seen the delivery of these letters, we have not observed known or suspected intrusion activity reflecting ransomware operations.”
Analyst comments from Tanium’s Cyber Threat Intelligence team
It’s strange to see threat actors pivoting back to very basic, old techniques like sending notes via physical mail. Historically, the physical-mail vector has been USB drives that load malware when plugged into a device.
In this development, the threat actor mails social engineering content rather than anything technically malicious. However, this may not be a twist on a classic technique so much as another actor merely pretending to be a well-known ransomware operation.
Presently, there is no confirmation that the BianLian ransomware operation is sending these letters. This may simply be another threat actor trying to make a quick dollar without having to execute any technically sophisticated aspects of a normal attack.
Hackers use the ClickFix trick to deploy a modified Havoc Demon agent
Fortinet discovered a ClickFix-style phishing campaign that attempts to deploy a modified Havoc Demon agent.
What sets this campaign apart is that the threat actor uses SharePoint to host each stage of the malware and uses the Microsoft Graph API to blend its C2 communications into legitimate traffic.
Initial access
According to Fortinet, the attack starts with a traditional phishing email that contains an HTML file attachment. The email creates a sense of urgency by telling the recipient they may face “operational challenges” if they do not look at the attached notice. The attached file, Documents.html, is a typical ClickFix lure: it displays a fake error message designed to trick the victim into copying, pasting, and running a malicious PowerShell command.
The payload
The payload — a PowerShell script — is hosted on SharePoint. When the victim runs this script, it first checks whether it is running in a sandbox environment, then deletes any registry keys under HKCU:\Software\Microsoft whose names start with “zr_”.
It then adds its specified property there as an infection marker. The script next checks that the Python interpreter, python.exe, is present on the device, downloads the remote Python script, and executes it in a hidden window so as not to alert the victim.
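One way to check a host for the marker this script leaves behind, written here as an added hunting example rather than code from Fortinet’s report. It assumes the marker is a value or subkey directly under Software\Microsoft whose name starts with “zr_”, and that it runs from an elevated session so every loaded user hive under HKEY_USERS is visible:

```powershell
# Added hunting example (not from Fortinet's report): enumerate every loaded user
# hive and report subkeys or values under Software\Microsoft whose name starts
# with the "zr_" prefix the payload uses as its infection marker.
function Find-ZrMarker {
    param([string]$Prefix = 'zr_')

    # Map HKEY_USERS as a drive if this session does not already have one
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }

    foreach ($hive in Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue) {
        # *_Classes hives only hold COM and file-association data; skip them
        if ($hive.PSChildName -like '*_Classes') { continue }

        $base = "HKU:\$($hive.PSChildName)\Software\Microsoft"
        if (-not (Test-Path -Path $base)) { continue }

        # Subkeys named zr_* (the script deletes stale ones before writing its own)
        Get-ChildItem -Path $base -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -like "$Prefix*" } |
            ForEach-Object {
                [pscustomobject]@{ Hive = $hive.PSChildName; Kind = 'Key'; Name = $_.PSChildName; Data = $null }
            }

        # Values named zr_* directly under Software\Microsoft
        $key = Get-Item -Path $base -ErrorAction SilentlyContinue
        foreach ($valueName in $key.GetValueNames()) {
            if ($valueName -like "$Prefix*") {
                [pscustomobject]@{ Hive = $hive.PSChildName; Kind = 'Value'; Name = $valueName; Data = $key.GetValue($valueName) }
            }
        }
    }
}

$findings = @(Find-ZrMarker)
if ($findings.Count -gt 0) {
    # Any hit warrants triage: also review the host for python.exe launched from
    # powershell.exe with a hidden window, as the report describes.
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No 'zr_' markers found under Software\Microsoft in any loaded user hive."
}
```

Run it as an administrator so hives of other logged-on users are included; a single-user check from that user’s own session only needs the HKCU portion.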
Shellcode loaders
Fortinet notes that the Python script is also hosted on SharePoint, contains debug information, and is written in Russian. This script acts as a shellcode loader and is executed via the Python interpreter from the terminal.
The script embeds KaynLdr, a shellcode loader available on GitHub, which reflectively loads an embedded DLL. The loader complicates analysis by resolving APIs through hashing with a modified DJB2 algorithm and by using the resolved ntdll APIs for section mapping and memory allocation.
About Havoc Demon DLL
Havoc is an open-source C2 framework commonly utilized in red team engagements.
In this case, the threat actor combines Havoc with the Microsoft Graph API to hide C2 communications. The actor uses a modified Havoc Demon DLL together with a second function that leverages the Graph API to initialize files on the SharePoint site.
Analyst comments from Tanium’s Cyber Threat Intelligence team
It’s interesting that ClickFix-style attacks are becoming more popular, given how heavily they rely on victim interaction. Not only does the victim need to be tricked by a phishing email, but they also need to go on to copy, paste, and execute a malicious PowerShell command.
This particular attack also uses another popular tactic: leveraging legitimate services like Microsoft Graph API and SharePoint. These legitimate and familiar sources may contribute to higher success rates.