An updated variant of the FDMTP backdoor has been observed in a months-long espionage campaign aimed at networks in the Asia-Pacific and Japan, with researchers linking the activity to the China-aligned group Mustang Panda.
According to new analysis from Darktrace, multiple customer environments began making requests to attacker infrastructure impersonating well-known content delivery networks (CDNs) in late September 2025, with activity continuing through April 2026.
Darktrace assessed with moderate confidence that the campaign aligns with publicly reported Mustang Panda tradecraft, though it notes the techniques are not unique to a single actor.
The group, which Darktrace tracks as Twill Typhoon, is also known as Earth Preta, Stately Taurus, Bronze President and TA416.
CDN Impersonation and DLL Sideloading
Affected hosts retrieved legitimate executables, matching .config files and malicious DLLs from domains posing as Yahoo and Apple infrastructure.
In one finance-sector case from April 2026, an endpoint pulled legitimate binaries such as vshost.exe and dfsvc.exe before fetching paired configuration and DLL components over an 11-day window.
The sideloading chain relied on legitimate binaries loading malicious DLLs of the same name as their expected libraries.
In an observed case, a malicious browser_host.dll was placed alongside the legitimate Sogou Pinyin input method binary biz_render.exe, allowing the payload to execute inside a trusted process.
Decoded strings then loaded the .NET runtime in-process and pulled the next stage directly into memory as a managed assembly.
Updated FDMTP and Modular Plugins
The final-stage payload of the campaign is a heavily obfuscated .NET backdoor that Darktrace identifies as version 3.2.5.1 of FDMTP, a tool first documented by Trend Micro in 2024 as a Mustang Panda secondary control implant.
Communication runs over custom TCP using the Duplex Message Transport Protocol (DMTP), with cluster-based resolution, token validation and a persistent message loop for remote tasking.
Darktrace identified four loadable plugins in the framework: one for scheduled-task creation, one for registry persistence, one for loading and persisting the main framework, and one for remote file retrieval and process manipulation.
Persistence is maintained through scheduled tasks and registry entries under HKCU\Software\Microsoft\IME, alongside a separate update channel that polls icloud-cdn[.]net every five minutes for new payloads.
Darktrace urged defenders to anchor detection to the behavioral sequence.
"Infrastructure rotates and payloads can change, but the execution model persists," the company wrote. "For defenders, the implication is straightforward: detection anchored to individual indicators will degrade quickly. Detection anchored to a behavioral sequence offers a far more durable approach."
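As an added example of what "detection anchored to a behavioral sequence" can look like in practice, the Python script below correlates the four behaviours the article describes (paired exe/.config/DLL retrieval from one external host, a process in a user-writable directory loading a just-downloaded DLL from its own folder, persistence under the IME registry key, and a roughly five-minute polling cadence to the same host) across simple per-host event records. This is not Darktrace's code or telemetry and is not from the original article: the event schema, hostnames, file paths and the placeholder domain cdn-placeholder.example are assumptions made for this example, while the IME registry path, the five-minute cadence and the biz_render.exe/browser_host.dll pairing come from the article.

```python
"""Behavioural-sequence correlation over constructed host telemetry (added example).

Event schema (an assumption for this example, not a real product's format):
    (iso_timestamp, host, event_type, detail)
    http_get    detail = URL requested
    image_load  detail = "<process path>|<dll path>"
    reg_set     detail = registry key written
    task_create detail = scheduled task name
"""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample telemetry. cdn-placeholder.example is a placeholder, not an IoC.
SAMPLE_EVENTS = [
    ("2026-04-01T09:00:00", "FIN-PC-01", "http_get", "https://cdn-placeholder.example/f/biz_render.exe"),
    ("2026-04-01T09:00:05", "FIN-PC-01", "http_get", "https://cdn-placeholder.example/f/biz_render.exe.config"),
    ("2026-04-01T09:00:09", "FIN-PC-01", "http_get", "https://cdn-placeholder.example/f/browser_host.dll"),
    ("2026-04-01T09:01:00", "FIN-PC-01", "image_load",
     r"C:\Users\alice\AppData\Local\Temp\biz_render.exe|C:\Users\alice\AppData\Local\Temp\browser_host.dll"),
    ("2026-04-01T09:01:10", "FIN-PC-01", "reg_set", r"HKCU\Software\Microsoft\IME\Cache"),
    ("2026-04-01T09:05:00", "FIN-PC-01", "http_get", "https://cdn-placeholder.example/update"),
    ("2026-04-01T09:10:01", "FIN-PC-01", "http_get", "https://cdn-placeholder.example/update"),
    ("2026-04-01T09:15:00", "FIN-PC-01", "http_get", "https://cdn-placeholder.example/update"),
    ("2026-04-01T09:20:02", "FIN-PC-01", "http_get", "https://cdn-placeholder.example/update"),
    # Benign host: an installed application loading its own DLL from Program Files.
    ("2026-04-01T09:00:00", "HR-PC-07", "http_get", "https://updates.example/app.exe"),
    ("2026-04-01T09:01:00", "HR-PC-07", "image_load", r"C:\Program Files\App\app.exe|C:\Program Files\App\helper.dll"),
    ("2026-04-01T09:30:00", "HR-PC-07", "http_get", "https://news.example/"),
]

USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")   # directory markers treated as user-writable
IME_KEY = r"hkcu\software\microsoft\ime"                        # persistence location named in the article


def host_from_url(url):
    return url.split("//", 1)[-1].split("/", 1)[0].lower()


def filename_from_url(url):
    return url.rsplit("/", 1)[-1].lower()


def stage_paired_retrieval(events, window=timedelta(minutes=15)):
    """Stage 1: an .exe, a .config and a .dll fetched from one external host within `window`.
    Returns (domain, set of dll names) or None."""
    by_domain = defaultdict(list)
    for ts, _, kind, detail in events:
        if kind == "http_get":
            by_domain[host_from_url(detail)].append((ts, filename_from_url(detail)))
    for domain, items in by_domain.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            names = [n for t, n in items[i:] if t - t0 <= window]
            exts = {n.rsplit(".", 1)[-1] for n in names if "." in n}
            if {"exe", "config", "dll"} <= exts:
                return domain, {n for n in names if n.endswith(".dll")}
    return None


def stage_sideload(events, dll_names):
    """Stage 2: a process in a user-writable directory loads a same-directory DLL that was just retrieved."""
    for _, _, kind, detail in events:
        if kind != "image_load":
            continue
        proc, dll = (PureWindowsPath(p) for p in detail.split("|"))
        same_dir = proc.parent == dll.parent
        writable = any(m in str(proc.parent).lower() + "\\" for m in USER_WRITABLE)
        if same_dir and writable and dll.name.lower() in dll_names:
            return f"{proc.name} loaded {dll.name} from {proc.parent}"
    return None


def stage_persistence(events):
    """Stage 3: a registry write under the IME key, or a scheduled-task creation."""
    for _, _, kind, detail in events:
        if kind == "reg_set" and detail.lower().startswith(IME_KEY):
            return "registry: " + detail
        if kind == "task_create":
            return "scheduled task: " + detail
    return None


def stage_polling(events, domain, period=300, tolerance=15, min_regular_gaps=3):
    """Stage 4: repeated requests to `domain` spaced at roughly `period` seconds."""
    times = sorted(ts for ts, _, kind, d in events if kind == "http_get" and host_from_url(d) == domain)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    regular = [g for g in gaps if abs(g - period) <= tolerance]
    return len(regular) >= min_regular_gaps


def evaluate_host(events):
    """Return the list of matched stage descriptions for one host's (chronological) events."""
    events = sorted(events)
    matched = []
    paired = stage_paired_retrieval(events)
    if paired:
        domain, dll_names = paired
        matched.append(f"paired exe/config/dll retrieval from {domain}")
        side = stage_sideload(events, dll_names)
        if side:
            matched.append("dll sideload: " + side)
    pers = stage_persistence(events)
    if pers:
        matched.append("persistence via " + pers)
    if paired and stage_polling(events, paired[0]):
        matched.append(f"regular ~{300 // 60}-minute polling of {paired[0]}")
    return matched


def detect(raw_events, min_stages=3):
    """Group events by host and report hosts matching at least `min_stages` of the sequence."""
    by_host = defaultdict(list)
    for ts, host, kind, detail in raw_events:
        by_host[host].append((datetime.fromisoformat(ts), host, kind, detail))
    results = {host: evaluate_host(ev) for host, ev in by_host.items()}
    return {host: stages for host, stages in results.items() if len(stages) >= min_stages}


if __name__ == "__main__":
    for host, stages in detect(SAMPLE_EVENTS).items():
        print(host)
        for s in stages:
            print("  -", s)
```

The point of scoring on stages rather than on any single indicator is the one the article makes: the placeholder domain, the file names and the registry value can all be swapped by the operator, but a host that retrieves a matching exe/config/DLL set, runs the DLL from a user-writable folder under a legitimate binary's name, writes persistence and then beacons on a fixed cadence still trips the same correlation. In a real deployment the event tuples would come from EDR or proxy telemetry and the thresholds (window, cadence tolerance, minimum stages) would be tuned against the environment's baseline.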
