
Mustang Panda Tied to FDMTP Backdoor in Asia-Pacific Espionage


Espionage Campaign Utilizes Updated FDMTP Backdoor Linked to Mustang Panda

An updated variant of the FDMTP backdoor has surfaced in a protracted espionage campaign targeting networks across the Asia-Pacific region and Japan. This activity has been connected to Mustang Panda, a group believed to be aligned with Chinese interests. Recent findings reported by Darktrace reveal important details about this campaign, indicating a sophisticated and ongoing effort to infiltrate various systems through deceitful tactics.

In late September 2025, researchers observed a surge in requests from multiple organizations that sought to connect with attacker-controlled infrastructure masquerading as reputable content delivery networks (CDNs). This deceptive activity persisted well into April 2026, raising concerns among cybersecurity experts regarding the extent and intent of the operation. Darktrace, a leading cybersecurity firm, assessed with moderate confidence that the modus operandi displayed in this campaign aligns with tradecraft publicly associated with Mustang Panda. However, it also acknowledged that the techniques involved are not exclusive to any single adversarial actor.

Mustang Panda, tracked by Darktrace under the aliases Twill Typhoon, Earth Preta, Stately Taurus, Bronze President, and TA416, has made a name for itself through a range of espionage operations targeting government and corporate entities. The group’s tactics often involve complex strategies designed to evade detection while achieving their objectives.

CDN Impersonation and DLL Sideloading Tactics

One of the more alarming strategies employed by these attackers involves CDN impersonation and dynamic-link library (DLL) sideloading. In certain instances, compromised hosts retrieved not just malicious components but also legitimate executables and corresponding configuration files from domains posing as established infrastructures, including those of well-known companies such as Yahoo and Apple.

A case highlighted by Darktrace detailed an incident within the finance sector in April 2026, where an endpoint retrieved legitimate binaries such as vshost.exe and dfsvc.exe. These files served as the initial foothold, after which configuration files and malicious DLL components were fetched over a period of approximately 11 days. By abusing these benign executables, the attackers sideloaded malicious DLLs that carried the file names of the libraries those binaries expected to load.

In an illustrative example, a DLL named browser_host.dll was placed alongside biz_render.exe, the legitimate binary for the Sogou Pinyin input method. Because the binary resolved the library from its own directory, the malicious payload was loaded and executed inside a process that appears trustworthy, a standard DLL sideloading pattern.
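The sideloading shape described above (a legitimate executable running from an unusual directory and loading an unsigned DLL sitting next to it) can be flagged from image-load telemetry. The following is an added illustration, not code from Darktrace or the article: it runs a simple heuristic over constructed Sysmon Event ID 7 style records; the host names, paths and signature flags are invented sample data.

```python
import ntpath
from dataclasses import dataclass

# Locations where legitimately installed Windows software normally lives. A signed
# executable running from anywhere else and loading an unsigned DLL from its own
# folder is the classic sideload shape (e.g. biz_render.exe + browser_host.dll).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class ImageLoad:
    """Minimal view of a Sysmon Event ID 7 (ImageLoad) record (constructed fields)."""
    host: str
    image: str            # the process executable
    image_signed: bool
    loaded: str           # the module that was mapped into the process
    loaded_signed: bool


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def is_sideload(ev: ImageLoad) -> bool:
    """True when a signed EXE outside the trusted dirs loads an unsigned DLL
    from the same directory it runs from."""
    image, loaded = _norm(ev.image), _norm(ev.loaded)
    if not loaded.endswith(".dll"):
        return False
    same_dir = ntpath.dirname(image) == ntpath.dirname(loaded)
    outside_trusted = not image.startswith(TRUSTED_DIRS)
    return ev.image_signed and not ev.loaded_signed and same_dir and outside_trusted


def find_sideloads(events):
    return [ev for ev in events if is_sideload(ev)]


# Constructed sample events: one suspicious load, one normal install, one OS library.
SAMPLE = [
    ImageLoad("fin-ws01", r"C:\Users\alice\AppData\Local\Temp\biz_render.exe", True,
              r"C:\Users\alice\AppData\Local\Temp\browser_host.dll", False),
    ImageLoad("fin-ws01", r"C:\Program Files\Sogou\biz_render.exe", True,
              r"C:\Program Files\Sogou\browser_host.dll", True),
    ImageLoad("fin-ws02", r"C:\Windows\System32\notepad.exe", True,
              r"C:\Windows\System32\kernel32.dll", True),
]

if __name__ == "__main__":
    for ev in find_sideloads(SAMPLE):
        print(f"[{ev.host}] possible DLL sideload: {ev.image} -> {ev.loaded}")
```

The heuristic is deliberately narrow; in production it would be paired with the process's parent, the DLL's hash reputation and whether the executable was itself downloaded from a CDN-lookalike domain, as the article describes.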

Features of the Updated FDMTP Backdoor

The campaign’s final payload comprises a heavily obfuscated .NET backdoor identified by Darktrace as version 3.2.5.1 of FDMTP. Initially documented by Trend Micro in 2024, this tool functions as a secondary control implant for Mustang Panda. Notably, the communication protocol employed by FDMTP operates over a custom TCP connection utilizing the Duplex Message Transport Protocol (DMTP). This enables robust features such as cluster-based resolution, token validation, and a persistent message loop to facilitate remote tasking.

Darktrace’s analysis revealed four distinct loadable plugins within the framework of this backdoor. These plugins serve a variety of purposes, including creating scheduled tasks, ensuring registry persistence, loading the main framework, and allowing remote file retrieval and manipulation of processes. Such modularity enhances the flexibility and effectiveness of the malware.

Persistence is established through scheduled tasks and registry entries under the key HKCU\Software\Microsoft\IME. Furthermore, the backdoor maintains a dedicated update channel that polls an address identified as icloud-cdn[.]net every five minutes to fetch new payloads, ensuring the continuity of the campaign.

Call to Action for Cyber Defenders

In light of these findings, Darktrace emphasizes the importance of anchoring detection methods to behavioral patterns rather than individual indicators. “Infrastructure rotates, and payloads can change, but the execution model persists,” the company stated. This insight underscores the need for a proactive and adaptive security approach, encouraging defenders to focus on the evolving behaviors associated with such threats.
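A concrete form of the behaviour-anchored detection Darktrace recommends is to look for the fixed five-minute polling cadence of the update channel rather than for the domain itself. The block below is an added example, not the vendor's or the article's code: it parses constructed proxy-log lines (timestamp, host, destination, bytes), measures the inter-connection intervals per host/destination pair and flags pairs whose mean interval is close to 300 seconds with very low jitter. The log lines, host names and the vendor domain are invented sample data; the CDN-lookalike destination is the one named in the article.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log: "<ISO timestamp> <host> <destination> <bytes>".
SAMPLE_LOG = """\
2026-04-02T09:00:01 fin-ws01 icloud-cdn.net 612
2026-04-02T09:05:02 fin-ws01 icloud-cdn.net 608
2026-04-02T09:10:00 fin-ws01 icloud-cdn.net 615
2026-04-02T09:15:03 fin-ws01 icloud-cdn.net 610
2026-04-02T09:20:01 fin-ws01 icloud-cdn.net 611
2026-04-02T09:00:40 fin-ws01 update.example-vendor.test 2048
2026-04-02T09:13:10 fin-ws01 update.example-vendor.test 1900
2026-04-02T09:31:55 fin-ws01 update.example-vendor.test 2210
"""


def parse(log: str):
    """Group connection timestamps by (host, destination)."""
    flows = defaultdict(list)
    for line in log.splitlines():
        ts, host, dest, _bytes = line.split()
        flows[(host, dest)].append(datetime.fromisoformat(ts))
    return flows


def beacon_score(times, min_events=4):
    """Return (mean gap in seconds, jitter ratio) or None if too few events.
    Jitter ratio is stdev/mean; machine-driven polling sits near zero."""
    if len(times) < min_events:
        return None
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    return mean, statistics.pstdev(gaps) / mean


def find_beacons(log: str, expect_secs=300, tol=0.1, max_jitter=0.05):
    """Flag host/destination pairs polled at roughly expect_secs with low jitter."""
    hits = []
    for (host, dest), times in parse(log).items():
        score = beacon_score(times)
        if score is None:
            continue
        mean, jitter = score
        if abs(mean - expect_secs) <= expect_secs * tol and jitter <= max_jitter:
            hits.append((host, dest, round(mean), round(jitter, 3)))
    return hits


if __name__ == "__main__":
    for host, dest, mean, jitter in find_beacons(SAMPLE_LOG):
        print(f"{host} -> {dest}: ~{mean}s cadence, jitter {jitter}")
```

Dropping `expect_secs` and ranking every pair by jitter turns the same function into a general low-jitter beacon hunt that survives a change of domain or interval.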

The comprehensive analysis provided by Darktrace serves as a vital resource for cybersecurity professionals and organizations intending to fortify their defenses against increasingly sophisticated espionage tactics. The Mustang Panda group’s continued evolution, as evidenced by this latest campaign, underscores the importance of vigilance and adaptation in the face of ever-evolving cyber threats.
