VYPR · Breach · Published May 14, 2026 · Updated May 18, 2026 · 1 source

Mustang Panda Deploys Updated FDMTP Backdoor in Asia-Pacific Espionage Campaign

A months-long espionage campaign targeting networks in the Asia-Pacific region and Japan uses an updated FDMTP backdoor (v3.2.5.1) delivered via CDN-impersonating domains and DLL sideloading, and has been linked to the China-aligned group Mustang Panda.

A months-long espionage campaign targeting networks in the Asia-Pacific region and Japan has been linked to the China-aligned threat actor Mustang Panda, according to new analysis from Darktrace. The campaign leverages an updated variant of the FDMTP backdoor, version 3.2.5.1, delivered through a multi-stage attack chain that begins with domains impersonating legitimate content delivery networks (CDNs).

Darktrace observed multiple customer environments making requests to attacker-controlled infrastructure mimicking Yahoo and Apple CDNs starting in late September 2025, with activity continuing through April 2026. The security firm assessed with moderate confidence that the campaign aligns with publicly reported Mustang Panda tradecraft, though it noted the techniques are not unique to a single actor. The group, also tracked as Twill Typhoon, Earth Preta, Stately Taurus, Bronze President, and TA416, has a long history of espionage operations.

The initial compromise relies on CDN-impersonating domains to deliver legitimate executables alongside malicious DLLs for sideloading. In one finance-sector case from April 2026, an endpoint retrieved legitimate binaries such as vshost.exe and dfsvc.exe before fetching paired configuration and DLL components over an 11-day window. The sideloading chain works by placing a malicious DLL, named after a library the legitimate binary expects to find, in the same directory as that binary, so that the Windows loader resolves the name to the attacker's file and executes it inside a trusted, vendor-signed process. In one observed case, a malicious browser_host.dll was placed alongside biz_render.exe, a legitimate binary from the Sogou Pinyin input method. Once loaded, the DLL decoded its embedded strings, started the .NET runtime inside the host process, and pulled the next stage directly into memory as a managed assembly rather than loading it from a file on disk.

The final-stage payload is a heavily obfuscated .NET backdoor identified as version 3.2.5.1 of FDMTP, a tool first documented by Trend Micro in 2024 as a secondary control implant used by Mustang Panda. Command-and-control traffic runs over a custom TCP protocol, the Duplex Message Transport Protocol (DMTP), with cluster-based server resolution, token validation of the session, and a persistent message loop through which the operator issues tasks. Darktrace identified four loadable plugins in the framework: one for scheduled-task creation, one for registry persistence, one for loading and persisting the main framework, and one for remote file retrieval and process manipulation.

Persistence is maintained through scheduled tasks and registry entries under HKCU\Software\Microsoft\IME, alongside a separate update channel that polls icloud-cdn[.]net every five minutes for new payloads. Because the executables involved are genuine vendor software and the CDN-impersonating infrastructure rotates, detection keyed on file hashes or domain names alone is short-lived, and signature-based defenses struggle with the campaign.

Darktrace urged defenders to anchor detection to the behavioral sequence rather than static indicators. "Infrastructure rotates and payloads can change, but the execution model persists," the company wrote. "For defenders, the implication is straightforward: detection anchored to individual indicators will degrade quickly. Detection anchored to a behavioral sequence offers a far more durable approach." The campaign underscores the ongoing threat that state-aligned espionage groups pose to organizations in the Asia-Pacific region.

Synthesized by Vypr AI