- Darktrace reported Twill Typhoon (Mustang Panda) targeting Asia‑Pacific and Japan with updated FDMTP backdoor v3.2.5.1
- Attackers used DLL sideloading via spear‑phished ZIPs with Sogou Pinyin plus malicious DLL, and impersonated Yahoo/Apple CDN traffic
- FDMTP gathers system info, installs plugins for remote control and persistence; researchers stress behavioral detection over static indicators
Chinese state-sponsored threat actors are targeting organizations across the Asia-Pacific region, as well as Japan, with an updated version of a known backdoor, experts have warned.
A new threat intelligence report by security researchers Darktrace found as of late September 2025, and all the way through April 2026, a hacking collective called Twill Typhoon (or Mustang Panda) have been targeting organizations – including at least one finance-sector company – with a backdoor called FDMTP (now at version 3.2.5.1).
To deliver FDMTP, the attackers used DLL sideloading. Using spear-phishing, they would deliver a ZIP file with a legitimate, trusted program (in this case, a popular Chinese language input method editor called Sogou Pinyin) alongside a malicious DLL with the same name. When the victim runs the program, it loads the malicious DLL instead of the legitimate one, granting the attackers access and the ability to deploy the backdoor.
Execution model persists
They also impersonate well-known CDN infrastructure such as Yahoo and Apple to make their traffic blend in with normal web activity and thus avoid being spotted.
Once inside, FDMTP establishes a connection to the attacker-controlled C2, collects detailed system information (antivirus software, user accounts, and more), and installs modular plugins that let attackers remotely run commands, manage files, manipulate system processes, or maintain persistent access.
“This approach is consistent with broader China-nexus tradecraft,” Darktrace said in the report. “The stable feature of this activity is behavioral. Infrastructure rotates and payloads can change, but the execution model persists. For defenders, the implication is straightforward: detection anchored to individual indicators will degrade quickly. Detection anchored to a behavioral sequence offer a far more durable approach.”
In other words, businesses need detection systems that recognize that sequence rather than specific known-bad indicators.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.
https://cdn.mos.cms.futurecdn.net/37uyEphcLreEFNUVCQzurn-2560-80.jpg
Source link
