
Chinese APT Campaign Targets Asia-Pacific with FDMTP Backdoor

Severity: High (Score: 75.5)

Sources: Darktrace, Infosecurity-Magazine

Summary

A months-long espionage campaign linked to the Chinese group Mustang Panda has been identified, utilizing an updated variant of the FDMTP backdoor. This campaign, tracked by Darktrace, began in late September 2025 and has primarily affected customer environments in the Asia-Pacific and Japan regions. Attackers employed a technique involving the sideloading of malicious DLLs alongside legitimate binaries, with requests made to domains impersonating well-known content delivery networks like Yahoo and Apple. The campaign's final payload is a heavily obfuscated .NET backdoor, version 3.2.5.1 of FDMTP, which includes various plugins for persistence and remote tasking. Darktrace has observed multiple instances of affected hosts retrieving legitimate executables, configuration files, and malicious DLLs over extended periods. The activity is consistent with previously reported techniques associated with Mustang Panda, though the methods are not exclusive to this group. As of May 2026, the campaign continues to pose a significant threat to targeted sectors, particularly finance.

Key Points:

  • Mustang Panda is linked to an updated variant of the FDMTP backdoor targeting APJ.
  • Attackers use DLL sideloading techniques with legitimate binaries to execute payloads.
  • The campaign has been active since September 2025, with ongoing threats observed into May 2026.

Key Entities

  • Bronze President (apt_group)
  • Earth Preta (apt_group)
  • Mustang Panda (apt_group)
  • Stately Taurus (apt_group)
  • TA416 (apt_group)
  • Malware (attack_type)
  • Japan (country)
  • echo.in (domain)
  • icloud-cdn.net (domain)
  • microsoft.net (domain)
  • yahoo-cdn.it.com (domain)
  • Finance (industry)
  • 154.223.58.142 (ipv4)
  • FDMTP (malware)
  • 067FBAD4D6905D6E13FDC19964C1EA52 (md5)
  • 162F69FE29EB7DE12B684E979A446131 (md5)
  • 2CD781AB63A00CE5302ED844CFBECC27 (md5)
  • 482cc72e01dfa54f30efe4fefde5422d (md5)
  • b2c8f1402d336963478f4c5bc36c961a (md5)
  • T1007 - System Service Discovery (mitre_attack)
  • T1027.007 - Dynamic API Resolution (mitre_attack)
  • T1027 - Obfuscated Files or Information (mitre_attack)
  • T1030 - Data Transfer Size Limits (mitre_attack)
  • T1053.005 - Scheduled Task (mitre_attack)
  • Windows (platform)
  • Sogou Pinyin (company)
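The summary describes two network-observable traits: requests to the listed indicator domains and IP, and hostnames built to impersonate CDNs of brands such as Yahoo and Apple. The following script is an added example, not code from Darktrace or any of the cited sources. It matches proxy log lines against the indicators copied from this entry's Key Entities list and adds a simple brand-lookalike heuristic. The log line format, the source and destination addresses, the legitimate brand domains used by the heuristic, and the naive two-label registrable-domain logic are assumptions made for the example; verify the listed indicators against the source report before alerting on them in production.

```python
"""IoC and CDN-lookalike matcher for the indicators in this feed entry (added example)."""
import ipaddress
from typing import Iterable, Optional

# Indicators copied from the entry's Key Entities list (hashes normalised to lowercase).
IOC_DOMAINS = {"echo.in", "icloud-cdn.net", "microsoft.net", "yahoo-cdn.it.com"}
IOC_IPS = {"154.223.58.142"}
IOC_MD5 = {
    "067fbad4d6905d6e13fdc19964c1ea52",
    "162f69fe29eb7de12b684e979a446131",
    "2cd781ab63a00ce5302ed844cfbecc27",
    "482cc72e01dfa54f30efe4fefde5422d",
    "b2c8f1402d336963478f4c5bc36c961a",
}

# Heuristic for the "impersonated CDN" pattern: a brand token inside a hostname whose
# registrable domain is not one the brand owns. Brand tokens and legitimate domains
# are assumptions for this example; tune them for your environment.
BRAND_LEGIT_DOMAINS = {
    "yahoo": {"yahoo.com"},
    "icloud": {"icloud.com", "apple.com"},
    "apple": {"apple.com"},
}


def registrable_domain(host: str) -> str:
    # Naive: last two labels. A real deployment should use the Public Suffix List,
    # otherwise "it.com"-style hosts and ccSLDs such as ".co.uk" are mis-split.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def classify_host(host: str) -> Optional[str]:
    """Return 'ioc_ip', 'ioc_domain', 'brand_lookalike' or None for a host/IP."""
    h = host.lower().rstrip(".")
    if is_ip(h):
        return "ioc_ip" if h in IOC_IPS else None
    # Exact indicator match, including subdomains of a listed domain.
    if h in IOC_DOMAINS or any(h.endswith("." + d) for d in IOC_DOMAINS):
        return "ioc_domain"
    reg = registrable_domain(h)
    for brand, legit in BRAND_LEGIT_DOMAINS.items():
        # Substring match deliberately errs toward false positives (e.g. "pineapple");
        # pair it with an allowlist before turning it into a blocking rule.
        if brand in h and reg not in legit:
            return "brand_lookalike"
    return None


def is_known_sample_hash(md5_hex: str) -> bool:
    """True if an MD5 from a sideloaded DLL or dropped file matches a listed sample."""
    return md5_hex.strip().lower() in IOC_MD5


def parse_line(line: str) -> Optional[dict]:
    # Constructed log format: "<ts> <src_ip> <host> <dst_ip> <method> <path>"
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, host, dst, method, path = parts
    return {"ts": ts, "src": src, "host": host, "dst_ip": dst, "method": method, "path": path}


def scan_log(lines: Iterable[str]) -> list:
    """Return one hit record per line whose host or destination IP matches."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify_host(rec["host"]) or classify_host(rec["dst_ip"])
        if verdict:
            hits.append({**rec, "verdict": verdict})
    return hits


# Constructed sample proxy log; RFC 5737 addresses are used for non-indicator hosts.
SAMPLE_LOG = [
    "2026-05-03T10:21:07Z 10.0.0.15 cdn.yahoo.com 203.0.113.10 GET /js/app.js",
    "2026-05-03T10:21:09Z 10.0.0.15 yahoo-cdn.it.com 154.223.58.142 GET /update/config.dat",
    "2026-05-03T10:22:40Z 10.0.0.22 icloud-cdn.net 203.0.113.20 GET /setup/helper.dll",
    "2026-05-03T10:23:01Z 10.0.0.31 apple-sync.example.org 203.0.113.30 GET /cfg",
    "2026-05-03T10:23:50Z 10.0.0.40 www.example.com 203.0.113.40 GET /",
    "2026-05-03T10:24:12Z 10.0.0.15 203.0.113.50 154.223.58.142 GET /beacon",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['host']} ({hit['dst_ip']}) : {hit['verdict']}")
```

The exact-indicator path catches known infrastructure; the lookalike path is what gives coverage when the campaign rotates to a domain that is not yet on a list. Keep the two verdicts separate in alerting, since the heuristic will need review while the indicator matches can page directly.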