- Darktrace reported Twill Typhoon (Mustang Panda) targeting the Asia-Pacific region and Japan with an updated FDMTP backdoor, version 3.2.5.1.
- The attackers used DLL sideloading via spear-phishing ZIPs bundling Sogou Pinyin with a malicious DLL, and impersonated Yahoo/Apple CDN traffic.
- FDMTP gathers system information and installs plugins for remote control and persistence; researchers emphasize behavioral detection rather than static indicators.
Chinese state-sponsored threat actors are targeting organizations in the Asia-Pacific region, as well as Japan, with an updated version of a known backdoor, experts have warned.
A new threat intelligence report by security researchers at Darktrace revealed that from late September 2025 through April 2026, a hacker collective called Twill Typhoon (also tracked as Mustang Panda) targeted organizations – including at least one company in the financial sector – with a backdoor called FDMTP (now at version 3.2.5.1).
To distribute FDMTP, the attackers used DLL sideloading. Through spear phishing, they would deliver a ZIP file with a legitimate and trustworthy program (in this case, a popular Chinese input method editor called Sogou Pinyin) along with a malicious DLL of the same name. When the victim runs the program, it loads the malicious DLL instead of the legitimate DLL, granting attackers access and the ability to deploy the backdoor.
Execution model persists
The attackers also impersonated well-known CDN infrastructure, such as Yahoo's and Apple's, so that their traffic blends in with normal web activity and avoids detection.
Once inside, FDMTP establishes a connection with the attacker-controlled C2, collects detailed system information (antivirus software, user accounts, etc.), and installs modular plugins that allow attackers to remotely execute commands, manage files, manipulate system processes, or maintain persistent access.
“This approach is consistent with broader China-related trade,” Darktrace said in the report. “The stable characteristic of this activity is behavioral. The infrastructure changes and the payloads may change, but the execution model persists. For defenders, the implication is simple: detection anchored to individual indicators will degrade quickly. Detection anchored to a behavioral sequence offers a much more sustainable approach.”
In other words, businesses need detection systems that recognize this sequence of behaviors rather than specific indicators of compromise.
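To make the "behavioral sequence" idea concrete, here is an added example that is not code from the Darktrace report or the article. It correlates constructed endpoint telemetry into the three stages the report describes: an executable that runs from a user-writable directory (where a ZIP would be extracted) and loads a DLL from its own folder, then a TLS connection whose SNI claims a CDN domain that DNS never resolved to that destination IP, then a child process running system-discovery commands. The event schema, field names, the user-writable path heuristic, the DNS-mismatch heuristic, the discovery command list and every sample value (including the RFC 5737 test-network IPs) are assumptions made for this example. No single stage fires an alert on its own; only the ordered chain does.

```python
"""Behavioral-sequence detector for the sideload -> masqueraded C2 -> discovery chain.

Added example, not code from the Darktrace report or the TechRadar article. Event
shapes, field names, heuristics and all sample values below are constructed assumptions.
"""
from collections import defaultdict

# Locations a standard user can write to; an executable running from one of these that
# loads a DLL from its own directory matches the sideloading pattern described above.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")
# Domains the article says were impersonated; a connection naming one of these whose
# destination IP never appeared in a DNS answer for that name is treated as masquerading.
CDN_DOMAINS = ("yahoo.com", "apple.com")
# Commands that correspond to "collects detailed system information" (assumed list).
DISCOVERY = ("systeminfo", "whoami", "net user", "tasklist", "securitycenter2")
STAGES = ("sideload", "masquerade_c2", "discovery")


def _dirname(path):
    return path.lower().rsplit("\\", 1)[0]


def _is_cdn_name(name):
    n = name.lower()
    return any(n == d or n.endswith("." + d) for d in CDN_DOMAINS)


def _advance(progress, pid, stage, ts):
    """Record a stage for pid only if the previous stage was already seen (order matters)."""
    i = STAGES.index(stage)
    if i == 0 or STAGES[i - 1] in progress[pid]:
        progress[pid].setdefault(stage, ts)


def detect(events, window=600):
    """Return one alert per process that completes all three stages, in order, within `window` seconds."""
    dns_answers = defaultdict(set)   # hostname -> IPs that a DNS answer actually returned
    exe_of = {}                      # pid -> image path of the process
    progress = defaultdict(dict)     # pid -> {stage: timestamp first observed}
    alerts, alerted = [], set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind, pid, ts = ev["type"], ev.get("pid"), ev["ts"]
        if kind == "dns":
            dns_answers[ev["query"].lower()].update(ev["answers"])
        elif kind == "process_create":
            exe_of[pid] = ev["image"]
            parent = ev.get("parent_pid")
            if parent in progress and any(c in ev["cmdline"].lower() for c in DISCOVERY):
                _advance(progress, parent, "discovery", ts)
                pid = parent  # the alert belongs to the parent that spawned the discovery command
        elif kind == "image_load":
            exe_dir = _dirname(exe_of.get(pid, ""))
            if exe_dir and _dirname(ev["dll"]) == exe_dir and any(w in exe_dir for w in USER_WRITABLE):
                _advance(progress, pid, "sideload", ts)
        elif kind == "network_connect":
            sni = ev.get("sni", "")
            if _is_cdn_name(sni) and ev["dst_ip"] not in dns_answers[sni.lower()]:
                _advance(progress, pid, "masquerade_c2", ts)
        seen = progress.get(pid, {})
        if (all(s in seen for s in STAGES) and pid not in alerted
                and seen["discovery"] - seen["sideload"] <= window):
            alerted.add(pid)
            alerts.append({"pid": pid, "image": exe_of.get(pid), "stages": dict(seen)})
    return alerts


# Constructed telemetry: a benign install under Program Files (pid 1001), a process that
# only contacts a spoofed CDN name (pid 2002), and the full chain (pid 4242 with child 4301).
SAMPLE_EVENTS = [
    {"ts": 100, "type": "dns", "query": "cdn.apple.com", "answers": {"203.0.113.10"}},
    {"ts": 101, "type": "process_create", "pid": 1001, "parent_pid": 400,
     "image": "C:\\Program Files\\SogouInput\\SogouInput.exe", "cmdline": "SogouInput.exe"},
    {"ts": 102, "type": "image_load", "pid": 1001, "dll": "C:\\Program Files\\SogouInput\\helper.dll"},
    {"ts": 103, "type": "network_connect", "pid": 1001, "sni": "cdn.apple.com", "dst_ip": "203.0.113.10"},
    {"ts": 200, "type": "process_create", "pid": 2002, "parent_pid": 400,
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe", "cmdline": "updater.exe"},
    {"ts": 201, "type": "network_connect", "pid": 2002, "sni": "cdn.yahoo.com", "dst_ip": "198.51.100.77"},
    {"ts": 300, "type": "process_create", "pid": 4242, "parent_pid": 400,
     "image": "C:\\Users\\alice\\Downloads\\SogouInput\\SogouInput.exe", "cmdline": "SogouInput.exe"},
    {"ts": 301, "type": "image_load", "pid": 4242, "dll": "C:\\Users\\alice\\Downloads\\SogouInput\\helper.dll"},
    {"ts": 305, "type": "network_connect", "pid": 4242, "sni": "cdn.yahoo.com", "dst_ip": "198.51.100.77"},
    {"ts": 320, "type": "process_create", "pid": 4301, "parent_pid": 4242,
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c systeminfo & net user"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"ALERT pid={alert['pid']} image={alert['image']} stages={alert['stages']}")
```

Only pid 4242 is reported: the Program Files copy of the same program loads a DLL from its own folder and talks to a CDN name, and pid 2002 talks to a spoofed CDN name, but neither completes the ordered chain. Swapping the heuristics for whatever your EDR exposes (signed-image checks, real DNS and TLS telemetry) keeps the same structure, which is the point of anchoring detection to the sequence rather than to any one indicator.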