- Darktrace reports that Twill Typhoon (Mustang Panda) is targeting the Asia-Pacific region and Japan with an updated FDMTP backdoor, version 3.2.5.1.
- The attackers delivered the backdoor through DLL sideloading: phishing ZIP files bundled Sogou Pinyin with a malicious DLL, and the backdoor's traffic impersonated Yahoo and Apple CDN traffic.
- FDMTP collects system information and installs plugins for remote control and persistence; the researchers emphasize behavioral detection over static indicators.
Experts have warned that Chinese state-sponsored threat actors are targeting organizations across the Asia-Pacific region, as well as Japan, with an updated version of a known backdoor.
A new threat intelligence report by security researchers at Darktrace found that since late September 2025, and continuing into April 2026, a hacking collective called Twill Typhoon (also known as Mustang Panda) has been attacking organizations, including at least one company in the financial sector, with a backdoor called FDMTP (now at version 3.2.5.1).
To deliver FDMTP, the attackers used DLL sideloading. Through phishing, they delivered a ZIP file containing a legitimate, trusted program (in this case Sogou Pinyin, a popular Chinese-language input method editor) alongside a malicious DLL carrying the same name as a library the program expects to load. When the victim runs the program, it loads the malicious DLL in place of the legitimate one, giving the attackers a foothold from which to install the backdoor.
Execution model persists
They also impersonate well-known CDN infrastructure, such as Yahoo's and Apple's, so that their traffic blends in with normal web activity and avoids detection.
Once inside, FDMTP establishes a connection to the attacker-controlled C2 server, collects detailed system information (installed antivirus software, user accounts, and more), and installs modular plugins that let the attackers remotely execute commands, manage files, manipulate system processes, or maintain persistent access.
“This approach is consistent with broader China-nexus tradecraft,” Darktrace said in the report. “The stable characteristic of this activity is behavior. Broken infrastructure and payloads may change, but the execution model persists. For defenders, the implication is simple: detection anchored to individual indicators will degrade rapidly. Detection anchored to a sequence of behavior offers a much more durable approach.”
In other words, companies need detection systems that recognize that sequence rather than specific indicators known to be bad.
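As an added example of what "detection anchored to a sequence of behavior" can look like in practice (this is illustrative code written for this page, not Darktrace's detection logic or anything from the report), the script below correlates three generic behaviors per process instead of matching a hash, file name or domain: a process launched from a user-writable directory, that process loading a DLL from its own directory rather than a system directory (the sideloading pattern), and the same process then opening an outbound connection. The telemetry schema, field names, directory lists and sample events are all constructed for the example; map them onto your EDR or Sysmon fields when reusing the logic.

```python
"""Behavior-sequence detector for a DLL-sideloading chain.

Added example, not the article's or Darktrace's code. Alerts only when all
three stages occur, in order, for the same process within a time window:
  1. process_create from a user-writable directory,
  2. image_load of a DLL that sits beside the executable (not a system DLL),
  3. network_connect from that process.
Each stage on its own is common and benign; the ordered sequence is the signal.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable

# Constructed lists: tune to your environment.
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\temp\\", "\\appdata\\local\\temp\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
WINDOW_SECONDS = 300  # stages 2 and 3 must follow stage 1 within this window


@dataclass
class Event:
    ts: float      # seconds since epoch (constructed)
    host: str
    pid: int
    kind: str      # "process_create" | "image_load" | "network_connect"
    image: str     # path of the acting process's executable
    target: str    # loaded DLL path, or remote host:port; empty for process_create


def _dirname(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower() + "\\"


def _from_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def _is_sideload_candidate(exe: str, dll: str) -> bool:
    # A DLL from a system directory is normal; one from the exe's own folder is the pattern.
    if dll.lower().startswith(SYSTEM_DIRS):
        return False
    return _dirname(exe) == _dirname(dll)


def detect_sideload_chain(events: Iterable[Event]) -> list[dict]:
    """Return one alert per (host, pid) that completes stages 1 -> 2 -> 3 in order."""
    state: dict = {}   # (host, pid) -> partial chain
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.host, ev.pid)
        if ev.kind == "process_create":
            if _from_user_writable(ev.image):
                state[key] = {"start": ev.ts, "exe": ev.image, "dll": None}
            continue
        chain = state.get(key)
        if chain is None or ev.ts - chain["start"] > WINDOW_SECONDS:
            continue
        if ev.kind == "image_load" and chain["dll"] is None and _is_sideload_candidate(chain["exe"], ev.target):
            chain["dll"] = ev.target
        elif ev.kind == "network_connect" and chain["dll"] is not None:
            alerts.append({"host": ev.host, "pid": ev.pid, "exe": chain["exe"],
                           "dll": chain["dll"], "remote": ev.target})
            del state[key]
    return alerts


# Constructed telemetry: one sideload chain and one benign installed application.
SAMPLE_EVENTS = [
    Event(1000.0, "ws01", 4242, "process_create", "C:\\Users\\alice\\Downloads\\ime\\ime_setup.exe", ""),
    Event(1000.5, "ws01", 4242, "image_load", "C:\\Users\\alice\\Downloads\\ime\\ime_setup.exe",
          "C:\\Windows\\System32\\kernel32.dll"),
    Event(1001.0, "ws01", 4242, "image_load", "C:\\Users\\alice\\Downloads\\ime\\ime_setup.exe",
          "C:\\Users\\alice\\Downloads\\ime\\helper.dll"),
    Event(1007.0, "ws01", 4242, "network_connect", "C:\\Users\\alice\\Downloads\\ime\\ime_setup.exe",
          "cdn-lookalike.invalid:443"),
    Event(1010.0, "ws01", 5100, "process_create", "C:\\Program Files\\Vendor\\app.exe", ""),
    Event(1010.5, "ws01", 5100, "image_load", "C:\\Program Files\\Vendor\\app.exe",
          "C:\\Program Files\\Vendor\\app.dll"),
    Event(1011.0, "ws01", 5100, "network_connect", "C:\\Program Files\\Vendor\\app.exe",
          "update.vendor.invalid:443"),
]

if __name__ == "__main__":
    for alert in detect_sideload_chain(SAMPLE_EVENTS):
        print("ALERT sideload chain:", alert)
```

Run as-is, it raises one alert for PID 4242 and none for the installed application, even though that application also loads a DLL from its own folder and connects out. None of the matched values (the executable name, the DLL name, the remote host) appear in the rule, which is the point: swapping the lure program, the DLL or the impersonated CDN does not change the sequence the rule keys on.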
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds.