FDMTP

FDMTP is a .NET malware downloader associated with the China-aligned espionage group Mustang Panda, also tracked as Earth Preta, Twill Typhoon, and MISTCLOAK. Earlier reporting described it as a simple malware downloader implemented on the TouchSocket library over Duplex Message Transport Protocol (DMTP), used as a secondary control tool and to perform tasks similar to PUBLOAD. Trend Micro reported PUBLOAD was used to introduce FDMTP into victim environments during Mustang Panda operations, including campaigns targeting government-related entities in Asia such as Myanmar, the Philippines, Vietnam, Singapore, Cambodia, and Taiwan.

Later reporting indicates FDMTP evolved into a more modular .NET backdoor / remote access framework. Darktrace observed a heavily obfuscated payload identified as Client.TcpDmtp.dll, communicating over custom TCP using DMTP and assessed it as an updated version of FDMTP (version 3.2.5.1). The malware was delivered via retrieval of legitimate executables together with malicious DLLs, enabling DLL sideloading and search-order hijacking. Observed legitimate binaries included biz_render.exe, dfsvc.exe, and vshost.exe; malicious components included browser_host.dll and dnscfg.dll. In one chain, a malicious dfsvc.exe.config forced loading of dnscfg.dll through a custom AppDomainManager during dfsvc.exe initialization. The malware also used staged retrieval from spoofed CDN-themed infrastructure, including yahoo-cdn.it[.]com and icloud-cdn[.]net, and registration traffic to a /GetCluster endpoint with protocol=DotNet-TcpDmtp and header Verify_Token: Dmtp.

Capabilities directly described in the reporting include host profiling, C2 communication, plugin execution, modular component loading, malware updating after deployment, and persistence through normal-looking Windows and developer-related processes. Embedded components included client.core.dll and client.dmtpframe.dll. Reported functionality included collection of host details such as antivirus products, domain name, HWID, CLR version, administrator status, hardware, network, operating system, and user information; heartbeats, reconnection, RPC-style messaging, SSL support, token verification, and plugin persistence. Plugins identified in reporting were Persist.WpTask.dll, Persist.registry.dll, Persist.extra.dll, and Assist.dll. Persistence mechanisms included a scheduled task for %APPDATA%\Local\Microsoft\WindowsApps\dfsvc.exe, registry storage of plugins under HKCU\Software\Microsoft\IME{id}, and COM-related persistence via HKCU\Software\Classes\TypeLib{9E175B61-F52A-11D8-B9A5-505054503030}\1.0\1\Win64.

Additional technical details reported for the updated framework include runtime string decryption using an XOR-based routine, cluster-based host resolution, a persistent LoopMessage routine for structured tasking, and in-memory loading of AES-encrypted payloads. One observed workflow involved checking icloud-cdn[.]net every five minutes, downloading checksum.bin when version.txt changed, saving it as C:\ProgramData\USOShared\Logs\checksum.etl, decrypting it with the hardcoded AES key POt_L[Bsh0=+@0a., and loading the resulting assembly from memory as Client.dll. Darktrace reported activity beginning in late September 2025 affecting environments in the Asia-Pacific and Japan region, including government targets and at least one finance-sector endpoint.