Darktrace linked a cyberespionage campaign targeting Asia-Pacific government entities to the Chinese state-aligned group Mustang Panda—also tracked as Twill Typhoon and Earth Preta—after observing the actor evolve its known .NET downloader FDMTP into a more modular backdoor. The updated framework reportedly supports plugin loading, updates, and persistence while hiding behind legitimate-looking Windows and developer-related processes, indicating a shift from a simple downloader to a more flexible remote access platform.
Researchers said compromised hosts had been contacting spoofed domains impersonating CDN infrastructure associated with brands including Yahoo and Apple since September 2025, and that the attackers repeatedly paired legitimate Windows binaries with malicious DLLs to side-load FDMTP. In one April incident, a finance-sector endpoint fetched binaries, configuration files, and DLL components from yahoo-cdn.it.com over an 11-day period, underscoring the group's use of modular tooling, deceptive infrastructure, and adaptable persistence techniques in ongoing espionage operations.
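The spoofed-CDN beaconing described above (hosts reaching names such as yahoo-cdn.it.com that borrow a brand token but sit on a registrable domain the brand does not own) is the kind of pattern a defender can triage from proxy logs. The script below is an added illustration, not code from Darktrace's report or from Mallory; the log format, the per-brand lists of legitimate domains, the sample lines, and the treatment of it.com as a suffix under which third-level names are registered are all assumptions made for the example.

```python
import re
from collections import namedtuple

# Brands the report says were impersonated, mapped to domains they legitimately
# serve from. Illustrative assumption, not a complete inventory.
BRAND_DOMAINS = {
    "yahoo": {"yahoo.com", "yimg.com"},
    "apple": {"apple.com", "icloud.com", "mzstatic.com"},
}

# Suffixes under which the third label is the owner-chosen, registrable name.
# Assumed set for this example; it.com is here because the reported lookalike
# lived under it.
EXTRA_SUFFIXES = {"it.com", "co.uk"}

Hit = namedtuple("Hit", "host brand registrable")

# Constructed proxy log shape: timestamp, source IP, method, URL, status.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+\S+\s+https?://(?P<host>[^/:\s]+)")

def registrable_domain(host):
    """Last two labels, or last three when the host sits under EXTRA_SUFFIXES."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in EXTRA_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def lookalike_brand(host):
    """Brand token a host borrows without being that brand's own domain, else None."""
    reg = registrable_domain(host)
    if any(reg in legit for legit in BRAND_DOMAINS.values()):
        return None  # genuine brand infrastructure, including its subdomains
    for brand in BRAND_DOMAINS:
        if brand in host.lower():
            return brand
    return None

def find_lookalikes(log_lines):
    """Return a Hit for each parseable line whose host impersonates a tracked brand."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not treated as findings
        brand = lookalike_brand(m["host"])
        if brand:
            hits.append(Hit(m["host"], brand, registrable_domain(m["host"])))
    return hits

# Constructed sample lines; only the first and third should be flagged.
SAMPLE_LOG = """\
2025-09-03T10:15:22Z 10.0.5.17 GET http://yahoo-cdn.it.com/update/config.dat 200
2025-09-03T10:15:40Z 10.0.5.17 GET https://cdn.yahoo.com/js/app.js 200
2025-09-03T10:16:02Z 10.0.5.23 GET https://apple-cdn.example.net/bin/loader.dll 200
2025-09-03T10:16:30Z 10.0.5.23 GET https://www.apple.com/ 200
malformed line that does not parse
"""

if __name__ == "__main__":
    for hit in find_lookalikes(SAMPLE_LOG.splitlines()):
        print(f"{hit.host} impersonates {hit.brand} (registrable: {hit.registrable})")
```

Genuine brand subdomains pass because the check keys on the registrable domain, so a real CDN host is not flagged merely for containing the brand name.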

On or before May 14, 2026, Darktrace reported that the Asia-Pacific government-targeting cyberespionage campaign resembled activity by the Chinese state-aligned threat actor Mustang Panda, also known as Twill Typhoon and Earth Preta. The report said the group had evolved FDMTP from a .NET downloader into a modular backdoor framework supporting plugins, updates, and persistence via legitimate-looking processes.
In April 2026, Darktrace documented an incident in which a finance-sector endpoint repeatedly fetched binaries, configuration files, and DLL components from yahoo-cdn.it.com over an 11-day period. The behavior was consistent with the modular FDMTP framework and its plugin-based operation.
Since September 2025, Darktrace has observed compromised hosts contacting spoofed domains impersonating CDN infrastructure associated with brands including Yahoo and Apple. The activity involved retrieving legitimate Windows binaries and malicious DLLs to side-load an evolved, more modular version of the FDMTP malware.
Sources: govinfosecurity.com, bankinfosecurity.com, darktrace.com