Mustang Panda Linked to Updated FDMTP Backdoor in Asia-Pacific Espionage Campaign
ID: 9da491a9-467d-5991-bf15-295af752c4a7
STIX ID: report--9da491a9-467d-5991-bf15-295af752c4a7
Feed Name: Infosecurity Magazine (News)
Darktrace observed a months-long espionage campaign (Sep 2025–Apr 2026), attributed with moderate confidence to Mustang Panda, targeting the Asia-Pacific region and Japan. The attackers impersonated CDN infrastructure to deliver legitimate binaries alongside malicious DLLs (DLL sideloading), then loaded a heavily obfuscated .NET backdoor (FDMTP v3.2.5.1) in memory. The backdoor communicates over a custom TCP-based Duplex Message Transport Protocol (DMTP), supports modular plugins (task scheduling, registry persistence, a loader, and remote file/process manipulation), and maintains persistence via scheduled tasks and HKCU\Software\Microsoft\IME registry entries, while polling icloud-cdn.net for updates. Defenders are advised to prioritize detection of the behavioral execution sequence (CDN-impersonating delivery, sideloaded DLL, in-memory .NET loading, then scheduled-task and registry persistence) over static indicators.
