www.infosecurity-magazine.com 5/14/2026, 3:10:33 PM

FDMTP backdoor v3.2 update tied to Mustang Panda espionage

CyberSIXT Evidence Panel
Threat Actor
🇨🇳 MUSTANG PANDA

An updated variant of the FDMTP backdoor has been observed in a months-long espionage campaign aimed at networks in the Asia-Pacific region and Japan, with researchers claiming that the activity is linked to the China-aligned group Mustang Panda. According to Darktrace, multiple customer environments began making requests to attacker infrastructure impersonating well-known content delivery networks in late September 2025, with activity continuing through April 2026.

Darktrace assessed with moderate confidence that the campaign aligns with publicly reported Mustang Panda tradecraft, though it notes the techniques are not unique to a single actor. The final-stage payload is a heavily obfuscated .NET backdoor identified as version 3.2.5[.]1 of FDMTP, a tool first documented by Trend Micro in 2024 as a Mustang Panda secondary control implant.

Communication runs over custom TCP using the Duplex Message Transport Protocol, with four loadable plugins for tasks including persistence and remote file retrieval. Persistence is maintained via scheduled tasks and registry entries under HKCU\Software\Microsoft\IME, alongside an update channel that polls icloud-cdn[.]net every five minutes for new payloads.
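As an added detection sketch for defenders (not code from the article or from Darktrace), the following Python flags the fixed five-minute polling cadence described above in constructed proxy log lines; the log format, the 10.0.5.x client addresses and the timestamps are assumptions, and the defanged domain is written plainly so the sample parses.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (timestamp, client, destination host); not real telemetry.
SAMPLE_LOG = """\
2025-09-29T08:00:02Z 10.0.5.21 cdn.jsdelivr.net
2025-09-29T08:00:05Z 10.0.5.21 icloud-cdn.net
2025-09-29T08:05:04Z 10.0.5.21 icloud-cdn.net
2025-09-29T08:10:06Z 10.0.5.21 icloud-cdn.net
2025-09-29T08:15:05Z 10.0.5.21 icloud-cdn.net
2025-09-29T08:20:04Z 10.0.5.21 icloud-cdn.net
2025-09-29T08:01:00Z 10.0.5.22 cdn.jsdelivr.net
2025-09-29T08:17:30Z 10.0.5.22 cdn.jsdelivr.net
2025-09-29T09:02:11Z 10.0.5.22 cdn.jsdelivr.net
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def parse_log(text):
    """Return a list of (timestamp, client, host) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3)))
    return events

def find_beacons(events, period=300, tolerance=0.05, min_hits=4):
    """Flag (client, host) pairs whose requests recur at a fixed period (seconds).

    A pair is reported when the median gap is within `tolerance` of `period`
    and no single gap deviates from that median by more than the same margin,
    which separates a timer-driven poller from bursty human browsing.
    """
    by_pair = defaultdict(list)
    for ts, client, host in events:
        by_pair[(client, host)].append(ts)
    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue  # too few samples to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median = statistics.median(gaps)
        jitter = max(abs(g - median) for g in gaps)
        margin = period * tolerance
        if abs(median - period) <= margin and jitter <= margin:
            hits[pair] = round(median)
    return hits
```

Correlating a hit with a scheduled task or a value under the IME registry path named above strengthens the finding; a periodic request alone can also be a legitimate updater.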


Article by CyberSIXT