'Infrastructure rotates and payloads can change, but the execution model persists': Chinese hackers return to target victims across Asia with new MustangPanda threat


  • Darktrace reported Twill Typhoon (Mustang Panda) targeting Asia‑Pacific and Japan with updated FDMTP backdoor v3.2.5.1
  • Attackers used DLL sideloading via spear‑phished ZIPs with Sogou Pinyin plus malicious DLL, and impersonated Yahoo/Apple CDN traffic
  • FDMTP gathers system info, installs plugins for remote control and persistence; researchers stress behavioral detection over static indicators

Chinese state-sponsored threat actors are targeting organizations across the Asia-Pacific region, as well as Japan, with an updated version of a known backdoor, experts have warned.

A new threat intelligence report by security researchers Darktrace found that from late September 2025 through April 2026, a hacking collective called Twill Typhoon (or Mustang Panda) has been targeting organizations - including at least one finance-sector company - with a backdoor called FDMTP (now at version 3.2.5.1).

To deliver FDMTP, the attackers used DLL sideloading. Using spear-phishing, they would deliver a ZIP file with a legitimate, trusted program (in this case, a popular Chinese language input method editor called Sogou Pinyin) alongside a malicious DLL with the same name. When the victim runs the program, it loads the malicious DLL instead of the legitimate one, granting the attackers access and the ability to deploy the backdoor.


Execution model persists

They also impersonate well-known CDN infrastructure such as Yahoo and Apple to make their traffic blend in with normal web activity and thus avoid being spotted.

Once inside, FDMTP establishes a connection to the attacker-controlled C2, collects detailed system information (antivirus software, user accounts, and more), and installs modular plugins that let attackers remotely run commands, manage files, manipulate system processes, or maintain persistent access.

“This approach is consistent with broader China-nexus tradecraft,” Darktrace said in the report. “The stable feature of this activity is behavioral. Infrastructure rotates and payloads can change, but the execution model persists. For defenders, the implication is straightforward: detection anchored to individual indicators will degrade quickly. Detection anchored to a behavioral sequence offers a far more durable approach.”

In other words, businesses need detection systems that recognize that sequence rather than specific known-bad indicators.
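As an added illustration of what "detection anchored to a behavioral sequence" looks like in practice (example code written for this article, not Darktrace's or the report's own logic), the snippet below correlates three events for one process: a program started from a user-writable folder, an unsigned DLL loaded from that same folder, and an outbound connection. The telemetry lines and field names are constructed for the example, and the user-writable path prefixes are an assumption.

```python
"""Sequence-based detection of DLL sideloading followed by outbound beaconing.

No hash, file name or C2 domain is matched. Instead, three events for the same
process are correlated in order: (1) an executable started from a user-writable
directory, (2) an unsigned DLL loaded from that same directory, and (3) an
outbound connection from that process. Swapping the payload or the C2 host does
not change the sequence, which is the point of behavioral detection.
"""
import json
from collections import defaultdict

# Assumption: directories an unprivileged user can write to (lower-cased).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\temp\\", "c:\\programdata\\")

# Constructed sample telemetry, one JSON event per line (not from the report).
# pid 4120 completes the sequence; 5200 loads only a signed system DLL;
# 6100 beacons without ever loading a co-located DLL, so it must not fire.
SAMPLE_TELEMETRY = r"""
{"pid": 4120, "type": "process_start", "image": "C:\\Users\\alice\\Downloads\\Input\\Input.exe"}
{"pid": 4120, "type": "image_load", "path": "C:\\Users\\alice\\Downloads\\Input\\Helper.dll", "signed": false}
{"pid": 4120, "type": "network_connect", "dst_host": "cdn-lookalike.invalid", "dst_port": 443}
{"pid": 5200, "type": "process_start", "image": "C:\\Program Files\\Vendor\\Tool.exe"}
{"pid": 5200, "type": "image_load", "path": "C:\\Windows\\System32\\ws2_32.dll", "signed": true}
{"pid": 5200, "type": "network_connect", "dst_host": "updates.example.invalid", "dst_port": 443}
{"pid": 6100, "type": "process_start", "image": "C:\\Users\\bob\\Downloads\\Setup.exe"}
{"pid": 6100, "type": "network_connect", "dst_host": "updates.example.invalid", "dst_port": 443}
"""


def parse_telemetry(text):
    """Parse newline-delimited JSON events into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _dirname(path):
    """Lower-cased directory of a Windows path, with a trailing backslash."""
    return path.lower().rsplit("\\", 1)[0] + "\\"


def find_sideload_sequences(events):
    """Return one finding per pid that reaches all three stages, in order."""
    stage = defaultdict(int)  # pid -> highest stage reached so far
    exe_dir, dll_path, findings = {}, {}, []
    for ev in events:
        pid, kind = ev["pid"], ev["type"]
        if kind == "process_start" and _dirname(ev["image"]).startswith(USER_WRITABLE_PREFIXES):
            exe_dir[pid], stage[pid] = _dirname(ev["image"]), 1
        elif kind == "image_load" and stage[pid] == 1 and not ev["signed"] \
                and _dirname(ev["path"]) == exe_dir[pid]:
            dll_path[pid], stage[pid] = ev["path"], 2  # DLL sits beside the exe
        elif kind == "network_connect" and stage[pid] == 2:
            stage[pid] = 3
            findings.append({"pid": pid, "dll": dll_path[pid], "dst_host": ev["dst_host"]})
    return findings
```

Run against real endpoint telemetry, the same three-stage correlation would need the unsigned-DLL check to consult the platform's signature verdict and the "user-writable" list to match the environment's actual layout.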


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
