- Darktrace reported Twill Typhoon (Mustang Panda) targeting Asia-Pacific and Japan with updated FDMTP backdoor v3.2.5.1
- Attackers used DLL sideloading via spear-phished ZIPs with Sogou Pinyin plus malicious DLL and mimicked Yahoo/Apple CDN traffic
- FDMTP collects system info, installs plugins for remoting and persistence; researchers emphasize behavioral detection over static indicators
Chinese state-sponsored threat actors are targeting organizations across the Asia-Pacific region as well as Japan with an updated version of a known backdoor, experts have warned.
A new threat intelligence report from security researchers at Darktrace found that, from late September 2025 all the way through April 2026, a hacker collective called Twill Typhoon (or Mustang Panda) has been targeting organizations — including at least one financial sector company — with a backdoor called FDMTP (now in version 3.2.5.1).
To deliver FDMTP, the attackers used DLL sideloading. Using spear-phishing, they would deliver a ZIP file containing a legitimate, trusted program (in this case, a popular Chinese language input method called Sogou Pinyin) along with a malicious DLL carrying the same name as one the program expects. When the victim runs the program, it loads the malicious DLL instead of the legitimate one, giving the attackers code execution and the opportunity to deploy the backdoor.
The execution model consists
They also mimic well-known CDN infrastructure like Yahoo and Apple to make their traffic blend in with normal web activity and thus avoid detection.
Once inside, FDMTP establishes a connection to the hacker-controlled C2, collects detailed system information (antivirus software, user accounts, and more), and installs modular plugins that let attackers remotely run commands, manage files, manipulate system processes, or maintain persistent access.
“This approach is consistent with broader China nexus craft,” Darktrace said in the report. “The stable nature of this activity is behavioral. Infrastructure rotates and payloads may change, but the execution model remains. For defenders, the implication is straightforward: Detection anchored to individual indicators will degrade rapidly. Detection anchored to a behavioral sequence offers a far more sustainable approach.”
In other words, companies need detection systems that recognize this sequence rather than specific known bad indicators.
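To make the "behavioral sequence" idea concrete, here is an added detection example (written for this page, not Darktrace's own logic or any part of the report). It runs over a few constructed Sysmon-style event records and flags the two-stage pattern described above: a signed executable launched from a user-writable location loads an unsigned DLL sitting in its own directory (the sideloading stage), and the same process then opens an outbound connection within a short window (the C2 stage). The directory prefixes, the DLL and host names, and the event field names are all assumptions; nothing here is a real indicator from the campaign.

```python
"""Behavioral-sequence detection: DLL sideloading followed by an outbound connection.

Stage 1: a signed executable running from a user-writable directory loads an
         unsigned DLL from that same directory (classic sideloading shape).
Stage 2: the same process makes a network connection within `window_seconds`.
Matching on the sequence, not on a particular DLL name or domain, is what keeps
the rule useful after the attacker rotates infrastructure or payloads.
"""
import ntpath
from datetime import datetime, timedelta

# Directories an ordinary user can write to; a "trusted" binary that arrived in
# a phishing ZIP is almost always executed from one of these. (Assumed list.)
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Constructed sample telemetry in a Sysmon-like shape; these are not real logs.
SAMPLE_EVENTS = [
    # Benign: signed app in Program Files loads a signed DLL, then checks for updates.
    {"ts": "2026-04-01T08:59:00", "type": "ImageLoad", "pid": 1000,
     "image": r"C:\Program Files\Vendor\App.exe", "image_signed": True,
     "loaded": r"C:\Program Files\Vendor\helper.dll", "loaded_signed": True},
    {"ts": "2026-04-01T08:59:02", "type": "NetworkConnect", "pid": 1000,
     "dest_host": "updates.vendor.example", "dest_port": 443},
    # Suspicious: a trusted input-method binary run from Downloads loads an
    # unsigned DLL beside it, then connects out to a CDN-lookalike host.
    {"ts": "2026-04-01T09:00:01", "type": "ImageLoad", "pid": 4242,
     "image": r"C:\Users\alice\Downloads\SogouInput\SogouInput.exe",
     "image_signed": True,
     "loaded": r"C:\Users\alice\Downloads\SogouInput\input.dll",
     "loaded_signed": False},
    {"ts": "2026-04-01T09:00:09", "type": "NetworkConnect", "pid": 4242,
     "dest_host": "cdn-lookalike.example", "dest_port": 443},
    # Sideload-shaped load with no follow-up connection: a candidate, not an alert.
    {"ts": "2026-04-01T09:10:00", "type": "ImageLoad", "pid": 5555,
     "image": r"C:\Users\bob\AppData\Local\Temp\tool\tool.exe",
     "image_signed": True,
     "loaded": r"C:\Users\bob\AppData\Local\Temp\tool\plugin.dll",
     "loaded_signed": False},
]


def _is_user_writable(path):
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def is_sideload_candidate(ev):
    """Stage 1: signed image + unsigned DLL from the same user-writable directory."""
    if ev["type"] != "ImageLoad":
        return False
    same_dir = ntpath.dirname(ev["image"]).lower() == ntpath.dirname(ev["loaded"]).lower()
    return (ev["image_signed"] and not ev["loaded_signed"]
            and same_dir and _is_user_writable(ev["image"]))


def find_sideload_candidates(events):
    return [e for e in events if is_sideload_candidate(e)]


def find_behavioral_alerts(events, window_seconds=300):
    """Correlate stage 1 with stage 2 per process; returns one alert per sideload event."""
    alerts = []
    ordered = sorted(events, key=lambda e: e["ts"])
    for i, ev in enumerate(ordered):
        if not is_sideload_candidate(ev):
            continue
        t0 = datetime.fromisoformat(ev["ts"])
        for later in ordered[i + 1:]:
            if later["pid"] != ev["pid"] or later["type"] != "NetworkConnect":
                continue
            delay = datetime.fromisoformat(later["ts"]) - t0
            if delay <= timedelta(seconds=window_seconds):
                alerts.append({
                    "pid": ev["pid"],
                    "image": ev["image"],
                    "dll": ev["loaded"],
                    "dest": f'{later["dest_host"]}:{later["dest_port"]}',
                    "delay_s": delay.total_seconds(),
                })
                break  # first connection after the load is enough to fire
    return alerts


if __name__ == "__main__":
    for alert in find_behavioral_alerts(SAMPLE_EVENTS):
        print("ALERT sideload -> outbound connection:", alert)
```

In the sample data only pid 4242 completes the sequence; pid 5555 stays a candidate worth a lower-severity hunt query, and the Program Files process never matches stage 1 at all. Tightening the window (for example to 5 seconds) drops the 4242 alert, which is the usual tuning trade-off: a wider window catches slower beacons at the cost of more benign installers that phone home after unpacking.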