Mustang Panda Linked to New Modular FDMTP Backdoor
Data Breach Today
Researchers Say Nation-State Actors Are Evolving Persistence Techniques
Tiffany Wang • May 14, 2026
An apparent Chinese nation-state hacking group gussied up its tooling with new modular functionality, say security researchers who observed a cyberespionage campaign affecting Asia-Pacific governments.
Researchers at cybersecurity firm Darktrace say the activity resembles attack patterns of the threat actor tracked as Mustang Panda, Twill Typhoon and Earth Preta. The FBI in 2025 described the hacking group as a paid contractor, one of many private sector firms cultivated by Beijing to launch hacking operations on behalf of the government (see: Chinese Hackers' Evolution From Vandals to Strategists).
The group is known for its use of a .NET malware downloader known as FDMTP. The backdoor now has a remote access framework that allows hackers to layer on components, load plugins, update it and maintain access through normal-looking Windows and developer-related processes.
"It provides that framework for being able to change things while you're in the environment and to enable persistence and get specific things into legitimate-looking processes," said Nathaniel Jones, vice president at Darktrace's research department. "It's kind of like you updating your phone continuously, making it really easy for you to go grab a new app after another," he told ISMG.
Researchers spotted the group's latest activity when multiple hosts began in September 2025 making requests to spoofed domains impersonating content delivery networks, including infrastructure putatively belonging to Yahoo and Apple.
A constant across the activity was infected machines retrieving legitimate Windows binaries along with malicious dynamic link libraries to enable the side-loading of FDMTP.
Darktrace found that in April, "a finance-sector endpoint initiated a series of GET requests to yahoo-cdn.it.com first fetching legitimate binaries (including vshost.exe and dfsvc.exe), then repeatedly retrieving associated configuration and DLL components (including dfsvc.exe.config and dnscfg.dll) over an 11-day window."
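As an added example (not Darktrace's or the article's own code) of how a defender could turn the retrieval pattern described above into a detection: a Python script that scans proxy log lines for a host fetching a Windows executable together with a DLL or .exe.config companion from the same external domain. The log format, client hostnames and sample lines are constructed assumptions; the filenames and domain are those named in the article.

```python
"""Flag hosts that pull a DLL side-loading kit (legitimate EXE plus companion
DLL / .exe.config) from a single external domain, as in the Darktrace report."""
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample proxy log lines (timestamp, client host, method, URL).
# Not real telemetry; the filenames mirror those cited in the article.
SAMPLE_LOG = """\
2025-04-02T09:14:03Z fin-ws-17 GET http://yahoo-cdn.it.com/update/vshost.exe
2025-04-02T09:14:05Z fin-ws-17 GET http://yahoo-cdn.it.com/update/dfsvc.exe
2025-04-02T09:14:09Z fin-ws-17 GET http://yahoo-cdn.it.com/update/dfsvc.exe.config
2025-04-02T09:14:11Z fin-ws-17 GET http://yahoo-cdn.it.com/update/dnscfg.dll
2025-04-13T11:02:41Z fin-ws-17 GET http://yahoo-cdn.it.com/update/dnscfg.dll
2025-04-02T10:00:00Z hr-ws-03 GET https://cdn.example-vendor.test/installer.exe
2025-04-02T10:00:02Z hr-ws-03 GET https://cdn.example-vendor.test/eula.txt
"""

EXE_EXT = (".exe",)
COMPANION_EXT = (".dll", ".exe.config")


def parse_line(line):
    """Split one constructed log line into (timestamp, host, method, parsed URL)."""
    ts, host, method, url = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, method, urlparse(url)


def find_sideload_kits(log_text):
    """Return {(host, domain): summary} for every host/domain pair that fetched
    both a Windows executable and a DLL or .exe.config companion file."""
    seen = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, host, method, u = parse_line(line)
        if method != "GET":
            continue
        filename = u.path.rsplit("/", 1)[-1].lower()
        seen[(host, u.netloc)].append((ts, filename))

    alerts = {}
    for key, fetches in seen.items():
        names = {n for _, n in fetches}
        exes = sorted(n for n in names if n.endswith(EXE_EXT))
        companions = sorted(n for n in names if n.endswith(COMPANION_EXT))
        if exes and companions:  # executable plus side-loadable companion
            times = [t for t, _ in fetches]
            alerts[key] = {
                "binaries": exes,
                "companions": companions,
                "span_days": (max(times) - min(times)).days,
                "fetch_count": len(fetches),
            }
    return alerts
```

The hr-ws-03 host fetches an installer and a text file only, so it is not flagged; repeated companion fetches over days, as in the 11-day window above, show up in span_days and fetch_count.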
"The most important takeaway from this research is that modern nation-state cyber operations are no longer built around a single malware strain or a single point of compromise," said Heath Renfrow, CISO of cyber disaster recovery firm Fenix24.