"It provides that framework for being able to change things while you're in the environment and to enable persistence and get specific things into legitimate-looking processes," said Nathaniel Jones, vice president at Darktrace's research department.
Darktrace researchers' observations
Security researchers at Darktrace tracked a cyberespionage campaign that they say aligns with activity attributed to the group variously tracked as Mustang Panda, Twill Typhoon and Earth Preta. The company reported that analysts first noticed multiple hosts, beginning in September 2025, making web requests to spoofed domains that impersonated content-delivery networks, including domains posing as Yahoo and Apple infrastructure. That pattern prompted a deeper investigation into the tooling and delivery mechanisms used in the campaign.
Mustang Panda, FDMTP, and the FBI's 2025 characterization
Darktrace linked the activity to the group commonly known as Mustang Panda, which the FBI in 2025 described as "a paid contractor, one of many private sector firms cultivated by Beijing to launch hacking operations on behalf of the government." The group has previously been associated with a .NET malware downloader known as FDMTP; Darktrace's new reporting shows that FDMTP has acquired additional capabilities that change how defenders must think about persistence.
The new modular remote access framework
According to Darktrace, FDMTP now functions as a remote access framework that supports modularity: attackers can layer components, load plugins, update the backdoor, and maintain access by hiding functionality inside normal-looking Windows and developer-related processes. Nathaniel Jones described the upgrade to FDMTP as making it "kind of like you updating your phone continuously, making it really easy for you to go grab a new app after another." The addition of a plugin and update model lets operators alter capabilities after initial compromise rather than relying on a single static implant.
Spoofed CDNs and side-loading via legitimate Windows binaries
A constant across the observed activity was infected hosts retrieving legitimate Windows binaries alongside malicious dynamic link libraries, enabling side-loading of FDMTP. In DLL side-loading, a genuine (often signed) executable is placed next to a malicious DLL carrying the name of a library the executable expects to load, so the Windows loader resolves the attacker's file from the application directory and the payload runs inside a trusted-looking process. Darktrace documented a concrete example from April in which "a finance-sector endpoint initiated a series of GET requests to yahoo-cdn.it.com, first fetching legitimate binaries (including vshost.exe and dfsvc.exe), then repeatedly retrieving associated configuration and DLL components (including dfsvc.exe.config and dnscfg.dll) over an 11-day window." That behavior — fetching benign executable files while also pulling configuration files and malicious DLLs — is the mechanism the researchers highlight for persistence and stealth.
What this means for technologists, policymakers, and affected enterprises
- Technologists and security teams: Expect multi-component campaigns that pair legitimate binaries with malicious DLLs to side-load capabilities. The concrete signals the researchers flagged are repeated GET requests to domains spoofing major CDNs (the report cites Yahoo and Apple impersonations) and the retrieval pattern Darktrace observed over an 11-day window: legitimate executables fetched first, then configuration files and DLLs from the same domain.
- Policymakers and regulators: The FBI's 2025 description of Mustang Panda as "a paid contractor" cultivated by Beijing frames these operations as part of a broader model in which private-sector firms are used for state-directed activity — a characterization that bears on how policymakers assess attribution, risk and cross-border restraint.
- Affected enterprises (finance and regional governments): The example Darktrace found in a finance-sector endpoint underscores that sensitive networks in the Asia-Pacific region have been targeted; defenders should note the campaign's emphasis on persistence via legitimately named processes and on modular, updatable tooling rather than a single, immutable strain.
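The retrieval pattern described in the April example and listed above as the signal for security teams (legitimate .exe files fetched from a look-alike CDN domain, followed by .config and .dll files from the same domain, repeated across days) can be expressed as a simple detection over web-proxy logs. The following is an added example written for this article, not code from Darktrace or from the report. The log lines are constructed; the domain yahoo-cdn.it.com and the file names vshost.exe, dfsvc.exe, dfsvc.exe.config and dnscfg.dll are taken from the report, while every other host name, the `BRAND_DOMAINS` allowlist and the log format are assumptions.

```python
"""
Flag hosts whose web requests match the side-loading retrieval pattern:
a legitimate-looking Windows executable fetched from a domain, followed by
a DLL or .config file from the same domain. Added example; not from the
Darktrace report. Log lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed proxy log: ISO timestamp, source host, method, URL.
# fin-ws-17 mirrors the report's sequence; dev-ws-02 is benign traffic.
PROXY_LOG = """\
2025-04-01T09:12:03 fin-ws-17 GET http://yahoo-cdn.it.com/assets/vshost.exe
2025-04-01T09:12:05 fin-ws-17 GET http://yahoo-cdn.it.com/assets/dfsvc.exe
2025-04-01T09:12:06 fin-ws-17 GET http://yahoo-cdn.it.com/assets/dfsvc.exe.config
2025-04-01T09:12:07 fin-ws-17 GET http://yahoo-cdn.it.com/assets/dnscfg.dll
2025-04-03T11:40:10 fin-ws-17 GET http://yahoo-cdn.it.com/assets/dnscfg.dll
2025-04-01T10:00:00 dev-ws-02 GET https://cdn.example.com/lib/jquery.min.js
2025-04-01T10:05:00 dev-ws-02 GET https://updates.example.com/tool/setup.exe
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)$")

# Assumed allowlist: registrable domains each brand genuinely serves from.
# A production rule would source this from an inventory, not a literal.
BRAND_DOMAINS = {
    "yahoo": ("yahoo.com", "yimg.com"),
    "apple": ("apple.com", "mzstatic.com"),
}
EXE_SUFFIXES = (".exe",)
PAYLOAD_SUFFIXES = (".dll", ".config")


def registrable(hostname):
    """Last two labels of a hostname; a real tool would use the public-suffix list."""
    return ".".join(hostname.lower().split(".")[-2:])


def looks_like_spoofed_cdn(hostname):
    """True when a brand name appears in a hostname outside that brand's domains."""
    h = hostname.lower()
    return any(brand in h and registrable(h) not in owned
               for brand, owned in BRAND_DOMAINS.items())


def parse_log(text):
    """Turn log lines into events with the fields the detection needs."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        ts, host, _method, url = m.groups()
        u = urlsplit(url)
        events.append({
            "when": datetime.fromisoformat(ts),
            "host": host,
            "domain": u.hostname,
            "file": u.path.rsplit("/", 1)[-1].lower(),
        })
    return events


def find_sideload_patterns(events):
    """Group requests by (host, domain); flag groups that fetched both an
    executable and a DLL/.config file, and record how many days it spanned."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["host"], e["domain"])].append(e)
    findings = []
    for (host, domain), evs in groups.items():
        exes = sorted({e["file"] for e in evs if e["file"].endswith(EXE_SUFFIXES)})
        payloads = sorted({e["file"] for e in evs if e["file"].endswith(PAYLOAD_SUFFIXES)})
        if not (exes and payloads):
            continue
        findings.append({
            "host": host,
            "domain": domain,
            "executables": exes,
            "payloads": payloads,
            "distinct_days": len({e["when"].date() for e in evs}),
            "spoofed_cdn": looks_like_spoofed_cdn(domain),
        })
    return findings


if __name__ == "__main__":
    for f in find_sideload_patterns(parse_log(PROXY_LOG)):
        print(f"{f['host']} <- {f['domain']} exe={f['executables']} "
              f"payloads={f['payloads']} days={f['distinct_days']} "
              f"spoofed_cdn={f['spoofed_cdn']}")
```

The rule deliberately keys on the combination (executable plus DLL or .config from one domain) rather than on any single file name, since the report's point is that the binaries themselves are legitimate; the `spoofed_cdn` flag and the day count are there to rank findings, not to gate them.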
Heath Renfrow, CISO of cyber disaster recovery firm Fenix24, summarized the operational implication succinctly: "The most important takeaway from this research is that modern nation-state cyber operations are no longer built around a single malware strain or a single point of compromise." The Darktrace findings — a modular FDMTP backdoor, spoofed CDN domains, and side-loading via Windows binaries observed over extended periods — illustrate that shift in practice and leave defenders facing a problem of many moving parts rather than one obvious infection to eradicate.