Chinese APT Campaign Targets Entities with Updated FDMTP Backdoor

May 18, 2026, 7:56 p.m.

Description

Beginning in late September 2025, multiple affected hosts were observed making requests to domains impersonating content delivery networks (CDNs), including infrastructure masquerading as Yahoo- and Apple-affiliated services. Across these cases, Darktrace identified a consistent behavioral execution pattern: the retrieval of legitimate binaries alongside malicious Dynamic Link Libraries (DLLs), enabling sideloading and execution of a modular .NET-based Remote Access Trojan (RAT) framework.

Date

  • Created: May 18, 2026, 7:29 p.m.
  • Published: May 18, 2026, 7:29 p.m.
  • Modified: May 18, 2026, 7:56 p.m.

Indicators

  • 47911cb0428f042c2da010ad833cf3830594ecb70cf5d1068ec969751d87647d
  • 0bb1e7190c781ce5dd02304511604c225f0b1b5efe9c62583971266ef0b4ff3a
  • www.icloud-cdn.net

Attack Patterns

Additional Information

  • Universities
  • Investments