Find notable cyber news and cases, enriched with sources, timelines, and signals.

FDMTP 3.2.5.1 modular backdoor activity in Asia-Pacific and Japan

Malware Activity
First reported
Last updated
Happening score
H score 28
1 unique sources, 1 articles

Summary

Hide ▲

An updated FDMTP backdoor variant is active in a months-long espionage operation against Asia-Pacific and Japan networks, increasing the risk of stealthy remote access and persistence. The payload was identified as version 3.2.5.1 and uses custom TCP with a persistent message loop for remote tasking. Its plugin set supports scheduled-task creation, registry persistence, file retrieval, and process manipulation.

Related Happenings

Mustang Panda Asia-Pacific and Japan CDN impersonation espionage campaign

Campaign
H score40 First: 14.05.2026 18:00 Last: 14.05.2026 18:00 Sources 1

How related: According to new analysis from Darktrace, multiple customer environments began making requests to attacker infrastructure impersonating well-known content delivery networks (CDNs) in late September 2025, with activity continuing through April 2026.

About this happening: A **Mustang Panda** espionage campaign used **CDN impersonation** and **DLL sideloading** to target **Asia-Pacific and Japan** networks, extending from **late September 2025 throu...

LOTUSLITE evolved backdoor activity in India banking-sector targeting

Malware Activity
H score23 First: 22.04.2026 10:58 Last: 22.04.2026 10:58 Sources 1

About this happening: An **evolved LOTUSLITE** backdoor is now being deployed with **remote shell**, **file operations**, **session management**, and **data exfiltration** capabilities, extending an **...

LotusLite backdoor delivered via DLL sideloading

Malware Activity
H score22 First: 21.04.2026 15:00 Last: 21.04.2026 15:00 Sources 1

About this happening: The **Mustang Panda** malware activity now includes **June 12–22, 2026** compromises against **Indian government** and **hydropower** targets, where the group abused **Zoho WorkDr...

Latest development: 29.06.2026 18:03

Acronis observed Mustang Panda campaigns against Indian government and hydropower targets using SHARDLOADER, MINIRECON, and ZOHOMURK, with Zoho WorkDrive abused as a command-and-control and exfiltration channel. The activity involved spear-phishing ZIP archives, DLL sideloading through signed binaries such as Solid PDF Creator and Citrix Receiver, and active beaconing from June 12 to June 22, 2026; Acronis also found active compromises inside Indian government networks and worked with CERT-In on notification and cleanup.

Mustang Panda multi-country espionage campaign against government and telecom targets

Campaign
H score37 First: 28.01.2026 13:40 Last: 28.01.2026 13:40 Sources 1

About this happening: **Mustang Panda** is running new **2026** espionage activity against the **Indian government** and **hydropower** targets, using **Zoho WorkDrive** as a command-and-control and ex...

CoolClient backdoor variant adds browser login theft and clipboard monitoring

Malware Activity
H score24 First: 28.01.2026 00:26 Last: 28.01.2026 00:26 Sources 1

About this happening: The **CoolClient backdoor** used by **Mustang Panda** has been updated in a new variant that steals **browser login data** and monitors the **clipboard**, adding **active window t...

Timeline

  1. 14.05.2026 18:00 2 articles · 1mo ago

    Darktrace discloses updated FDMTP backdoor campaign

    Initial Disclosure

    Darktrace disclosed an updated FDMTP 3.2.5.1 backdoor campaign affecting networks in Asia-Pacific and Japan, with activity linked at moderate confidence to Mustang Panda and associated tradecraft. The analysis describes attacker infrastructure impersonating CDNs, legitimate executables paired with malicious DLLs, custom TCP DMTP communications, four loadable plugins for scheduled-task creation, registry persistence, main-framework loading, and remote file retrieval and process manipulation, plus persistence through HKCU\Software\Microsoft\IME entries and an icloud-cdn[.]net update channel.

    Show sources