FDMTP 3.2.5.1 modular backdoor activity in Asia-Pacific and Japan
Malware Activity
Summary
Hide ▲
Show ▼
An updated FDMTP backdoor variant is active in a months-long espionage operation against Asia-Pacific and Japan networks, increasing the risk of stealthy remote access and persistence. The payload was identified as version 3.2.5.1 and uses custom TCP with a persistent message loop for remote tasking. Its plugin set supports scheduled-task creation, registry persistence, file retrieval, and process manipulation.
Related Happenings
Mustang Panda Asia-Pacific and Japan CDN impersonation espionage campaign
Campaign
H score40
First: 14.05.2026 18:00
Last: 14.05.2026 18:00
Sources 1
How related:
According to new analysis from Darktrace, multiple customer environments began making requests to attacker infrastructure impersonating well-known content delivery networks (CDNs) in late September 2025, with activity continuing through April 2026.
About this happening:
A **Mustang Panda** espionage campaign used **CDN impersonation** and **DLL sideloading** to target **Asia-Pacific and Japan** networks, extending from **late September 2025 throu...
Mustang Panda Asia-Pacific and Japan CDN impersonation espionage campaign
CampaignHow related: According to new analysis from Darktrace, multiple customer environments began making requests to attacker infrastructure impersonating well-known content delivery networks (CDNs) in late September 2025, with activity continuing through April 2026.
About this happening: A **Mustang Panda** espionage campaign used **CDN impersonation** and **DLL sideloading** to target **Asia-Pacific and Japan** networks, extending from **late September 2025 throu...
LOTUSLITE evolved backdoor activity in India banking-sector targeting
Malware Activity
H score23
First: 22.04.2026 10:58
Last: 22.04.2026 10:58
Sources 1
About this happening:
An **evolved LOTUSLITE** backdoor is now being deployed with **remote shell**, **file operations**, **session management**, and **data exfiltration** capabilities, extending an **...
LOTUSLITE evolved backdoor activity in India banking-sector targeting
Malware ActivityAbout this happening: An **evolved LOTUSLITE** backdoor is now being deployed with **remote shell**, **file operations**, **session management**, and **data exfiltration** capabilities, extending an **...
LotusLite backdoor delivered via DLL sideloading
Malware Activity
H score22
First: 21.04.2026 15:00
Last: 21.04.2026 15:00
Sources 1
About this happening:
The **Mustang Panda** malware activity now includes **June 12–22, 2026** compromises against **Indian government** and **hydropower** targets, where the group abused **Zoho WorkDr...
LotusLite backdoor delivered via DLL sideloading
Malware ActivityAbout this happening: The **Mustang Panda** malware activity now includes **June 12–22, 2026** compromises against **Indian government** and **hydropower** targets, where the group abused **Zoho WorkDr...
Latest development: 29.06.2026 18:03
Acronis observed Mustang Panda campaigns against Indian government and hydropower targets using SHARDLOADER, MINIRECON, and ZOHOMURK, with Zoho WorkDrive abused as a command-and-control and exfiltration channel. The activity involved spear-phishing ZIP archives, DLL sideloading through signed binaries such as Solid PDF Creator and Citrix Receiver, and active beaconing from June 12 to June 22, 2026; Acronis also found active compromises inside Indian government networks and worked with CERT-In on notification and cleanup.
Mustang Panda multi-country espionage campaign against government and telecom targets
Campaign
H score37
First: 28.01.2026 13:40
Last: 28.01.2026 13:40
Sources 1
About this happening:
**Mustang Panda** is running new **2026** espionage activity against the **Indian government** and **hydropower** targets, using **Zoho WorkDrive** as a command-and-control and ex...
Mustang Panda multi-country espionage campaign against government and telecom targets
CampaignAbout this happening: **Mustang Panda** is running new **2026** espionage activity against the **Indian government** and **hydropower** targets, using **Zoho WorkDrive** as a command-and-control and ex...
CoolClient backdoor variant adds browser login theft and clipboard monitoring
Malware Activity
H score24
First: 28.01.2026 00:26
Last: 28.01.2026 00:26
Sources 1
About this happening:
The **CoolClient backdoor** used by **Mustang Panda** has been updated in a new variant that steals **browser login data** and monitors the **clipboard**, adding **active window t...
CoolClient backdoor variant adds browser login theft and clipboard monitoring
Malware ActivityAbout this happening: The **CoolClient backdoor** used by **Mustang Panda** has been updated in a new variant that steals **browser login data** and monitors the **clipboard**, adding **active window t...
Timeline
-
14.05.2026 18:00 2 articles · 1mo ago
Darktrace discloses updated FDMTP backdoor campaign
Initial DisclosureDarktrace disclosed an updated FDMTP 3.2.5.1 backdoor campaign affecting networks in Asia-Pacific and Japan, with activity linked at moderate confidence to Mustang Panda and associated tradecraft. The analysis describes attacker infrastructure impersonating CDNs, legitimate executables paired with malicious DLLs, custom TCP DMTP communications, four loadable plugins for scheduled-task creation, registry persistence, main-framework loading, and remote file retrieval and process manipulation, plus persistence through HKCU\Software\Microsoft\IME entries and an icloud-cdn[.]net update channel.
Show sources
- Mustang Panda Linked to Updated FDMTP Backdoor in Asia-Pacific Espionage Campaign — www.infosecurity-magazine.com — 14.05.2026 18:00
- Mustang Panda Linked to Updated FDMTP Backdoor in Asia-Pacific Espionage Campaign — www.infosecurity-magazine.com — 14.05.2026 18:00