Overview
- Darktrace, which published new analysis Thursday, detailed a months-long espionage campaign in Asia-Pacific and Japan that ran from late September 2025 through April 2026.
- Attackers masked traffic behind Apple- and Yahoo-themed content delivery network lookalikes, including yahoo-cdn.it.com and icloud-cdn.net, to make downloads appear routine.
- The intrusion chain relied on DLL sideloading (tricking a trusted application into loading a malicious library that carries the name of one it expects), abusing Windows tools such as dfsvc.exe and vshost.exe, as well as Sogou Pinyin’s biz_render.exe paired with a planted browser_host.dll.
- The final payload was an updated FDMTP .NET backdoor (v3.2.5.1) that communicated over DMTP, loaded modular plugins, and kept access through scheduled tasks and registry keys that checked for updates every five minutes.
- Darktrace linked the activity with moderate confidence to the China-aligned Mustang Panda cluster, and it documented an April 2026 finance victim where covert access lasted 11 days.
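As an added illustration of how a defender might hunt for the two artefacts summarised above (this is example code written for this page, not Darktrace's analysis or any tooling from the report), the Python below runs two checks over constructed telemetry: it flags the report's named host executables (dfsvc.exe, vshost.exe, biz_render.exe) when they load a DLL from a user-writable directory or one that fails signature validation, and it flags hostnames that borrow a brand token plus "cdn" outside the brand's own registrable domain, as yahoo-cdn.it.com and icloud-cdn.net do. The record fields, directory prefixes and the brand-to-domain table are assumptions chosen for the example; the sample events and hostnames are constructed.

```python
"""Detection sketch (added example, not Darktrace's code) for two artefacts
from the campaign summary: DLL sideloading into trusted host binaries, and
CDN-themed lookalike domains."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Host executables the report says were abused for sideloading.
SIDELOAD_HOSTS = {"dfsvc.exe", "vshost.exe", "biz_render.exe"}

# Assumed set of directory prefixes writable by an ordinary user; a trusted
# binary loading a DLL from here is the classic sideloading signal.
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
)


@dataclass(frozen=True)
class ImageLoad:
    """One image-load record (assumed schema, e.g. from EDR/Sysmon export)."""
    process_path: str   # image that performed the load
    dll_path: str       # library that was mapped
    dll_signed: bool    # whether Authenticode validated the DLL


def is_user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def sideload_alerts(events):
    """Return the events that look like DLL sideloading into a known host."""
    alerts = []
    for ev in events:
        host = PureWindowsPath(ev.process_path).name.lower()
        if host not in SIDELOAD_HOSTS:
            continue
        # A DLL in a user-writable directory, or one that fails signature
        # validation, is out of place for these hosts.
        if is_user_writable(ev.dll_path) or not ev.dll_signed:
            alerts.append(ev)
    return alerts


# Brand tokens and the registrable domains that legitimately own them
# (assumed mapping for the example).
BRAND_APEX = {
    "icloud": ("icloud.com", "apple.com"),
    "apple": ("apple.com", "icloud.com"),
    "yahoo": ("yahoo.com",),
}


def is_cdn_lookalike(hostname: str) -> bool:
    """True if the name mimics a brand CDN but sits outside the brand's domain."""
    h = hostname.lower().rstrip(".")
    if "cdn" not in h:
        return False
    for brand, apexes in BRAND_APEX.items():
        under_brand = any(h == a or h.endswith("." + a) for a in apexes)
        if brand in h and not under_brand:
            return True
    return False


def lookalike_domains(hostnames):
    return [h for h in hostnames if is_cdn_lookalike(h)]


# Constructed sample telemetry; paths and hostnames are illustrative only.
SAMPLE_LOADS = [
    ImageLoad(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe",
              r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll", True),
    ImageLoad(r"C:\Users\alice\AppData\Local\SogouInput\biz_render.exe",
              r"C:\Users\alice\AppData\Local\SogouInput\browser_host.dll", False),
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\dfsvc.exe",
              r"C:\Users\alice\AppData\Local\Temp\System.dll", True),
]

SAMPLE_HOSTS = [
    "yahoo-cdn.it.com",
    "icloud-cdn.net",
    "cdn.icloud.com",
    "update.example.org",
]

if __name__ == "__main__":
    for ev in sideload_alerts(SAMPLE_LOADS):
        print("sideload?", ev.process_path, "->", ev.dll_path)
    for h in lookalike_domains(SAMPLE_HOSTS):
        print("lookalike?", h)
```

Both checks are deliberately narrow: the sideloading rule keys on the report's named hosts, so in production the host set would be broadened to any signed binary found outside its install directory, and the domain rule is a heuristic that benefits from being joined with first-seen and certificate-age data before it alerts.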