Chinese APT Campaign Targets Entities with Updated FDMTP Backdoor
Beginning in late September 2025, multiple affected hosts were observed making requests to domains impersonating content delivery networks (CDNs), including infrastructure masquerading as Yahoo- and Apple-affiliated services. Across these cases, Darktrace identified a consistent behavioral execution pattern: the retrieval of legitimate binaries alongside malicious Dynamic Link Libraries (DLLs), enabling sideloading and execution of a modular .NET-based Remote Access Trojan (RAT) framework.
AI Analysis
Technical Summary
This campaign, attributed to the Chinese APT group Twill Typhoon, leverages an updated FDMTP backdoor to compromise targets by sideloading malicious DLLs alongside legitimate binaries. The attackers use domains impersonating well-known CDNs to facilitate the delivery of their payloads. The backdoor is a modular .NET-based RAT that enables remote access and control of compromised systems. The campaign was first observed in late September 2025 and involves sophisticated techniques such as DLL sideloading to evade detection. Indicators include a domain (www.icloud-cdn.net) and multiple file hashes associated with the malicious components. No CVE or patch information is available, and no known exploits in the wild have been reported.
Potential Impact
The campaign enables remote access and control of compromised systems through a modular .NET-based RAT, potentially allowing the adversary to perform reconnaissance, persistence, and data exfiltration. The use of legitimate binaries alongside malicious DLLs may help evade detection and facilitate stealthy operations. While the campaign is active, there is no evidence of widespread exploitation or public exploits. The impact is medium severity given the remote access capabilities and targeted nature of the campaign.
Mitigation Recommendations
No official patch or remediation guidance is currently available for this campaign. Organizations should monitor for indicators of compromise such as connections to suspicious domains like www.icloud-cdn.net and the presence of known malicious file hashes. Detection and blocking of DLL sideloading techniques and unusual execution patterns related to .NET binaries may help mitigate risk. Follow vendor advisories and threat intelligence updates for any future patches or mitigation recommendations.
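The behavioural pattern described above (a legitimate executable and a DLL fetched from a CDN-lookalike domain, then the executable loading that DLL from its own directory) can be correlated from download and image-load telemetry. The following is an added example written for this page, not Darktrace's, AlienVault's or the campaign's own code; the event schema, host names, file paths and the 30-minute window are constructed assumptions, and only www.icloud-cdn.net comes from the IoC list.

```python
"""Correlate CDN-lookalike downloads with a later DLL sideload on the same host.

Added illustration, not vendor detection logic. Event schema, hosts, paths and
timestamps are constructed; only www.icloud-cdn.net is taken from the IoC list.
"""
from datetime import datetime, timedelta

IOC_DOMAINS = {"www.icloud-cdn.net"}                       # from the page's IoCs
BRAND_DOMAINS = ("apple.com", "icloud.com", "yahoo.com")   # assumed legitimate owners
WINDOW = timedelta(minutes=30)                              # assumed correlation window

# Constructed events: ("download", host, ts, domain, saved_path) or
#                     ("imageload", host, ts, process_path, dll_path)
EVENTS = [
    ("download", "WS-01", "2025-09-29T10:01:00", "www.icloud-cdn.net", r"C:\Users\a\AppData\Local\Temp\upd\svc.exe"),
    ("download", "WS-01", "2025-09-29T10:01:05", "www.icloud-cdn.net", r"C:\Users\a\AppData\Local\Temp\upd\helper.dll"),
    ("imageload", "WS-01", "2025-09-29T10:02:10", r"C:\Users\a\AppData\Local\Temp\upd\svc.exe", r"C:\Users\a\AppData\Local\Temp\upd\helper.dll"),
    ("download", "WS-02", "2025-09-29T11:00:00", "cdn.apple.com", r"C:\Users\b\Downloads\setup.exe"),
    ("imageload", "WS-02", "2025-09-29T11:01:00", r"C:\Users\b\Downloads\setup.exe", r"C:\Windows\System32\version.dll"),
]

def suspicious_domain(domain):
    """Known IoC domain, or a brand string used outside the brand's own domain."""
    d = domain.lower().rstrip(".")
    if d in IOC_DOMAINS:
        return True
    owned = any(d == b or d.endswith("." + b) for b in BRAND_DOMAINS)
    return (not owned) and any(b.split(".")[0] in d for b in BRAND_DOMAINS)

def same_dir(a, b):
    """True when two Windows paths share a parent directory (case-insensitive)."""
    return a.lower().rsplit("\\", 1)[0] == b.lower().rsplit("\\", 1)[0]

def find_sideloads(events):
    """Return (host, exe, dll) where exe and dll were both fetched from a
    suspicious domain and exe then loaded dll from its own directory in WINDOW."""
    downloads = {}   # (host, lower-cased path) -> download time
    alerts = []
    for kind, host, ts, a, b in sorted(events, key=lambda e: e[2]):
        t = datetime.fromisoformat(ts)
        if kind == "download" and suspicious_domain(a):
            downloads[(host, b.lower())] = t
        elif kind == "imageload" and same_dir(a, b):
            t_exe = downloads.get((host, a.lower()))
            t_dll = downloads.get((host, b.lower()))
            if t_exe and t_dll and t - min(t_exe, t_dll) <= WINDOW:
                alerts.append((host, a, b))
    return alerts
```

A DLL loaded from a system directory (WS-02) is not flagged, so ordinary installers that only pull their own executable do not trip the rule.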
Indicators of Compromise
- domain: www.icloud-cdn.net
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.darktrace.com/blog/chinese-apt-campaign-targets-entities-with-updated-fdmtp-backdoor
- Adversary: Twill Typhoon
- Pulse Id: 6a0b6898afd39bdd2dd6f142
- Threat Score: null
Threat ID: 6a0b6a46ec166c07b0ea1f40
Added to database: 5/18/2026, 7:36:38 PM
Last enriched: 5/18/2026, 7:52:05 PM
Last updated: 5/20/2026, 12:41:47 PM