IndustrialCyber

Twill Typhoon used legitimate Windows tools, DLL sideloading, FDMTP backdoor in APAC espionage campaign


Researchers at Darktrace disclosed a China-linked cyberespionage campaign targeting organizations primarily across the Asia-Pacific and Japan region using an updated version of the FDMTP backdoor and DLL sideloading techniques. The activity, which Darktrace linked with moderate confidence to the Twill Typhoon threat cluster, involved infrastructure impersonating content delivery networks associated with companies such as Yahoo and Apple. Investigators observed attackers retrieving legitimate executables, matching configuration files, and malicious DLLs in a staged sequence designed to sideload a modular .NET-based RAT (remote access trojan) inside trusted processes. 

In a Thursday blog post, Darktrace identified that the malware framework relied heavily on legitimate Windows components, including ClickOnce and Visual Studio hosting processes, to maintain execution and persistence while evading detection. The updated FDMTP backdoor supported system profiling, remote command execution, registry persistence, scheduled task creation, plugin loading, and encrypted command-and-control communications over DMTP (differentiated mail transfer protocol) and TCP (transmission control protocol). 

Researchers also identified plugins capable of manipulating processes, retrieving files, and maintaining long-term persistence through registry modifications and scheduled tasks. The report noted that the campaign reflected a broader China-nexus tradecraft pattern centered on modular intrusion chains, rotating infrastructure, and behavioral consistency rather than dependence on fixed malware indicators. 

The Twill Typhoon–linked China‑nexus campaign targeting APJ customers aligns with patterns described in Darktrace’s Chinese-nexus operations report on Crimson Echo last month. In this case, Darktrace observed modular intrusion chains built on legitimate software and staged payload delivery. Threat actors retrieve legitimate binaries alongside configuration files and malicious DLLs to enable sideloading of a .NET-based RAT.

“Across cases, the same ordered sequence appears: (1) retrieval of a legitimate executable, (2) retrieval of a matching .config file, (3) retrieval of the malicious DLL, (4) repeated DLL downloads over time, and (5) command-and-control (C2) communication,” Darktrace researchers detailed in the post. “The .config file retrieves a malicious binary, while the legitimate binary provides a legitimate process to run it in.”

Darktrace assesses with moderate confidence that this activity aligns with publicly reported Twill Typhoon tradecraft. “The observed use of FDMTP, DLL sideloading, and overlapping infrastructure is consistent with previously observed operations, though not unique to a single actor. While initial access was not directly observed, previous Twill Typhoon campaigns have typically involved spear-phishing.”

The post mentioned that since late September 2025, Darktrace observed multiple customer environments making HTTP GET requests to infrastructure disguised as CDN endpoints impersonating well-known platforms, including Yahoo and Apple. In multiple cases, affected systems downloaded legitimate executables followed by matching configuration files and DLLs intended for sideloading. Researchers noted that this sequence involving a legitimate binary, configuration file, and malicious DLL has previously been associated with China-linked threat actor activity.

Darktrace also observed compromised hosts making outbound requests to a /GetCluster endpoint containing the parameter protocol=Dotnet-Tcpdmtp. The Twill Typhoon activity was frequently followed by retrieval of DLL files later used for search-order hijacking within legitimate processes.

During incidents observed between September and October 2025, Darktrace detected early-stage registration and command-and-control setup activity followed by repeated retrieval of DLL files such as Client.dll from the same external infrastructure over several days, consistent with efforts to establish and maintain the malware execution chain.

Last month, a finance-sector endpoint sent a series of GET requests to yahoo-cdn[.]it[.]com, first downloading legitimate binaries including vshost.exe and dfsvc.exe, then repeatedly retrieving related configuration and DLL files such as dfsvc.exe.config and dnscfg.dll across 11 days. Researchers said the use of both Visual Studio hosting and ClickOnce deployment paths appeared intended to ensure the malware could execute successfully within the targeted environment.

Darktrace researchers identified malware archives containing legitimate executables paired with malicious DLLs designed for sideloading. In one case, attackers used the legitimate Sogou Pinyin IME binary biz_render.exe together with a malicious browser_host.dll to hijack execution flow and run malware within a trusted process.

The campaign also involved downloading additional payload components from attacker-controlled infrastructure, including legitimate Windows ClickOnce and Visual Studio hosting binaries alongside malicious configuration files and encrypted payloads. Researchers said the attackers abused legitimate .NET and hosting processes to decrypt and load malware while maintaining compatibility across different target environments.

Researchers said the dnscfg.dll payload is a heavily obfuscated .NET backdoor identified as Client.TcpDmtp.dll and appears to be an updated version of the FDMTP malware framework. The malware generates much of its logic at runtime and communicates with command-and-control infrastructure over custom TCP and DMTP protocols. Darktrace found the backdoor supports cluster-based host resolution, token validation, structured remote tasking, and persistent execution loops that allow it to receive commands from remote servers.

The malware also uses encrypted runtime string decryption and embeds multiple compressed libraries inside its resources section, including client.core.dll and client.dmtpframe.dll. Researchers said client.core.dll handles system profiling, command-and-control communication, and plugin execution, enabling the malware to collect information such as antivirus products, domain details, hardware identifiers, operating system data, network configuration, and user privileges. The framework also supports both binary and JSON-based plugins, allowing attackers to extend functionality dynamically.

Darktrace found that client.dmtpframe.dll manages DMTP communications, heartbeat and reconnection functions, SSL support, token verification, and persistence through Windows registry modifications under HKCU\Software\Microsoft\IME\{id}. Researchers identified several plugins used during the campaign, including modules for creating scheduled tasks, establishing registry persistence, remotely retrieving files and commands, manipulating processes, and loading the primary malware framework through obfuscated scripts and .NET COM object persistence mechanisms.

Across cases, Darktrace consistently observed the same sequence: retrieval of legitimate executables, retrieval of DLLs for sideloading, and C2 registration via /GetCluster. This approach is consistent with broader China-nexus tradecraft. As outlined in Darktrace’s Crimson Echo report, the stable feature of this activity is behavioral. Infrastructure rotates and payloads can change, but the execution model persists.

For defenders, the implication is straightforward: detection anchored to individual indicators will degrade quickly. Detection anchored to a behavioral sequence offers a far more durable approach.
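One way to put that behavioral anchoring into practice, written here as an added example rather than anything from the Darktrace report: a small detector that walks proxy log lines per host and only advances when the next expected stage (legitimate .exe, then its .exe.config, then a .dll) appears, while separately counting DLL re-fetches and noting /GetCluster registration. The log format (host, method, URL), the sample lines, and the hostname cdn-example.invalid are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (host, method, URL); not from the Darktrace report.
SAMPLE_LOG = """\
10.0.0.5 GET http://cdn-example.invalid/dfsvc.exe
10.0.0.5 GET http://cdn-example.invalid/dfsvc.exe.config
10.0.0.5 GET http://cdn-example.invalid/dnscfg.dll
10.0.0.5 GET http://cdn-example.invalid/GetCluster?protocol=Dotnet-Tcpdmtp
10.0.0.5 GET http://cdn-example.invalid/dnscfg.dll
10.0.0.7 GET http://cdn-example.invalid/vshost.exe
10.0.0.7 GET http://cdn-example.invalid/Client.dll
"""

# Stage classifiers; exe, config and dll must appear in this order to count as a chain.
STAGES = [
    ("exe", re.compile(r"/[^/?]+\.exe$", re.I)),
    ("config", re.compile(r"/[^/?]+\.exe\.config$", re.I)),
    ("dll", re.compile(r"/[^/?]+\.dll$", re.I)),
    ("c2", re.compile(r"/GetCluster\?.*protocol=Dotnet-Tcpdmtp", re.I)),
]
CHAIN_ORDER = ["exe", "config", "dll"]

def classify(url):
    """Stage name for a URL, or None if it matches no stage."""
    return next((name for name, pat in STAGES if pat.search(url)), None)

def detect_chain(log_text):
    """Per host: ordered chain progress, DLL fetch count, and whether /GetCluster was seen."""
    state = defaultdict(lambda: {"chain": [], "dll_fetches": 0, "c2": False})
    for line in log_text.splitlines():
        host, _method, url = line.split(maxsplit=2)
        stage = classify(url)
        if stage is None:
            continue
        s = state[host]
        if stage == "c2":
            s["c2"] = True  # registration may precede or follow repeated DLL fetches
        elif stage == "dll":
            s["dll_fetches"] += 1  # repeated downloads over days are part of the pattern
        # Advance the chain only when the next expected stage appears.
        if len(s["chain"]) < len(CHAIN_ORDER) and stage == CHAIN_ORDER[len(s["chain"])]:
            s["chain"].append(stage)
    return dict(state)

def alerts(log_text):
    """Hosts that completed the chain; severity rises if C2 registration was also seen."""
    return {h: "high" if s["c2"] else "medium"
            for h, s in detect_chain(log_text).items() if s["chain"] == CHAIN_ORDER}
```

Because the match is on the ordered sequence rather than on any filename or domain, the logic keeps working when the CDN lookalike or DLL name changes; only the rotating indicators would need updating in a hash-based rule.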


