Apple Yahoo Infrastructure Hacked for Malware

AppleInsider

Hackers spent months deploying malware disguised as trusted Apple and Yahoo infrastructure across Asia-Pacific organizations. The attackers impersonated CDN infrastructure and used DLL sideloading through legitimate Windows software to hide a modular remote access trojan inside normal-looking network traffic, which made it hard to detect for traditional security tools tuned to obvious threats.

The campaign, which began in late September 2025, used fake domains such as yahoo-cdn[.]it[.]com and icloud-cdn[.]net to deliver malicious DLLs through trusted processes including dfsvc.exe and vshost.exe. Researchers linked the techniques with moderate confidence to Twill Typhoon, a Chinese threat cluster, but stopped short of direct government attribution.

The attack abused legitimate Microsoft .NET processes to hijack execution flow and deliver the FDMTP backdoor framework. Traditional security tools struggled to identify the campaign because familiar infrastructure names and ordinary-looking system behavior masked the malicious activity; no single event stood out, so defenders had to connect the full execution chain to detect it.