Hackers used fake Apple and Yahoo sites for espionage

The attackers impersonated the CDN infrastructure. Image credit: Darktrace

Hackers spent months hiding malware behind fake Apple-themed Internet infrastructure and legitimate Windows programs to infiltrate organizations in the Asia-Pacific region without raising obvious security alarms. Here's how they did it.

The malicious infrastructure was themed after trusted Apple and Yahoo services, and legitimate Windows software combined with DLL sideloading hid a modular remote access Trojan inside ordinary-looking processes and network traffic.

The activity first appeared in customer networks in late September 2025 and primarily affected organizations in the Asia-Pacific region and Japan. Researchers observed repeated abuse of trusted executables and fake CDN frameworks in enterprise environments.

Attackers impersonated CDN infrastructure linked to major technology brands to make malicious traffic appear legitimate. Trusted Windows binaries and DLL sideloading then launched a modular .NET remote access Trojan.

The Yahoo- and Apple-themed infrastructure reused across incidents included the (defanged) domains yahoo-cdn(.)it(.)com and icloud-cdn(.)net. Affected systems first downloaded a legitimate executable, then retrieved the matching configuration file and malicious DLL.

Malicious DLLs hijacked trusted processes and executed malware inside them. The researchers assessed "with moderate confidence" that the observed activity aligns with tradecraft associated with Twill Typhoon, a China-linked threat cluster.

The researchers did not directly attribute the attacks to the Chinese government and noted that many of the techniques are shared across China-linked intrusion groups.

Attackers hid malware in the behavior of trusted software

No obviously malicious files were behind the campaign. Legitimate Microsoft .NET and Visual Studio processes, including dfsvc.exe (the ClickOnce deployment service) and vshost.exe (the Visual Studio hosting process), let the malicious code blend in with regular Windows activity.

One intrusion chain paired a legitimate Sogou Pinyin executable with a malicious DLL named browser_host.dll. Because Windows resolves a DLL by name and searches the application's own directory first, placing the malicious DLL beside the trusted executable was enough to get it loaded into the trusted process and hijack the execution flow.

The payload appears to be an updated version of the FDMTP backdoor framework. It maintained long-term access to compromised systems through encrypted communications, plugin loading, registry persistence, scheduled tasks, system profiling, and DMTP command-and-control channels.

Biz_render.exe loading browser_host.dll. Image credit: Darktrace

Blocklists struggled with the campaign because recognizable infrastructure names and legitimate system tools made the malicious activity look like normal company traffic. Defenders only saw the pattern clearly after connecting the entire chain of execution.

Behavior mattered more than static indicators

The execution model proved more useful than any malware sample or domain name. Across incidents, researchers repeatedly saw the same three steps: an affected system downloads a legitimate executable, retrieves a corresponding configuration file, and loads a malicious DLL.

Command-and-control registration went through a /GetCluster endpoint over DMTP traffic.

The consistent execution behavior gave defenders a more sustainable detection target: infrastructure and payloads changed between incidents, but the execution model stayed the same.
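The following is an added example, not Darktrace's detection logic or anything from its report, showing how the stable execution model above (signed executable, unsigned DLL loaded from the same user-writable directory, beacon to a lookalike CDN or a /GetCluster path) can be checked over process, image-load and network events, and how the brand-plus-"cdn" domains quoted earlier can be flagged without a blocklist. The events are constructed, Sysmon-style records; the file paths, the allow-list of legitimate apex domains and the "signed" field are assumptions.

```python
import re
from collections import defaultdict

# Brand labels the campaign impersonated (from the page) and an assumed,
# deliberately short allow-list of the brands' real registrable domains.
BRANDS = ("apple", "icloud", "yahoo")
LEGIT_APEX = {"apple.com", "icloud.com", "yahoo.com"}
# Directories a standard user can write to (assumed, Windows default layout).
USER_WRITABLE = re.compile(r"^c:\\(users|programdata|windows\\temp)\\", re.I)
C2_PATH = "/getcluster"   # registration endpoint named on the page


def registrable_domain(host):
    """Naive apex: last two labels (yahoo-cdn.it.com -> it.com)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_lookalike_cdn(host):
    """True when a label carries a brand name together with 'cdn' but the
    host does not sit under one of the brand's real apex domains.
    Generalises beyond the two domains on the page to any brand+cdn label."""
    host = host.lower()
    if registrable_domain(host) in LEGIT_APEX:
        return False
    return any(b in label and "cdn" in label
               for label in host.split(".") for b in BRANDS)


def detect_sideload_chain(events):
    """Report processes that complete the chain: signed exe -> unsigned DLL
    from the exe's own user-writable directory -> beacon to a lookalike
    CDN host or the /GetCluster path. Partial chains are not reported."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev["pid"]].append(ev)
    findings = []
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e["ts"])
        exe = next((e for e in evs if e["type"] == "process_create"
                    and e["signed"]), None)
        if exe is None:            # unsigned launcher: different pattern
            continue
        exe_dir = exe["image"].rsplit("\\", 1)[0].lower()
        dlls = [e for e in evs if e["type"] == "image_load" and not e["signed"]
                and USER_WRITABLE.match(e["image"])
                and e["image"].rsplit("\\", 1)[0].lower() == exe_dir]
        beacons = [e for e in evs if e["type"] == "network"
                   and (is_lookalike_cdn(e["dest_host"])
                        or e.get("url", "").lower().startswith(C2_PATH))]
        # The DLL must already be in the process before the beacon fires.
        if dlls and beacons and dlls[0]["ts"] < beacons[0]["ts"]:
            findings.append({"pid": pid, "exe": exe["image"],
                             "dll": dlls[0]["image"],
                             "dest": beacons[0]["dest_host"],
                             "url": beacons[0].get("url", "")})
    return findings


# Constructed sample telemetry: pid 4120 mirrors the chain on the page,
# pid 5200 is a benign browser, pid 6100 is an incomplete chain (no beacon).
TMP = r"C:\Users\jdoe\AppData\Local\Temp"
PF = r"C:\Program Files\Google\Chrome\Application"
SAMPLE_EVENTS = [
    {"ts": 1, "type": "process_create", "pid": 4120, "signed": True,
     "image": TMP + r"\Biz_render.exe"},
    {"ts": 2, "type": "image_load", "pid": 4120, "signed": False,
     "image": TMP + r"\browser_host.dll"},
    {"ts": 3, "type": "network", "pid": 4120,
     "dest_host": "icloud-cdn.net", "url": "/GetCluster"},
    {"ts": 4, "type": "process_create", "pid": 5200, "signed": True,
     "image": PF + r"\chrome.exe"},
    {"ts": 5, "type": "image_load", "pid": 5200, "signed": True,
     "image": PF + r"\chrome_elf.dll"},
    {"ts": 6, "type": "network", "pid": 5200,
     "dest_host": "cdn.apple.com", "url": "/assets/app.js"},
    {"ts": 7, "type": "process_create", "pid": 6100, "signed": True,
     "image": TMP + r"\setup.exe"},
    {"ts": 8, "type": "image_load", "pid": 6100, "signed": False,
     "image": TMP + r"\helper.dll"},
]

if __name__ == "__main__":
    for f in detect_sideload_chain(SAMPLE_EVENTS):
        print(f"pid {f['pid']}: {f['exe']} loaded {f['dll']} "
              f"then beaconed to {f['dest']}{f['url']}")
```

The point of grouping by process rather than alerting on any single event is the one the article makes: each step alone (a signed binary in Temp, an unsigned DLL, an HTTPS connection to a CDN-looking host) is common enough in enterprise telemetry that it would drown an analyst, while the ordered combination is rare and survives changes to the hashes and domains.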

Several technical details pointed to a mature operation: runtime decryption of the execution chain, AES-encrypted payload staging, plugin persistence via registry keys, and fallback execution methods that keep access working across different .NET environments.

Published indicators of compromise included malicious DLL hashes, spoofed CDN domains, and related infrastructure. MITRE ATT&CK mappings tied the operation to DLL injection, registry persistence, reflective code loading, scheduled tasks, and command-and-control traffic.

How Apple Users Can Protect Themselves

Most Apple users won't directly encounter this campaign, but it shows how modern malware exploits trusted software and familiar infrastructure names. Fake Apple domains and legitimate-looking traffic make malicious activity harder to detect with traditional, signature-based security tools.

Resources folder of the malware's .NET project containing compressed DLLs with names beginning "costura" and "touchsocket". Malicious DLLs hijacked trusted processes and executed malware inside them. Image credit: Darktrace

Keeping macOS up to date matters because Apple ships updates to its built-in malware defenses (Gatekeeper, XProtect, and notarization checks). Avoid overriding security prompts to install unsigned applications or developer tools from unknown sources.

Developers and enterprise users face higher risk from supply chain attacks that target internal software ecosystems and tooling. Multi-factor authentication, careful review of npm packages and plugins, and stricter developer account controls reduce that exposure.

Network monitoring tools can flag suspicious outbound connections leaving the network. Utilities like Little Snitch give Mac users visibility into which applications connect to external servers.