HoneyMyte APT Upgrades CoolClient Backdoor With Browser Credential Theft and Advanced Surveillance

Listen to this Post

Featured Image

Introduction: A Quiet but Dangerous Evolution

The HoneyMyte advanced persistent threat (APT) group, widely tracked as Mustang Panda, has quietly escalated its cyber-espionage operations with a major upgrade to its CoolClient backdoor. This latest evolution shifts the group from traditional backdoor persistence into deeper intelligence gathering, including browser login credential theft, clipboard monitoring, and traffic interception. The campaign continues HoneyMyte’s long-standing focus on government and strategic entities, particularly across Asia, while showing increasing technical maturity and operational confidence.

Targeted Regions and Strategic Focus

HoneyMyte’s recent activity concentrates on government organizations in Southeast Asia, Myanmar, Mongolia, Malaysia, Thailand, Pakistan, and parts of Russia. The group has historically focused on espionage across Asia and Europe, and this campaign reinforces that mission by prioritizing sensitive political, diplomatic, and administrative targets.

A Familiar Arsenal With New Enhancements

The group continues to rely on a recognizable toolkit that includes the ToneShell rootkit, PlugX, QReverse, CoolClient backdoors, and USB-based worms such as Tonedisk. What has changed in 2025 is the depth of post-compromise surveillance, with CoolClient now acting as a modular espionage platform rather than a simple remote access tool.

CoolClient’s Early History

Security researchers first observed CoolClient in 2022, with further analysis of updated variants emerging in 2023. These early versions already demonstrated reliable persistence and command-and-control (C2) communication, but lacked the aggressive credential harvesting now seen in the latest builds.

Multi-Stage Infection Chains

Recent CoolClient deployments appear within complex, multi-stage infection chains that often include PlugX and LuminousMoth malware. These chains are designed to frustrate detection by separating initial access, payload decryption, and final execution into distinct stages.

Abusing Legitimate Software for Delivery

HoneyMyte relies heavily on DLL sideloading through trusted, signed binaries. Over multiple campaigns between 2021 and 2025, attackers abused legitimate executables from vendors such as BitDefender, VLC, Ulead PhotoImpact, and Sangfor to load malicious DLLs without triggering security alerts.

Sangfor Abuse in the Latest Variant

The most recent CoolClient variant abuses Sangfor’s legitimate Sang.exe binary to sideload a malicious DLL named libngs.dll. This DLL decrypts and executes multiple encrypted data files that collectively form the backdoor’s core functionality.

File Structure and Execution Flow

Several encrypted components work together during execution:

loader.dat contains shellcode responsible for parameter validation and process injection.

time.dat stores encrypted configuration data.

main.dat holds the primary CoolClient DLL implementing surveillance features.

Process Injection Tactics

Once decrypted, the payload injects malicious code into legitimate processes such as write.exe. This approach allows CoolClient to blend into normal system activity while maintaining long-term access.

Installation and Persistence Mechanisms

CoolClient accepts runtime parameters including install, work, and passuac, each triggering different behaviors. During installation, the malware establishes persistence via Windows Run registry keys, installs a service named media_updaten, checks for antivirus processes, and attempts to bypass User Account Control (UAC).

Privilege Escalation Techniques

The passuac parameter enables privilege escalation by spoofing system binaries like svchost.exe, creating scheduled tasks such as ComboxResetTask, and duplicating access tokens to gain elevated privileges.

Core Surveillance Capabilities

Once active, CoolClient enables keylogging, file operations, TCP tunneling, reverse proxy functionality, and covert data exfiltration. These capabilities allow attackers to maintain full control over infected systems.

Clipboard and Traffic Monitoring

Newly added features include clipboard monitoring through Windows API calls such as GetClipboardData and GetWindowTextW. The malware also inspects HTTP proxy traffic to extract authentication credentials in transit.

Plugin-Based Expansion Model

CoolClient supports modular plugins delivered through its C2 infrastructure. This design allows HoneyMyte to dynamically expand functionality without redeploying the main payload.

Service Management Plugin

The ServiceMgrS.dll plugin enables enumeration, creation, deletion, and control of Windows services, giving attackers deep control over system services.

File Management Plugin

Through FileMgrS.dll, operators can browse drives, manipulate files, compress data into ZIP archives, execute files, and search for sensitive documents.

Remote Command Execution

The RemoteShellS.dll plugin provides a hidden command shell with input and output redirected to the attacker’s C2 server, enabling interactive control.

Command-and-Control Communications

CoolClient communicates over TCP and UDP using custom magic values, such as 0xFFAABBCC, to identify beacon traffic and validate instructions from its operators.

Browser Credential Theft Emerges

Following successful compromise, HoneyMyte deploys dedicated browser login stealers. These components are typically dropped after ToneShell or QReverse execution, indicating a clear post-exploitation phase.

Chrome and Edge Targeting

Separate portable executables target Google Chrome and Microsoft Edge, extracting saved credentials directly from browser data stores.

Chromium DLL Sideloading Variant

A third variant targets Chromium-based browsers via DLL sideloading. It copies the browser’s Login Data and Local State files, queries SQLite databases, and decrypts credentials using DPAPI and AES routines.

Output and Exfiltration Methods

Recovered credentials are written to files such as License.txt before being exfiltrated. Code similarities link this stealer to the LuminousMoth malware family, suggesting shared development resources.

Supporting Scripts for Data Theft

Additional scripts automate reconnaissance and exfiltration. Batch files download utilities like curl and rar, PowerShell scripts collect recent documents, and decrypted browser keys are uploaded to public file-sharing services.

Indicators of Compromise

Defenders should watch for suspicious DLL sideloading, abuse of Sangfor software, creation of services like media_updaten, and outbound traffic to known C2 domains such as account.hamsterxnxx[.]com.

Defensive Recommendations

Effective defense requires behavior-based detection, monitoring of DPAPI access, strict script execution controls, and deep network traffic inspection to catch stealthy C2 communications.

What Undercode Say:

A Strategic Shift Toward Full-Spectrum Espionage

The CoolClient upgrade marks a clear transition for HoneyMyte from access maintenance to aggressive intelligence harvesting. Browser credential theft significantly expands the group’s visibility into government networks.

Living-Off-The-Land Excellence

By abusing trusted binaries and signed software, HoneyMyte continues to demonstrate strong operational discipline. This “living-off-the-land” approach reduces detection rates and complicates forensic analysis.

Modular Design Signals Long-Term Campaigns

The plugin-based architecture suggests that HoneyMyte expects prolonged access to its victims. This flexibility allows operators to adapt tooling based on mission objectives without redeploying malware.

Credential Theft as a Force Multiplier

Stolen browser credentials can unlock internal portals, cloud dashboards, and email systems, dramatically increasing the intelligence value of each compromise.

Regional Focus With Global Implications

While the campaign heavily targets Asia, the techniques used are globally applicable. Any organization relying on trusted third-party software faces similar risks.

LuminousMoth Code Reuse Raises Red Flags

Shared code between CoolClient stealers and LuminousMoth reinforces the idea of a tightly coordinated malware ecosystem rather than isolated tools.

Defense Requires Behavioral Visibility

Signature-based defenses alone are insufficient. Detection must focus on abnormal process behavior, DLL loading anomalies, and credential access patterns.

Public Infrastructure Abuse Accelerates Exfiltration

The use of public file-sharing platforms for data exfiltration helps attackers bypass traditional perimeter controls and blend into normal traffic.

CoolClient Is No Longer “Just” a Backdoor

With credential theft, traffic sniffing, and plugin extensibility, CoolClient now functions as a full-featured cyber-espionage framework.

A Warning for Government Networks

This campaign underscores how persistent APT actors refine tools over years, quietly expanding capabilities until detection becomes extremely difficult.

Fact Checker Results

✅ HoneyMyte’s use of DLL sideloading and Sangfor abuse aligns with documented APT tradecraft.

✅ Browser credential theft methods accurately reflect Chromium and DPAPI behavior.

❌ No evidence suggests this campaign targets consumer users; focus remains institutional.

Prediction

🔮 HoneyMyte will likely expand credential theft to cloud-based authentication tokens.

🔮 Future CoolClient plugins may target email clients and VPN software.

🔮 Increased collaboration between Mustang Panda and related malware families is expected.

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://www.instagram.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon