Listen to this Post

Introduction
The advanced persistent threat (APT) group known as HoneyMyte—also tracked as Mustang Panda or Bronze President—has intensified its cyber-espionage operations across Asia and Europe. Long associated with strategic intelligence gathering, the group has now upgraded its malware arsenal, placing a strong emphasis on stealth, persistence, and credential theft. Recent campaigns reveal a refined version of the CoolClient backdoor, enhanced with browser credential stealers, reconnaissance scripts, and expanded surveillance capabilities. These developments signal a broader shift in HoneyMyte’s operational priorities, moving from traditional document theft toward deep, system-level monitoring of targeted environments.
Rising Espionage Activity Across Regions
HoneyMyte’s latest wave of attacks has been observed primarily across Southeast Asia, which remains the most heavily targeted region. Government institutions continue to bear the brunt of these intrusions, reflecting the group’s long-standing focus on geopolitical intelligence. However, activity has also been detected in parts of Europe and across countries including Myanmar, Mongolia, Malaysia, Pakistan, Thailand, and Russia. This geographical spread highlights the group’s expanding reach and sustained operational tempo.
Malware Arsenal and Infection Strategy
HoneyMyte relies on a well-established toolkit that includes the ToneShell rootkit, PlugX and Qreverse backdoors, CoolClient implants, and USB-based worms such as Tonedisk. These components are often deployed together, creating layered persistence and redundancy. In many cases, CoolClient operates as a secondary backdoor, activated after initial access is secured by PlugX or LuminousMoth, ensuring continued control even if one component is detected.
CoolClient’s Evolution Over Time
First documented publicly in 2022, CoolClient has undergone continuous development. Early analyses described it as a relatively straightforward backdoor, but later reports revealed a steady expansion of its feature set. By 2023, it had become an integral companion to other HoneyMyte malware families. In 2025, the latest iteration represents its most mature form yet, blending espionage-focused data theft with active surveillance features traditionally seen in more sophisticated nation-state tools.
Delivery Mechanisms and DLL Sideloading
Attackers distribute CoolClient using encrypted loaders that contain shellcode and malicious DLLs. A key technique is DLL sideloading through legitimate, signed applications. Recent campaigns abused trusted software from vendors such as BitDefender, VLC, Ulead PhotoImpact, and particularly Sangfor security tools dated between 2021 and 2025. This approach allows malicious DLLs to execute under the guise of trusted processes, significantly reducing detection rates.
Abuse of Sangfor Components
The most recent samples exploit Sangfor’s legitimate Sang.exe executable to load a malicious library named libngs.dll. This DLL decrypts configuration and loader files, including loader.dat and time.dat, before executing embedded shellcode. This method not only enhances stealth but also complicates forensic analysis by keeping core payloads encrypted on disk.
Core Files and Their Roles
The CoolClient deployment includes several tightly coordinated files. Sang.exe acts as the trusted loader, while libngs.dll handles decryption and execution. Loader.dat contains shellcode responsible for parameter checks and process injection, and time.dat stores encrypted configuration data. The final payload resides in main.dat, which delivers the third-stage DLL responsible for full backdoor functionality.
Execution Parameters and Persistence Logic
CoolClient supports multiple execution modes controlled by command-line parameters. Without parameters, it triggers an installation routine. In “install” mode, it establishes persistence through Windows Run registry keys, creates a service disguised as media_updaten, and injects malicious code into a helper process such as write.exe. It also checks for specific antivirus processes to adapt its behavior. Additional modes handle active operation, process injection, and UAC bypass on modern Windows systems through task scheduling and process masquerading.
System Reconnaissance Capabilities
Once active, the final-stage DLL gathers extensive system information. This includes the host name, operating system version, memory size, MAC and IP addresses, user accounts, and installed drivers. These details help attackers assess the value of the compromised system and determine next-stage actions.
Legacy Backdoor Functions
CoolClient retains many classic backdoor features that have defined its earlier versions. These include file upload and deletion, keystroke logging, TCP tunneling, reverse proxy support, and a modular plugin system that allows operators to extend functionality on demand. These features ensure flexibility during long-term espionage campaigns.
Newly Added Surveillance Features
The 2025 upgrade introduces significant new monitoring capabilities. A clipboard monitoring module captures copied text using Windows API calls and stores the data in an encrypted file disguised as a system XML. Active window tracking allows attackers to observe user behavior in real time. Another new feature sniffs HTTP proxy traffic, extracting credentials from Proxy-Authorization headers and decoding them from Base64, effectively harvesting network access details.
Command-and-Control Architecture
CoolClient communicates with its command-and-control servers over both TCP and UDP. It uses specific “magic values” to route different categories of commands. Beacon and configuration commands manage status reporting and tasking, while operational commands handle tunneling, proxy setup, file operations, keylogging, clipboard monitoring, and file access. This structured protocol reflects careful design and long-term operational planning.
Plugin-Based Expansion
Several plugins enhance CoolClient’s capabilities. FileMgrS.dll supports advanced file operations such as drive enumeration, compression, and downloading additional tools. ServiceMgrS.dll allows attackers to manage Windows services remotely. RemoteShellS.dll provides a hidden command shell with input and output redirected through named pipes. Reports also indicate a variant that drops a new rootkit, suggesting deeper kernel-level control may soon be observed.
Browser Credential Stealers
Alongside CoolClient, HoneyMyte deploys specialized browser credential stealers. Multiple variants target Chrome, Edge, and other Chromium-based browsers. Some execute directly, while others rely on sideloading techniques. These stealers copy browser databases, decrypt stored credentials using Windows DPAPI, and save the results to local files for exfiltration. Code overlaps link these tools to other HoneyMyte malware families, reinforcing attribution confidence.
Reconnaissance and Theft Scripts
PowerShell and batch scripts play a supporting role in HoneyMyte operations. These scripts download utilities, collect system and network information, harvest documents, compress data into archives, and exfiltrate it via FTP or public file-sharing APIs. They also target saved credentials from browsers and applications such as FileZilla, indicating a broad interest in both personal and enterprise data.
Defensive Recommendations
Defending against HoneyMyte requires a layered security approach. Endpoint detection and response solutions can help identify abnormal process behavior and DLL sideloading. Timely patching of third-party software, particularly Sangfor products, is critical. Network monitoring to detect suspicious outbound connections and blocking known command-and-control infrastructure can further reduce risk.
What Undercode Say:
HoneyMyte’s latest operations reflect a clear evolution from opportunistic espionage toward persistent, surveillance-driven campaigns. The upgraded CoolClient backdoor shows deliberate investment in long-term access rather than quick data grabs. By focusing on clipboard data, active window tracking, and proxy credential theft, the group is positioning itself to observe targets continuously, not just steal documents.
The abuse of trusted security software for DLL sideloading underscores a growing trend among APT groups: turning defensive tools into attack vectors. This tactic exploits implicit trust relationships within enterprise environments, allowing attackers to blend seamlessly into normal operations. It also challenges traditional detection models that rely heavily on reputation-based trust.
The modular design of CoolClient, combined with its plugin ecosystem, suggests HoneyMyte values adaptability above all. Operators can tailor deployments to specific targets, activating only the capabilities needed for each mission. This reduces noise and lowers the risk of exposure, especially in high-value government networks.
The integration of browser credential stealers and reconnaissance scripts highlights a strategic pivot. Rather than relying solely on documents, HoneyMyte appears increasingly interested in credentials, session data, and network access paths. This information can be leveraged for lateral movement, long-term monitoring, or even future operations beyond the initial campaign.
From a broader perspective, HoneyMyte’s activity reinforces the reality that APT groups are not static. They iterate continuously, learning from detections and adapting their tradecraft. Organizations that rely on outdated threat models or static defenses are likely to fall behind. Continuous visibility, behavioral analysis, and threat intelligence sharing are no longer optional—they are foundational requirements.
Fact Checker Results
✅ HoneyMyte is a known APT group also tracked as Mustang Panda and Bronze President.
✅ CoolClient has been publicly documented since 2022 and shows continuous development.
❌ No public confirmation yet on full technical details of the newly mentioned rootkit variant.
Prediction
🔮 HoneyMyte is likely to expand CoolClient’s surveillance features even further, possibly integrating browser session hijacking or cloud service monitoring.
🔮 Increased abuse of trusted enterprise security software for sideloading is expected to continue.
🔮 Government and critical infrastructure targets in Southeast Asia will remain a primary focus, with gradual expansion into Europe.
🕵️📝✔️Let’s dive deep and fact‑check.
References:
Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://www.instagram.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
Bing
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon




