PostHole
Compose Login
You are browsing eu.zone1 in read-only mode. Log in to participate.
rss-bridge 2026-01-27T08:00:42+00:00

HoneyMyte updates CoolClient and deploys multiple stealers in recent campaigns

Kaspersky researchers analyze updated CoolClient backdoor and new tools and scripts used in HoneyMyte (aka Mustang Panda or Bronze President) APT campaigns, including three variants of a browser data stealer.

HoneyMyte updates CoolClient and deploys multiple stealers in recent campaigns

27 Jan 2026

minute read

Table of Contents

  • CoolClient backdoor
  • CoolClient functionalities
  • Parameter modes in second-stage DLL
  • Final stage DLL
  • Clipboard and active windows monitor
  • HTTP proxy credential sniffer
  • C2 command handler
  • 0xFFAABBCC – Beacon and configuration commands
  • 0xFFAABBCD – Operational commands
  • CoolClient plugins
  • ServiceMgrS.dll – Service management plugin
  • FileMgrS.dll – File management plugin
  • RemoteShellS.dll – Remote shell plugin
  • Browser login data stealer
  • Initial infection
  • Variant C analysis
  • Login data stealer’s attribution
  • Document theft and system information reconnaissance scripts
  • 1.bat – System enumeration and data exfiltration batch script
  • Ttraazcs32.ps1 – PowerShell-based collection and exfiltration
  • t.ps1 – Saved login data collection and exfiltration
  • Conclusion
  • Indicators of compromise

Over the past few years, we’ve been observing and monitoring the espionage activities of HoneyMyte (aka Mustang Panda or Bronze President) within Asia and Europe, with the Southeast Asia region being the most affected. The primary targets of most of the group’s campaigns were government entities.

As an APT group, HoneyMyte uses a variety of sophisticated tools to achieve its goals. These tools include ToneShell, PlugX, Qreverse and CoolClient backdoors, Tonedisk and SnakeDisk USB worms, among others. In 2025, we observed HoneyMyte updating its toolset by enhancing the CoolClient backdoor with new features, deploying several variants of a browser login data stealer, and using multiple scripts designed for data theft and reconnaissance.

Additional information about this threat, including indicators of compromise, is available to customers of the Kaspersky Intelligence Reporting Service. If you are interested, please contact intelreports@kaspersky.com.

CoolClient backdoor

An early version of the CoolClient backdoor was first discovered by Sophos in 2022, and TrendMicro later documented an updated version in 2023. Fast forward to our recent investigations, we found that CoolClient has evolved quite a bit, and the developers have added several new features to the backdoor. This updated version has been observed in multiple campaigns across Myanmar, Mongolia, Malaysia and Russia where it was often deployed as a secondary backdoor in addition to PlugX and LuminousMoth infections.

In our observations, CoolClient was typically delivered alongside encrypted loader files containing encrypted configuration data, shellcode, and in-memory next-stage DLL modules. These modules relied on DLL sideloading as their primary execution method, which required a legitimate signed executable to load a malicious DLL. Between 2021 and 2025, the threat actor abused signed binaries from various software products, including BitDefender, VLC Media Player, Ulead PhotoImpact, and several Sangfor solutions.

[Variants of CoolClient abusing different software for DLL sideloading (2021–2025)]

Variants of CoolClient abusing different software for DLL sideloading (2021–2025)

The latest CoolClient version analyzed in this article abuses legitimate software developed by Sangfor. Below, you can find an overview of how it operates. It is worth noting that its behavior remains consistent across all variants, except for differences in the final-stage features.

[Overview of CoolClient execution flow]

Overview of CoolClient execution flow

However, it is worth noting that in another recent campaign involving this malware in Pakistan and Myanmar, we observed that HoneyMyte has introduced a newer variant of CoolClient that drops and executes a previously unseen rootkit. A separate report will be published in the future that covers the technical analysis and findings related to this CoolClient variant and the associated rootkit.

CoolClient functionalities

In terms of functionality, CoolClient collects detailed system and user information. This includes the computer name, operating system version, total physical memory (RAM), network details (MAC and IP addresses), logged-in user information, and descriptions and versions of loaded driver modules. Furthermore, both old and new variants of CoolClient support file upload to the C2, file deletion, keylogging, TCP tunneling, reverse proxy listening, and plugin staging/execution for running additional in-memory modules. These features are still present in the latest versions, alongside newly added functionalities.

In this latest variant, CoolClient relies on several important files to function properly:

********

Parameter modes in second-stage DLL

FilenameDescription
Sang.exeLegitimate Sangfor application abused for DLL sideloading.
libngs.dllMalicious DLL used to decrypt loader.dat and execute shellcode.
loader.datEncrypted file containing shellcode and a second-stage DLL. Parameter checker and process injection activity reside here.
time.datEncrypted configuration file.
main.datEncrypted file containing shellcode and a third-stage DLL. The core functionality resides here.

CoolClient typically requires three parameters to function properly. These parameters determine which actions the malware is supposed to perform. The following parameters are supported.

********

ParameterActions
No parameter·        CoolClient will launch a new process of itself with the install parameter. For example: Sang.exe install.

| install | CoolClient decrypts time.dat.
Adds new key to the Run registry for persistence mechanism.
Creates a process named write.exe.
Decrypts and injects loader.dat into a newly created write.exe process.
Checks for service control manager (SCM) access.
Checks for multiple AV processes such as 360sd.exe, zhudongfangyu.exe and 360desktopservice64.exe.
Installs a service named media_updaten and starts it.
If the current user is in the Administrator group, creates a new process of itself with the passuac parameter to bypass UAC. |
| work | Creates a process named write.exe.
Decrypts and injects loader.dat into a newly spawned write.exe process. |
| passuac | Bypasses UAC and performs privilege elevation.
Checks if the machine runs Windows 10 or a later version.
Impersonates svchost.exe process by spoofing PEB information.
Creates a scheduled task named ComboxResetTask for persistence. The task executes the malware with the work parameter.
Elevates privileges to admin by duplicating an access token from an existing elevated process. |

Final stage DLL

The write.exe process decrypts and launches the main.dat file, which contains the third (final) stage DLL. CoolClient’s core features are implemented in this DLL. When launched, it first checks whether the keylogger, clipboard stealer, and HTTP proxy credential sniffer are enabled. If they are, CoolClient creates a new thread for each specific functionality. It is worth noting that the clipboard stealer and HTTP proxy credential sniffer are new features that weren’t present in older versions.

Clipboard and active windows monitor

[...]

Original source

Reply