The HoneyMyte APT group, also known as Mustang Panda, has added sophisticated surveillance tools and browser login stealers to its CoolClient backdoor. This article summarises Kaspersky's 2025 analysis of CoolClient. Government entities in Southeast Asia and beyond, including Myanmar, Mongolia, Malaysia, Russia, Thailand and Pakistan, are the targets of this evolution.
HoneyMyte concentrates on espionage against government entities in Asia and Europe. The group's toolset includes USB worms such as Tonedisk, the PlugX, QReverse and CoolClient backdoors, and ToneShell. In 2025 the group added browser credential theft, data exfiltration scripts and reconnaissance capabilities to CoolClient. Full IOCs and details are available through Kaspersky's Intelligence Reporting Service.
Evolution of CoolClient Backdoor

Sophos discovered an early version of CoolClient in 2022, and Trend Micro analysed an updated build in 2023. Recent variants coexist with PlugX and LuminousMoth malware in multi-stage infections.

CoolClient variants abusing various programs for DLL sideloading, 2021-2025 (Source: SECURELIST)

Delivery relies on DLL sideloading against signed binaries from BitDefender, VLC, Ulead PhotoImpact and Sangfor (2021-2025), paired with encrypted loaders. The most recent variant abuses Sangfor's Sang.exe to load libngs.dll, which decrypts loader.dat, time.dat and main.dat. These files contain the DLLs and shellcode that are injected into write.exe processes.
CoolClient execution flow overview (Source: SECURELIST)

File | Description
Sang.exe | legitimate Sangfor binary abused for DLL sideloading
libngs.dll | decrypts and runs loader.dat
loader.dat | shellcode loader that performs process injection
time.dat | parameter checker and shellcode
main.dat | DLL with the core functionality and an encrypted configuration

Persistence and Execution

CoolClient accepts the parameters "install", "work" and "passuac":
install: injects loader.dat, sets Run key persistence, installs the "media_updaten" service, checks for antivirus software (such as 360sd.exe) and bypasses UAC.
work: injects into write.exe.
passuac: creates the ComboxResetTask scheduled task, spoofs svchost.exe and elevates privileges through token duplication.

According to Securelist, the final DLL provides keylogging, TCP tunneling, a reverse proxy, file operations, new clipboard monitoring (via GetClipboardData/GetWindowTextW) and sniffing of HTTP proxy credentials from traffic.

Plugins Increase Capabilities

CoolClient stages plugins over its C2 channel, which uses TCP/UDP with magic values (such as 0xFFAABBCC for beaconing):

Plugin | Functions
ServiceMgrS.dll | enumerate, start, stop, create and delete services
FileMgrS.dll | list drives and files; delete, create, move, ZIP, execute and search
RemoteShellS.dll | hidden cmd.exe with I/O redirected to C2

Post-Exploitation: Browser Login Data Stealer

HoneyMyte deploys stealers after ToneShell/QReverse:

Variant | Target | Approach | MD5
A | Chrome | PE32 | 1A5A9C013CE1B65ABC75D809A25D36A7
B | Edge | PE32 | E1B7EF0F3AC0A0A64F86E220F362B149
C | Chromium | DLL sideloading | DA6F89F15094FD3F74BA186954BE6B05

Variant C copies Login Data and Local State, decrypts the key with DPAPI and the stored passwords with AES, queries the SQLite database for credentials and writes the output to License.txt. Reused code links it to LuminousMoth.
Scripts support the theft:
1.bat: profiles the system, downloads curl, rar and nbtscan, and exfiltrates over FTP.
Ttraazcs32.ps1: collects documents (doc/xls/pdf modified in the last 60 days), archives them with RAR and uploads them.
t.ps1: decrypts Chrome keys and exfiltrates to Pixeldrain.
Defenders should watch for the C2 domain account.hamsterxnxx[.]com, DLL sideloading, abuse of Sangfor binaries, and services named media_updaten. Network traffic analysis, script execution controls, DPAPI access monitoring and behavioural detection all help.
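As an added example (not part of the Securelist report or this article), the hunting logic below runs the indicators named in the persistence, plugin and detection sections above over constructed Sysmon-style events: Sang.exe loading libngs.dll from a user-writable path, write.exe spawned by and injected from Sang.exe, creation of the media_updaten service and the ComboxResetTask task, a Run key entry, and a DNS query for the C2 domain. The event records, registry value names and file paths are constructed, not real telemetry; treating an svchost.exe outside System32 as the "spoofed svchost.exe" step is an assumption about how that behaviour would show up in logs.

```python
"""Hunt for CoolClient tradecraft in Sysmon-style events.

Added example: indicator values come from the report text; the events are
constructed, not real telemetry. Field names follow the standard Sysmon
schema for EventID 1 (ProcessCreate), 7 (ImageLoad), 8 (CreateRemoteThread),
13 (RegistryEvent value set) and 22 (DnsEvent).
"""
from __future__ import annotations

import json
import re

# Indicators named in the report text.
C2_DOMAINS = {"account.hamsterxnxx.com"}
SERVICE_NAME = "media_updaten"
TASK_NAME = "ComboxResetTask"
SIDELOAD_HOST = "sang.exe"      # legitimate Sangfor binary abused for sideloading
SIDELOAD_DLL = "libngs.dll"     # malicious DLL it is tricked into loading
INJECT_TARGET = "write.exe"     # WordPad, the process the shellcode is injected into

# Assumption: a vendor binary copied out of its install directory into a
# user-writable location is a strong sideloading signal.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\appdata|users\\public|programdata|windows\\temp)\\", re.I
)
SYSTEM_DIRS = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.I)


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list[str]:
    """Return zero or more finding strings for one Sysmon-style event."""
    eid = ev.get("EventID")
    out: list[str] = []

    if eid == 7:  # ImageLoad: Sang.exe pulling libngs.dll from a dropped location
        if (_base(ev["Image"]) == SIDELOAD_HOST
                and _base(ev["ImageLoaded"]) == SIDELOAD_DLL
                and USER_WRITABLE.search(ev["ImageLoaded"])):
            out.append(f"sideload: {ev['Image']} loaded {ev['ImageLoaded']}")

    elif eid == 1:  # ProcessCreate
        parent_path = ev.get("ParentImage", "")
        image, parent = _base(ev["Image"]), _base(parent_path)
        if image == INJECT_TARGET and parent == SIDELOAD_HOST:
            out.append(f"injection target: {ev['Image']} spawned by {parent_path}")
        # One reading of "spoofs svchost.exe": a lookalike outside System32 (assumption).
        if image == "svchost.exe" and not SYSTEM_DIRS.match(ev["Image"]):
            out.append(f"masquerade: svchost.exe running from {ev['Image']}")

    elif eid == 8:  # CreateRemoteThread into WordPad
        if _base(ev["TargetImage"]) == INJECT_TARGET:
            out.append(f"remote thread: {ev['SourceImage']} -> {ev['TargetImage']}")

    elif eid == 13:  # RegistryEvent: Run key, service definition, scheduled task
        target = ev["TargetObject"].lower()
        if "\\currentversion\\run\\" in target:
            out.append(f"run key: {ev['TargetObject']} = {ev.get('Details', '')}")
        if f"\\services\\{SERVICE_NAME}\\" in target:
            out.append(f"service: {ev['TargetObject']}")
        if f"\\taskcache\\tree\\{TASK_NAME.lower()}" in target:
            out.append(f"scheduled task: {ev['TargetObject']}")

    elif eid == 22:  # DnsEvent: beacon to the reported C2 domain
        if ev["QueryName"].lower().rstrip(".") in C2_DOMAINS:
            out.append(f"c2 dns: {ev['Image']} resolved {ev['QueryName']}")

    return out


def hunt(events: list[dict]) -> list[str]:
    """Run every check over a list of events and collect findings in order."""
    return [f for ev in events for f in check_event(ev)]


# Constructed sample telemetry: benign noise plus one event per technique.
# Paths and registry value names are invented for the example.
SAMPLE_EVENTS = json.loads(r"""[
 {"EventID": 7, "Image": "C:\\Program Files\\Sangfor\\Sang.exe",
  "ImageLoaded": "C:\\Program Files\\Sangfor\\libngs.dll"},
 {"EventID": 7, "Image": "C:\\Users\\Public\\Libraries\\Sang.exe",
  "ImageLoaded": "C:\\Users\\Public\\Libraries\\libngs.dll"},
 {"EventID": 1, "Image": "C:\\Windows\\System32\\write.exe",
  "ParentImage": "C:\\Users\\Public\\Libraries\\Sang.exe"},
 {"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe",
  "ParentImage": "C:\\Windows\\System32\\services.exe"},
 {"EventID": 1, "Image": "C:\\Users\\Public\\Libraries\\svchost.exe",
  "ParentImage": "C:\\Windows\\System32\\write.exe"},
 {"EventID": 8, "SourceImage": "C:\\Users\\Public\\Libraries\\Sang.exe",
  "TargetImage": "C:\\Windows\\System32\\write.exe"},
 {"EventID": 13, "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\media_updaten\\ImagePath",
  "Details": "C:\\Users\\Public\\Libraries\\Sang.exe install"},
 {"EventID": 13, "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\ComboxResetTask\\Id"},
 {"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Sang",
  "Details": "C:\\Users\\Public\\Libraries\\Sang.exe work"},
 {"EventID": 22, "Image": "C:\\Windows\\System32\\write.exe",
  "QueryName": "account.hamsterxnxx.com"},
 {"EventID": 22, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
  "QueryName": "www.example.com"}
]""")

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

On real data, feed `hunt()` a list of Sysmon events exported as JSON; the sideload check deliberately ignores Sang.exe loading libngs.dll from its own install directory, since that is exactly what the legitimate product does.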