Government organizations throughout Asia and Europe are still at serious risk from the HoneyMyte threat group, also referred to as Mustang Panda or Bronze President. This article explores variants of the group's CoolClient malware. This sophisticated hacker collective is actively expanding its digital arsenal with improved malware intended to steal confidential data from targeted systems, according to recent security research.

The group's operations have been concentrated in Southeast Asia, where their sophisticated campaigns continue to primarily target government agencies. Security experts found in 2025 that HoneyMyte had greatly increased the scope of its toolkit by adding new features to the CoolClient backdoor malware.

[Figure: Variants of CoolClient misusing various programs to sideload DLLs (2021–2025) (Source: Securelist)]

In addition to the CoolClient upgrades, the group used multiple scripts designed to harvest private documents and collect system information, as well as multiple versions of a specialized browser login data stealer. This development shows the group's dedication to creating more efficient tools for extracting important data from compromised networks.

[Figure: CoolClient execution flow overview (Source: Securelist)]

According to Securelist analysts, the malware uses DLL sideloading, a technique in which malicious code is loaded by hijacking legitimate software files, as part of a multi-stage delivery system.

Myanmar, Mongolia, Malaysia, Russia, and Pakistan are among the nations where the malware has been detected.

From 2021 to 2025, to carry out its malicious payload, HoneyMyte exploited trustworthy programs from suppliers like BitDefender, VLC Media Player, and Sangfor.

Browser Credential Stealer and Detection Avoidance

HoneyMyte's new browser credential stealer, which targets login credentials kept in widely used web browsers, is one of the most alarming developments. At least three different versions of this stealer were used by the group in various campaigns.

Google Chrome is the target of variant A, Microsoft Edge is the focus of variant B, and several Chromium-based browsers, such as Opera and Brave, are supported by variant C.

[Figure: A copy-making function stores Chrome browser login credentials in a temporary file called chromeTmp for exfiltration (Source: Securelist)]

Because of this flexibility, attackers can obtain credentials on compromised machines regardless of the browser that users prefer. The stealer copies the target browser's login database and configuration files to temporary folders, then uses Windows security features to decrypt the stored passwords.

The malware extracts the encrypted master keys from the browser files, decrypts them using Windows Data Protection API (DPAPI) functions, and then reconstructs complete login records with usernames and passwords. After obtaining this private data, the malware stores the credentials in hidden folders on the system so they can later be exfiltrated to servers under the attacker's control.

This feature, along with others like keylogging and clipboard monitoring, demonstrates HoneyMyte's shift away from traditional espionage goals and toward active surveillance of victim systems. Government agencies should put robust detection measures in place and keep a close eye out for indications of CoolClient backdoor infections, browser stealer activity, and related malware families used by this threat actor.
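As an added example (not code from the Securelist research or from this article), the two heuristics below flag the behaviours described above over constructed Sysmon-style image-load and file-create events: a signed host binary loading an unsigned DLL from a user-writable directory, and a non-browser process writing a chromeTmp-style copy of the Chromium login database into a temp folder. The event field names, sample paths and the `vendor_helper.dll` file name are assumptions.

```python
from pathlib import PureWindowsPath

# Code locations where a DLL load by a signed vendor binary is expected.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
                r"c:\program files", r"c:\program files (x86)")
# Directories a low-privilege user can write to (planted DLLs and staged copies land here).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "c:\\programdata\\", "c:\\users\\public\\")
BROWSERS = {"chrome.exe", "msedge.exe", "opera.exe", "brave.exe"}
# "Login Data" is the Chromium credential store; "chromeTmp" is the copy name reported above.
LOGIN_DB_NAMES = {"login data", "chrometmp"}

def _parent_dir(path):
    """Lower-cased parent directory with a trailing backslash, for matching."""
    return str(PureWindowsPath(path).parent).lower() + "\\"

def flag_sideload(event):
    """Unsigned DLL loaded from a user-writable directory outside trusted paths."""
    dll_dir = _parent_dir(event["image_loaded"])
    if event["signed"] or dll_dir.startswith(TRUSTED_DIRS):
        return None
    if any(marker in dll_dir for marker in USER_WRITABLE):
        return f"sideload: {event['process']} loaded {event['image_loaded']}"
    return None

def flag_credential_copy(event):
    """Non-browser process writing a login-database copy into a temp folder."""
    proc_name = PureWindowsPath(event["process"]).name.lower()
    target = PureWindowsPath(event["target_file"])
    if proc_name in BROWSERS or target.name.lower() not in LOGIN_DB_NAMES:
        return None
    if "\\temp\\" in _parent_dir(event["target_file"]):
        return f"credential-copy: {event['process']} wrote {event['target_file']}"
    return None

def scan(events):
    """Apply the heuristic matching each event type; return the alert strings."""
    hits = (flag_sideload(ev) if ev["type"] == "image_load" else flag_credential_copy(ev)
            for ev in events)
    return [h for h in hits if h]

# Constructed sample events (Sysmon-style field names are an assumption).
SAMPLE_EVENTS = [
    {"type": "image_load", "signed": False, "process": r"C:\Users\alice\AppData\Roaming\Updater\vlc.exe",
     "image_loaded": r"C:\Users\alice\AppData\Roaming\Updater\vendor_helper.dll"},
    {"type": "image_load", "signed": True, "process": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "image_loaded": r"C:\Program Files\VideoLAN\VLC\vendor_helper.dll"},
    {"type": "file_create", "process": r"C:\Users\alice\AppData\Roaming\Updater\vlc.exe",
     "target_file": r"C:\Users\alice\AppData\Local\Temp\chromeTmp"},
    {"type": "file_create", "process": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target_file": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]
```

Running `scan(SAMPLE_EVENTS)` yields two alerts (the AppData-hosted vlc.exe loading an unsigned DLL, and the same process writing chromeTmp to Temp) while the two legitimate events stay silent.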