Mustang Panda APT Uses CoolClient Backdoor to Deliver Credential-Stealing Malware

Mustang Panda, a China-nexus espionage group that Kaspersky tracks as HoneyMyte, has been observed using an updated version of its CoolClient backdoor to deploy information-stealing modules on targeted systems.

First identified in 2022, CoolClient has served as a secondary backdoor alongside other tooling such as PlugX and the implants used in the LuminousMoth campaign.


New Capabilities in the Latest CoolClient Variant

According to Kaspersky's report, the newest CoolClient version adds several enhanced malicious features:

Credential & Clipboard Theft

  • Steals login credentials saved by browsers.
  • Includes a clipboard monitoring module that captures copied text, which catches passwords pasted from a password manager even when nothing is saved in the browser.
  • The infostealer component exists in multiple variants targeting Chrome, Edge, and other Chromium-based browsers.

System Profiling & Data Collection

CoolClient gathers details about the infected system and user, including:

  • Computer name and OS version
  • RAM and network information
  • Versions of loaded drivers/modules

Expanded Plugin Ecosystem

The backdoor now supports modular “plugins” for:

  • Remote shell access (interactive command execution)
  • Service management (start/stop/modify Windows services)
  • File management (search, compress, map network drives)

Stealthy Deployment & Exfiltration

  • The payload is staged as encrypted .DAT files that are decrypted and executed in a multi-stage process, so the files on disk do not look like executables.
  • Persistence is achieved through Windows Registry modifications, scheduled tasks, and newly created services.
  • Stolen data is exfiltrated with hardcoded API tokens to legitimate public services (e.g., cloud storage), so the traffic is ordinary TLS to well-known hosts and is harder to distinguish on the network. The flip side for defenders is that a recovered sample contains the token, which the service provider can revoke.

Deployment Techniques

Initial Delivery

In recent attacks, Mustang Panda has:

  • Bundled CoolClient into legitimate software installers from Sangfor (a Chinese security and infrastructure vendor), so the target installs the expected product and the backdoor together.

Previously Used Methods

Earlier campaigns used DLL side-loading, abusing signed binaries from:

  • Bitdefender
  • VLC Media Player
  • Ulead PhotoImpact

These techniques help the backdoor evade detection because the process that runs the malicious code is a trusted, digitally signed executable; only the DLL it picks up from its own directory is malicious, so allow-lists keyed on the signer or the process name let it through.


Targeting & Threat Scope

Kaspersky researchers observed the updated CoolClient in campaigns targeting government entities across several countries, including:

  • Myanmar
  • Mongolia
  • Malaysia
  • Russia
  • Pakistan

This suggests the campaign is focused on espionage against public sector networks and foreign policy interests, not typical criminal activity.


Why This Matters

  • Modular & stealthy: The plugin design makes CoolClient adaptable and harder to detect.
  • Legitimate software abuse: Using real installers and signed binaries increases success and lowers suspicion.
  • Cloud exfiltration: Using legitimate services for data theft can blend traffic with normal business activity.
  • Government targets: Indicates a strategic espionage intelligence focus rather than opportunistic crime.

What Defenders Should Look For

If you’re defending networks against threats like this:

  1. Monitor for unexpected Registry changes (especially Run/RunOnce keys), scheduled tasks, or new Windows services, particularly when the referenced executable lives in a user-writable directory.
  2. Watch network traffic for outbound connections to public storage APIs from processes that are not your sanctioned sync clients; the destination alone is not suspicious, the initiating process is.
  3. Use endpoint tools to detect DLL side-loading: a signed binary loading an unsigned DLL from its own directory, especially from Temp, AppData, or ProgramData.
  4. Look for processes other than the browser itself reading browser credential stores, and for clipboard-monitoring behavior.
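As an added example (not Kaspersky's detection logic and not derived from CoolClient samples), the Python below runs three checks over constructed event records in a simplified Sysmon/Windows shape, corresponding to items 1-3 above and to the DLL side-loading technique described under Previously Used Methods: a signed binary loading an unsigned DLL from its own directory in a user-writable location, persistence set via Run keys, services or scheduled tasks pointing at user-writable paths, and connections to public storage APIs from a process that is not a sanctioned sync client. The event field names, sample paths and hostnames, the cloud API watch-list and the "user-writable directory" heuristic are all assumptions to be tuned against real telemetry.

```python
"""Offline triage of constructed Sysmon/Windows event records for the
behaviours described in the article: DLL side-loading from signed binaries,
registry / service / scheduled-task persistence, and exfiltration to public
cloud APIs.

Added example; not Kaspersky's code and not a model of CoolClient itself.
Event shapes, paths, hostnames and the heuristics are assumptions.
"""
import ntpath

# Constructed watch-list of public storage/API endpoints (assumption).
CLOUD_API_HOSTS = {
    "content.dropboxapi.com", "api.dropboxapi.com",
    "www.googleapis.com", "graph.microsoft.com", "api.box.com",
}
# Constructed allow-list of binaries expected to reach those hosts.
EXPECTED_CLOUD_CLIENTS = {"dropbox.exe", "onedrive.exe", "outlook.exe"}
# Path fragments a standard user can write to (constructed heuristic).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\",
                 "\\programdata\\", "\\users\\public\\")
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")


def user_writable(path):
    """True when the path sits somewhere an unprivileged user can drop files."""
    low = ntpath.normcase(path)
    return any(marker in low for marker in USER_WRITABLE)


def detect_sideload(ev):
    # Sysmon event 7 (image loaded): Image = loading process, ImageLoaded = DLL,
    # Signed = signature state of the DLL. A signed host binary loading an
    # unsigned DLL from its own directory in a user-writable location is the
    # classic side-loading shape.
    if ev.get("id") != 7 or ev.get("Signed", "true").lower() != "false":
        return None
    proc, dll = ev["Image"], ev["ImageLoaded"]
    same_dir = ntpath.normcase(ntpath.dirname(proc)) == ntpath.normcase(ntpath.dirname(dll))
    if same_dir and user_writable(dll):
        return ("dll-sideload", f"{ntpath.basename(proc)} loaded unsigned {dll}")
    return None


def detect_persistence(ev):
    # Sysmon 13 (registry value set), System 7045 (service installed) and
    # Security 4698 (scheduled task created), normalised to dicts (assumption).
    eid = ev.get("id")
    if eid == 13:
        key = ntpath.normcase(ev["TargetObject"])
        if any(rk in key for rk in RUN_KEYS) and user_writable(ev.get("Details", "")):
            return ("registry-run-key", f"{ev['TargetObject']} -> {ev['Details']}")
    elif eid == 7045 and user_writable(ev.get("ImagePath", "")):
        return ("new-service", f"{ev['ServiceName']} -> {ev['ImagePath']}")
    elif eid == 4698 and user_writable(ev.get("Command", "")):
        return ("scheduled-task", f"{ev['TaskName']} -> {ev['Command']}")
    return None


def detect_cloud_exfil(ev):
    # Sysmon 3 (network connection): token-based uploads are plain TLS to a
    # well-known host, so the initiating process, not the destination, is the signal.
    if ev.get("id") != 3:
        return None
    host = ev.get("DestinationHostname", "").lower()
    image = ntpath.basename(ev.get("Image", "")).lower()
    if host in CLOUD_API_HOSTS and image not in EXPECTED_CLOUD_CLIENTS:
        return ("cloud-api-from-unexpected-process",
                f"{image} -> {host}:{ev.get('DestinationPort')}")
    return None


RULES = (detect_sideload, detect_persistence, detect_cloud_exfil)


def triage(events):
    """Run every rule over every event; return the list of (rule, detail) hits."""
    hits = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                hits.append(hit)
    return hits


# Constructed sample telemetry (not real indicators).
SAMPLE_EVENTS = [
    {"id": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\vlc\vlc.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\vlc\libvlc.dll", "Signed": "false"},
    {"id": 7, "Image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "ImageLoaded": r"C:\Program Files\VideoLAN\VLC\libvlc.dll", "Signed": "false"},
    {"id": 13, "TargetObject": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Roaming\upd\run.exe"},
    {"id": 7045, "ServiceName": "SysHelper", "ImagePath": r"C:\ProgramData\syshelper\svc.exe"},
    {"id": 4698, "TaskName": r"\Microsoft\Windows\Sync\Check",
     "Command": r"C:\Windows\System32\svchost.exe"},
    {"id": 3, "Image": r"C:\Users\alice\AppData\Local\Temp\vlc\vlc.exe",
     "DestinationHostname": "content.dropboxapi.com", "DestinationPort": 443},
    {"id": 3, "Image": r"C:\Program Files (x86)\Dropbox\Client\Dropbox.exe",
     "DestinationHostname": "content.dropboxapi.com", "DestinationPort": 443},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")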