PROBABLYPWNED
Threat Intelligence | January 29, 2026 | 4 min read

Mustang Panda Upgrades COOLCLIENT With Browser Credential Theft

Chinese APT adds clipboard monitoring, browser stealing, and enhanced plugins to its long-running backdoor. Government entities in Asia remain primary targets.

Alex Kowalski

Mustang Panda has upgraded its COOLCLIENT backdoor with capabilities that go well beyond traditional espionage. Kaspersky researchers published findings this week detailing how the Chinese state-sponsored group added browser credential theft, clipboard monitoring, and HTTP proxy credential sniffing to its long-running implant.

The updated malware has been observed targeting government entities in Myanmar, Mongolia, Malaysia, Russia, and Pakistan throughout 2025.

What's New in COOLCLIENT

COOLCLIENT has been part of Mustang Panda's toolkit since at least 2022, typically deployed alongside PlugX and other implants. The backdoor handles standard remote access tasks: system enumeration, file operations, command execution. What's changed is scope.

The latest variant introduces three capabilities Kaspersky hadn't seen before:

Clipboard monitoring continuously captures copied data. When users copy passwords, cryptocurrency addresses, or sensitive text, the malware intercepts and exfiltrates it. This passive collection requires no user interaction once the backdoor is installed.

Browser credential extraction pulls saved login data from common browsers. Attackers can harvest usernames, passwords, and session cookies without prompting victims to re-enter credentials.

HTTP proxy credential sniffing uses raw packet inspection to extract authentication headers from proxy traffic. Organizations routing web traffic through authenticated proxies may have those credentials compromised even without browser access.

Combined with existing keylogging functionality, COOLCLIENT now operates as both a backdoor and a full-featured infostealer.

Enhanced Plugin Architecture

The backdoor's plugin system has also expanded. Kaspersky documented three new modules:

The remote shell plugin spawns a hidden cmd.exe process and redirects input/output through pipes, enabling interactive command execution over the C2 channel. This gives operators hands-on-keyboard access without needing a separate tool.

A service management plugin lets attackers enumerate, create, start, stop, and delete Windows services. They can also modify startup configurations to ensure persistence survives reboots.

The file management plugin goes beyond basic read/write operations. It supports drive enumeration, file search, ZIP compression, network drive mapping, and execution—essentially a file manager toolkit for post-compromise operations.

Delivery and Evasion

COOLCLIENT operators abuse DLL side-loading through legitimate signed applications. Kaspersky observed the malware delivered via a signed application from Sangfor, a Chinese company specializing in cybersecurity and cloud computing products. Previous campaigns used signed binaries from Bitdefender, VLC Media Player, and Ulead PhotoImpact.

The backdoor uses encrypted .DAT files in a multi-stage execution chain and achieves persistence through Registry modifications, new Windows services, and scheduled tasks. It also includes UAC bypass and privilege escalation capabilities.

C2 communications pass through multiple layers, with the implant capable of operating through proxies when direct connections aren't possible.

Why This Matters

Mustang Panda—also tracked as HoneyMyte, Bronze President, and Earth Preta—has operated since at least 2012, primarily targeting government organizations and NGOs across Southeast Asia. The group's tooling keeps pace with its operational needs.

The shift from pure espionage capabilities to credential theft and financial data collection is notable. We covered how the group deployed a kernel-mode rootkit to conceal its TONESHELL backdoor in December. That represented an escalation in stealth. This COOLCLIENT update represents an escalation in capability.

Kaspersky researchers characterized the updated toolset as going "far beyond traditional espionage goals like document theft and persistence." When a nation-state group adds infostealer functionality, the line between espionage and financially motivated cybercrime blurs.

Detection and Response

Organizations in the group's target regions should hunt for indicators of COOLCLIENT activity:

  1. Monitor for DLL side-loading via legitimate applications, particularly those from Asian software vendors
  2. Audit scheduled tasks and services for unexpected entries with generic or random-looking names
  3. Watch for encrypted .DAT files appearing in application directories
  4. Review outbound connections to unusual destinations, especially traffic matching known C2 patterns
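The first three hunt items above, turned into triage logic as an added example (not code from the article or from Kaspersky's research). It assumes Sysmon-style image-load records with the hypothetical field names below, a constructed list of drop directories, and an entropy threshold that would need tuning per environment; all sample events and names are constructed.

```python
# Hunt logic for COOLCLIENT-style tradecraft over constructed, Sysmon-like records.
# Assumptions (not from the article): field names, SUSPECT_DIRS and the entropy
# threshold are hypothetical; the sample events and names at the bottom are constructed.
import math
import ntpath
from collections import Counter
from dataclasses import dataclass, field

# Directories where a signed vendor binary has no business living (assumed list).
SUSPECT_DIRS = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")

@dataclass
class ImageLoad:
    image: str          # host process executable (hypothetical field)
    loaded: str         # DLL that was loaded
    image_signed: bool  # vendor signature present on the host binary
    dll_signed: bool    # signature present on the DLL
    siblings: list = field(default_factory=list)  # other files in the DLL's directory

def is_sideload_candidate(ev: ImageLoad) -> bool:
    """Signed host process loading an unsigned DLL from its own directory,
    with that directory under a user-writable or staging location."""
    img_dir = ntpath.dirname(ev.image).lower()
    dll_dir = ntpath.dirname(ev.loaded).lower()
    if not (ev.image_signed and not ev.dll_signed and img_dir == dll_dir):
        return False
    return any(s in img_dir + "\\" for s in SUSPECT_DIRS)

def has_staged_payload(ev: ImageLoad) -> bool:
    """The multi-stage chain keeps encrypted .DAT files beside the side-loaded DLL."""
    return any(name.lower().endswith(".dat") for name in ev.siblings)

def shannon_entropy(name: str) -> float:
    counts = Counter(name.lower())
    return -sum(c / len(name) * math.log2(c / len(name)) for c in counts.values())

def looks_random(name: str, threshold: float = 3.0) -> bool:
    """Crude 'random-looking' check for service/task names; tune threshold per environment."""
    return shannon_entropy(name) > threshold

def triage(events, names):
    """Return human-readable findings for hunt items 1 to 3."""
    findings = []
    for ev in events:
        if is_sideload_candidate(ev):
            tag = " (+ .DAT staging)" if has_staged_payload(ev) else ""
            findings.append(f"side-load: {ev.image} -> {ntpath.basename(ev.loaded)}{tag}")
    findings += [f"random-looking name: {n}" for n in names if looks_random(n)]
    return findings

# Constructed sample: signed EXE in %ProgramData% loading an unsigned DLL beside a .DAT blob.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\ProgramData\Vendor\update.exe", r"C:\ProgramData\Vendor\version.dll",
              True, False, ["update.exe", "version.dll", "cfg.dat"]),
    ImageLoad(r"C:\Program Files\Vendor\app.exe", r"C:\Windows\System32\version.dll", True, True),
]
SAMPLE_NAMES = ["Spooler", "xq7vk2pz9"]

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_EVENTS, SAMPLE_NAMES)))
```

The second sample event is the benign baseline: a signed DLL loaded from System32 by an application under Program Files produces no finding.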

Endpoint detection focused on credential access behaviors—browser database reads, clipboard hooks, LSASS memory access—can catch the infostealer components even when the backdoor itself evades detection.

For organizations dealing with Chinese APT threats generally, the CISA guidance on protecting tokens and assertions from theft provides relevant defensive recommendations for credential protection.
