Cyber: Mustang Panda Deploys Updated Coolclient Backdoor In Government...

Threat actors with ties to China have been observed using an updated version of a backdoor called COOLCLIENT in cyber espionage attacks in 2025 to facilitate comprehensive data theft from infected endpoints.

The activity has been attributed to Mustang Panda (aka Earth Preta, Fireant, HoneyMyte, Polaris, and Twill Typhoon) with the intrusions primarily directed against government entities located across campaigns across Myanmar, Mongolia, Malaysia, and Russia.

Kaspersky, which disclosed details of the updated malware, said it's deployed as a secondary backdoor along with PlugX and LuminousMoth infections.

"COOLCLIENT was typically delivered alongside encrypted loader files containing encrypted configuration data, shellcode, and in-memory next-stage DLL modules," the Russian cybersecurity company said. "These modules relied on DLL side-loading as their primary execution method, which required a legitimate signed executable to load a malicious DLL."

Between 2021 and 2025, Mustang Panda is said to have leveraged signed binaries from various software products, including Bitdefender ("qutppy.exe"), VLC Media Player ("vlc.exe" renamed as "googleupdate.exe"), Ulead PhotoImpact ("olreg.exe"), and Sangfor ("sang.exe") for this purpose.

Campaigns observed in 2024 and 2025 have been found to abuse legitimate software developed by Sangfor, with one such wave targeting Pakistan and Myanmar using it to deliver a COOLCLIENT variant that drops and executes a previously unseen rootkit.

COOLCLIENT was first documented by Sophos in November 2022 in a report detailing the widespread use of DLL side-loading by China-based APT groups. A subsequent analysis from Trend Micro officially attributed the backdoor to Mustang Panda and highlighted its ability to read/delete files, as well as monitor the clipboard and active windows.

The malware has also been put to use in attacks targeting multiple telecom operators in a single Asian country in a long-running espionage campaign that may have commenced in 2021, Broadcom's Symantec and Carbon Black Threat Hunter Team revealed in June 2024.

COOLCLIENT is designed for collecting system and user information, such as keystrokes, clipboard contents, files, and HTTP proxy credentials from the host's HTTP traffic packets based on instructions sent from a command-and-control (C2) server over TCP. It can also set up a reverse tunnel or proxy, and receive and execute additional plugins in memory.

These stealers, detected in attacks against

Source: The Hacker News