
A Chinese state-sponsored hacking group has quietly supercharged one of its most reliable cyberespionage tools, transforming it from a simple backdoor into a comprehensive surveillance platform that now targets everything from browser passwords to clipboard data.
Kaspersky researchers have uncovered significant upgrades to CoolClient, a backdoor malware deployed by HoneyMyte (also tracked as Mustang Panda or Bronze President) across government networks in Southeast Asia, Russia, Mongolia, and Malaysia. The enhanced version represents a concerning evolution in the group's capabilities.
The updated CoolClient now features capabilities that go well beyond its original design. New additions include clipboard monitoring that captures anything users copy, an HTTP proxy credential sniffer that extracts authentication data from network traffic, and direct integration with browser credential stealers targeting Chrome, Edge, and other Chromium-based browsers.
"These tools indicate a shift toward the active surveillance of user activity that includes capturing keystrokes, collecting clipboard data, and harvesting proxy credentials," Kaspersky researchers noted in their analysis.
The malware operates through a sophisticated three-stage loading process, typically disguising itself by abusing legitimate signed software from companies like BitDefender, VLC Media Player, and Sangfor. This technique, called DLL side-loading, helps the malware evade detection by piggybacking on trusted applications.
Modular Arsenal
CoolClient's plugin architecture allows attackers to deploy specialized modules on demand. Kaspersky identified three distinct plugins: FileMgrS.dll for comprehensive file management, ServiceMgrS.dll for manipulating Windows services, and RemoteShellS.dll for providing direct command-line access to compromised systems.
The attacks don't stop there. HoneyMyte operatives have been observed using PowerShell and batch scripts to systematically harvest documents, browser data, and network credentials before exfiltrating everything to public file-sharing services like Pixeldrain and Google Drive — a tactic that helps blend malicious traffic with legitimate activity.
Organizations should monitor for unusual DLL side-loading activity involving legitimate software, unexpected network connections to cloud storage services, and suspicious PowerShell script execution. Regular credential rotation and browser security hardening remain essential defensive measures against these credential-harvesting campaigns.
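One way to turn the side-loading guidance above into a concrete check, as an added example that is not from the Kaspersky report: a signed host process loading an unsigned DLL from its own, user-writable directory is flagged, as is any load of the three plugin names the report lists. The record fields and sample events are constructed, loosely modelled on Sysmon Event ID 7 (Image loaded).

```python
"""Heuristic for the DLL side-loading pattern described in the article:
a signed, trusted host binary loading an unsigned DLL staged beside it
in a user-writable directory. Field names and events are assumptions."""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Where legitimately installed software normally lives; a side-loaded
# copy of a signed binary is usually staged somewhere user-writable.
TRUSTED_DIRS = ("c:\\program files", "c:\\windows")

# Plugin names from the report; loading one of these is a direct indicator.
KNOWN_PLUGINS = {"filemgrs.dll", "servicemgrs.dll", "remoteshells.dll"}

@dataclass
class ImageLoad:
    image: str          # host process path
    image_signed: bool  # host binary carries a valid signature
    loaded: str         # DLL path
    loaded_signed: bool # DLL carries a valid signature

def in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)

def classify(ev: ImageLoad) -> Optional[str]:
    """Return an alert label, or None if the load looks benign."""
    dll = PureWindowsPath(ev.loaded)
    if dll.name.lower() in KNOWN_PLUGINS:
        return "known-plugin"
    same_dir = PureWindowsPath(ev.image).parent == dll.parent
    if (ev.image_signed and not ev.loaded_signed and same_dir
            and not in_trusted_dir(ev.loaded)):
        return "possible-sideload"
    return None

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\VideoLAN\VLC\vlc.exe", True,
              r"C:\Program Files\VideoLAN\VLC\libvlc.dll", True),
    ImageLoad(r"C:\Users\bob\AppData\Local\Temp\vlc.exe", True,
              r"C:\Users\bob\AppData\Local\Temp\libvlc.dll", False),
    ImageLoad(r"C:\Windows\System32\svchost.exe", True,
              r"C:\Windows\System32\ntdll.dll", True),
    ImageLoad(r"C:\Users\bob\AppData\Roaming\update\host.exe", True,
              r"C:\Users\bob\AppData\Roaming\update\RemoteShellS.dll", False),
]

def scan(events: List[ImageLoad]) -> List[Tuple[str, str]]:
    """Return (dll name, label) for every event that trips a rule."""
    return [(PureWindowsPath(e.loaded).name, label)
            for e in events if (label := classify(e))]

if __name__ == "__main__":
    for name, label in scan(SAMPLE_EVENTS):
        print(f"{label}: {name}")
```

In production the signature fields would come from the EDR or Sysmon record itself, and the trusted-directory list should match the estate's actual install locations.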