Mustang Panda Targets Government Systems with CoolClient Backdoor and Infostealer Modules in Asia and Eastern Europe
- Rescana

Executive Summary
The Chinese advanced persistent threat group Mustang Panda (also known as HoneyMyte, Bronze President, RedDelta, and TA416) has significantly escalated its cyber-espionage operations by deploying sophisticated infostealer modules through the CoolClient backdoor. This campaign, observed in 2024 and 2025, targets government, diplomatic, and critical infrastructure organizations, primarily across Asia and Eastern Europe. The latest CoolClient variant demonstrates advanced capabilities, including credential theft from major browsers, clipboard monitoring, and stealthy data exfiltration via legitimate cloud services. The attackers employ a multi-stage infection chain, leveraging DLL side-loading and trojanized installers to evade detection and maintain persistence. The evolving tactics, techniques, and procedures (TTPs) of Mustang Panda highlight the urgent need for organizations to enhance their threat detection, incident response, and third-party risk management strategies.
Threat Actor Profile
Mustang Panda is a well-documented Chinese state-aligned APT group active since at least 2017. The group is notorious for targeting government agencies, non-governmental organizations, think tanks, and critical infrastructure, with a focus on Southeast Asia, Central Asia, and, more recently, Eastern Europe. Mustang Panda is characterized by its use of custom malware families, including PlugX, LuminousMoth, and, most notably, CoolClient. The group is adept at leveraging social engineering, spear-phishing, and supply chain attacks, often using legitimate software as a delivery mechanism for its payloads. Its operations are marked by a high degree of operational security, modular malware architectures, and a persistent focus on credential theft and intelligence gathering.
Technical Analysis of Malware/TTPs
The CoolClient backdoor is a modular, multi-stage malware platform that has undergone significant evolution. The infection chain typically begins with DLL side-loading or the use of trojanized installers for legitimate software such as Sangfor, Bitdefender, VLC Media Player, and Ulead PhotoImpact. These methods exploit the trust in signed binaries to bypass security controls.
Upon execution, CoolClient performs extensive system and user profiling, collecting details such as computer name, OS version, installed RAM, network configuration, and loaded drivers. Persistence is established through registry modifications, creation of new Windows services, and scheduled tasks. The malware supports User Account Control (UAC) bypass and privilege escalation, enabling it to operate with elevated permissions.
Payload staging is achieved via encrypted .DAT files, which are decrypted and loaded in memory to avoid detection. The core backdoor features include keylogging, clipboard monitoring, active window title tracking, and HTTP proxy credential sniffing through raw packet inspection. The malware also supports TCP tunneling, reverse-proxying, and in-memory plugin execution, allowing for dynamic extension of its capabilities.
The plugin ecosystem includes a remote shell plugin that spawns a hidden cmd.exe process for interactive command-and-control (C2), a service management plugin for enumerating and manipulating Windows services, and a file management plugin capable of advanced file operations, drive enumeration, ZIP compression, network drive mapping, and file execution.
The most notable innovation in recent campaigns is the deployment of three distinct infostealer modules. Variant A targets Chrome, Variant B targets Edge, and Variant C targets any Chromium-based browser. These modules extract browser login data, copy it to temporary local files, and exfiltrate it using hardcoded API tokens for legitimate cloud services such as Google Drive and Pixeldrain. This approach leverages trusted cloud infrastructure to evade network-based detection and data loss prevention (DLP) controls.
Additionally, researchers have observed the deployment of a previously undocumented rootkit alongside CoolClient, although a comprehensive technical analysis of this component is still pending. The rootkit is believed to provide enhanced stealth and persistence, further complicating detection and remediation efforts.
Exploitation in the Wild
Mustang Panda has actively targeted government entities in Myanmar, Mongolia, Malaysia, Russia, and Pakistan, with evidence of campaigns extending to other regions. The group employs spear-phishing emails and compromised websites to deliver trojanized installers or initiate DLL side-loading attacks. Once initial access is achieved, CoolClient is deployed, followed by the activation of infostealer modules and, in some cases, the rootkit.
Victims have reported unauthorized access to sensitive documents, credential theft, and the exfiltration of confidential data to cloud storage services. The use of legitimate cloud APIs for data exfiltration has enabled the attackers to blend malicious traffic with normal business operations, significantly reducing the likelihood of detection by traditional security appliances.
Victimology and Targeting
The primary targets of this campaign are government ministries, foreign affairs departments, and critical infrastructure operators in Myanmar, Mongolia, Malaysia, Russia, and Pakistan. Secondary targeting includes diplomatic missions, non-governmental organizations, and research institutions with geopolitical relevance to Chinese state interests. The selection of victims indicates a focus on intelligence gathering, diplomatic strategy, and the monitoring of regional security developments.
The attackers demonstrate a nuanced understanding of their targets' environments, often customizing payloads and infection vectors to exploit specific software stacks and operational workflows. The use of Sangfor installers, for example, suggests a deliberate effort to compromise organizations with Chinese IT infrastructure or those operating in regions where Sangfor products are prevalent.
Mitigation and Countermeasures
Organizations are advised to implement a multi-layered defense strategy to counter the advanced TTPs employed by Mustang Panda and the CoolClient backdoor. Key recommendations include:
- Continuous monitoring for unauthorized execution of legitimate signed binaries such as Bitdefender, VLC Media Player, and Ulead PhotoImpact in non-standard directories, as this is a hallmark of DLL side-loading attacks.
- Regular auditing of scheduled tasks and newly created Windows services to identify persistence mechanisms associated with CoolClient.
- Network monitoring for anomalous outbound connections to cloud storage services, particularly Google Drive and Pixeldrain, which may indicate data exfiltration activity.
- Implementation of application whitelisting and strict execution policies to prevent unauthorized DLL loading and the execution of trojanized installers.
- Frequent review of browser credential stores for signs of unauthorized access or export events, especially in environments where Chrome, Edge, or other Chromium-based browsers are in use.
- Deployment of advanced endpoint detection and response (EDR) solutions capable of identifying in-memory plugin execution, privilege escalation attempts, and rootkit activity.
- User awareness training to reduce the risk of spear-phishing and social engineering attacks, which remain common initial access vectors for Mustang Panda.
- Ensuring all software, especially third-party and supply chain components, is sourced from trusted channels and kept up to date with the latest security patches.
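A defender-side detection sketch for the first and third recommendations above (signed carrier applications running from non-standard directories, and non-browser processes connecting to the cloud-storage services used for exfiltration). It is an added example, not code from Rescana or from the Kaspersky research: the Sysmon field names are real, but matching carrier applications on the Product field, the product keywords, the install roots, the API hostnames and the sample events are all assumptions constructed for illustration.

```python
# Product-name fragments for the signed carrier applications the report lists.
# Matching them against the Sysmon 'Product' field is an assumption here.
CARRIER_PRODUCTS = ("vlc", "bitdefender", "photoimpact", "sangfor")
# Install roots regarded as normal; anything else (Temp, AppData, ProgramData...) is non-standard.
EXPECTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# Hostname suffixes of the exfiltration services; assumed API endpoints, not from the report.
EXFIL_HOST_SUFFIXES = ("pixeldrain.com", "googleapis.com")
BROWSERS = {"chrome.exe", "msedge.exe"}  # processes expected to talk to these hosts

def flag_sideload(event):
    """Sysmon EventID 1: carrier product started outside the expected install roots."""
    product = event.get("Product", "").lower()
    image = event.get("Image", "")
    if not any(p in product for p in CARRIER_PRODUCTS):
        return None
    if image.lower().startswith(EXPECTED_ROOTS):
        return None
    return f"possible DLL side-loading: {image} (product '{event['Product']}')"

def flag_exfil(event):
    """Sysmon EventID 3: non-browser process connecting to a cloud-storage host."""
    host = event.get("DestinationHostname", "").lower()
    image = event.get("Image", "")
    if not host.endswith(EXFIL_HOST_SUFFIXES):
        return None
    if image.lower().rsplit("\\", 1)[-1] in BROWSERS:
        return None
    return f"possible cloud exfiltration: {image} -> {host}"

HANDLERS = {1: flag_sideload, 3: flag_exfil}

def scan(events):
    """Run the handler matching each event's ID and collect the findings."""
    findings = []
    for ev in events:
        handler = HANDLERS.get(ev.get("EventID"))
        finding = handler(ev) if handler else None
        if finding:
            findings.append(finding)
    return findings

# Constructed sample telemetry: one benign and one suspicious event per rule.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\VideoLAN\VLC\vlc.exe", "Product": "VLC media player"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\vlc.exe", "Product": "VLC media player"},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "DestinationHostname": "www.googleapis.com"},
    {"EventID": 3, "Image": r"C:\Users\alice\AppData\Local\Temp\vlc.exe", "DestinationHostname": "pixeldrain.com"},
]
```

Running `scan(SAMPLE_EVENTS)` yields two findings: the VLC binary launched from a Temp directory, and that same process reaching pixeldrain.com; the Program Files launch and the browser's own Google API traffic pass silently.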
References
Kaspersky Securelist: HoneyMyte updates CoolClient and deploys multiple stealers in recent campaigns
MITRE ATT&CK: Mustang Panda
NVD (National Vulnerability Database): NVD
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their extended supply chain. Our platform leverages advanced threat intelligence, continuous monitoring, and automated workflows to help organizations stay ahead of emerging threats and regulatory requirements. For more information about how Rescana can help you strengthen your cyber resilience, we are happy to answer questions at ops@rescana.com.