{"id":836,"date":"2026-01-27T09:00:36","date_gmt":"2026-01-27T09:00:36","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/27\/honeymyte-updates-coolclient-and-deploys-multiple-stealers-in-recent-campaigns\/"},"modified":"2026-01-27T09:00:36","modified_gmt":"2026-01-27T09:00:36","slug":"honeymyte-updates-coolclient-and-deploys-multiple-stealers-in-recent-campaigns","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/27\/honeymyte-updates-coolclient-and-deploys-multiple-stealers-in-recent-campaigns\/","title":{"rendered":"HoneyMyte updates CoolClient and deploys multiple stealers in recent campaigns"},"content":{"rendered":"
\n

\"\"<\/p>\n

Over the past few years, we\u2019ve been observing and monitoring the espionage activities of HoneyMyte (aka Mustang Panda or Bronze President) within Asia and Europe, with the Southeast Asia region being the most affected. The primary targets of most of the group\u2019s campaigns were government entities.<\/p>\n

As an APT group, HoneyMyte uses a variety of sophisticated tools to achieve its goals. These tools include ToneShell<\/a>, PlugX, Qreverse and CoolClient backdoors, Tonedisk and SnakeDisk USB worms, among others. In 2025, we observed HoneyMyte updating its toolset by enhancing the CoolClient backdoor with new features, deploying several variants of a browser login data stealer, and using multiple scripts designed for data theft and reconnaissance.<\/p>\n

Additional information about this threat, including indicators of compromise, is available to customers of the Kaspersky Intelligence Reporting Service<\/a>. If you are interested, please contact intelreports@kaspersky.com<\/a>.<\/p>\n

CoolClient backdoor<\/h2>\n

An early version of the CoolClient backdoor was first discovered by Sophos<\/a> in 2022, and TrendMicro<\/a> later documented an updated version in 2023. Fast forward to our recent investigations, we found that CoolClient has evolved quite a bit, and the developers have added several new features to the backdoor. This updated version has been observed in multiple campaigns across Myanmar, Mongolia, Malaysia and Russia where it was often deployed as a secondary backdoor in addition to PlugX and LuminousMoth<\/a> infections.<\/p>\n

In our observations, CoolClient was typically delivered alongside encrypted loader files containing encrypted configuration data, shellcode, and in-memory next-stage DLL modules. These modules relied on DLL sideloading as their primary execution method, which required a legitimate signed executable to load a malicious DLL. Between 2021 and 2025, the threat actor abused signed binaries from various software products, including BitDefender, VLC Media Player, Ulead PhotoImpact, and several Sangfor solutions.<\/p>\n

\"Variants<\/a><\/p>\n

Variants of CoolClient abusing different software for DLL sideloading (2021\u20132025)<\/p>\n<\/div>\n

The latest CoolClient version analyzed in this article abuses legitimate software developed by Sangfor. Below, you can find an overview of how it operates. It is worth noting that its behavior remains consistent across all variants, except for differences in the final-stage features.<\/p>\n

\"Overview<\/a><\/p>\n

Overview of CoolClient execution flow<\/p>\n<\/div>\n

However, it is worth noting that in another recent campaign involving this malware in Pakistan and Myanmar, we observed that HoneyMyte has introduced a newer variant of CoolClient that drops and executes a previously unseen rootkit. A separate report will be published in the future that covers the technical analysis and findings related to this CoolClient variant and the associated rootkit.<\/p>\n

CoolClient functionalities<\/h3>\n

In terms of functionality, CoolClient collects detailed system and user information. This includes the computer name, operating system version, total physical memory (RAM), network details (MAC and IP addresses), logged-in user information, and descriptions and versions of loaded driver modules. Furthermore, both old and new variants of CoolClient support file upload to the C2, file deletion, keylogging, TCP tunneling, reverse proxy listening, and plugin staging\/execution for running additional in-memory modules. These features are still present in the latest versions, alongside newly added functionalities.<\/p>\n

In this latest variant, CoolClient relies on several important files to function properly:<\/p>\n\n\n\n\n\n\n\n\n
Filename<\/strong><\/td>\nDescription<\/strong><\/td>\n<\/tr>\n
Sang.exe<\/td>\nLegitimate Sangfor application abused for DLL sideloading.<\/td>\n<\/tr>\n
libngs.dll<\/td>\nMalicious DLL used to decrypt loader.dat and execute shellcode.<\/td>\n<\/tr>\n
loader.dat<\/td>\nEncrypted file containing shellcode and a second-stage DLL. Parameter checker and process injection activity reside here.<\/td>\n<\/tr>\n
time.dat<\/td>\nEncrypted configuration file.<\/td>\n<\/tr>\n
main.dat<\/td>\nEncrypted file containing shellcode and a third-stage DLL. The core functionality resides here.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Parameter modes in second-stage DLL<\/h3>\n

CoolClient typically requires three parameters to function properly. These parameters determine which actions the malware is supposed to perform. The following parameters are supported.<\/p>\n\n\n\n\n\n\n\n
Parameter<\/strong><\/td>\nActions<\/strong><\/td>\n<\/tr>\n
No parameter<\/td>\n\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 CoolClient will launch a new process of itself with the install parameter. For example: Sang.exe install.<\/td>\n<\/tr>\n
install<\/td>\n\n
    \n
  • CoolClient decrypts time.dat.<\/li>\n
  • Adds new key to the Run registry for persistence mechanism.<\/li>\n
  • Creates a process named write.exe.<\/li>\n
  • Decrypts and injects loader.dat into a newly created write.exe process.<\/li>\n
  • Checks for service control manager (SCM) access.<\/li>\n
  • Checks for multiple AV processes such as 360sd.exe, zhudongfangyu.exe and 360desktopservice64.exe.<\/li>\n
  • Installs a service named media_updaten and starts it.<\/li>\n
  • If the current user is in the Administrator group, creates a new process of itself with the passuac parameter to bypass UAC.<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n
work<\/td>\n\n
    \n
  • Creates a process named write.exe.<\/li>\n
  • Decrypts and injects loader.dat into a newly spawned write.exe process.<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n
passuac<\/td>\n\n