
"Threat actors with ties to China have been observed using an updated version of a backdoor called COOLCLIENT in cyber espionage attacks in 2025 to facilitate comprehensive data theft from infected endpoints. The activity has been attributed to Mustang Panda (aka Earth Preta, Fireant, HoneyMyte, Polaris, and Twill Typhoon) with the intrusions primarily directed against government entities located across Myanmar, Mongolia, Malaysia, and Russia."
"Kaspersky, which disclosed details of the updated malware, said it's deployed as a secondary backdoor along with PlugX and LuminousMoth infections. "COOLCLIENT was typically delivered alongside encrypted loader files containing encrypted configuration data, shellcode, and in-memory next-stage DLL modules," the Russian cybersecurity company said. "These modules relied on DLL side-loading as their primary execution method, which required a legitimate signed executable to load a malicious DLL.""
"Between 2021 and 2025, Mustang Panda is said to have leveraged signed binaries from various software products, including Bitdefender ("qutppy.exe"), VLC Media Player ("vlc.exe" renamed as "googleupdate.exe"), Ulead PhotoImpact ("olreg.exe"), and Sangfor ("sang.exe") for this purpose. Campaigns observed in 2024 and 2025 have been found to abuse legitimate software developed by Sangfor, with one such wave targeting Pakistan and Myanmar using it to deliver a COOLCLIENT variant that drops and executes a previously unseen rootkit."
An updated COOLCLIENT backdoor was used in 2025 cyber espionage operations to exfiltrate comprehensive data from infected endpoints. The intrusions were attributed to Mustang Panda, targeting government entities in Myanmar, Mongolia, Malaysia, and Russia. COOLCLIENT was deployed as a secondary backdoor alongside PlugX and LuminousMoth infections. Delivery used encrypted loader files carrying configuration data, shellcode, and in-memory next-stage DLL modules that executed via DLL side-loading requiring legitimate signed executables. Between 2021 and 2025, signed binaries from Bitdefender, VLC, Ulead PhotoImpact, and Sangfor were abused for DLL side-loading. A 2024–2025 wave abused Sangfor software to deliver a COOLCLIENT variant that dropped a previously unseen rootkit. COOLCLIENT can read and delete files and monitor clipboard and active windows.
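As an added illustration of how a defender might hunt for the side-loading pattern described above (this is not code from the report or from Kaspersky), the following Python flags a host executable whose on-disk name differs from its PE OriginalFileName (the renamed VLC case), or a known abused host loading an unsigned DLL from its own directory outside trusted install paths. The record field names are modelled on Sysmon image-load events, and the sample records and paths are constructed assumptions.

```python
"""Heuristic detection of the DLL side-loading hosts named in the report
(qutppy.exe, vlc.exe renamed googleupdate.exe, olreg.exe, sang.exe).
Input is a constructed list of image-load records shaped like parsed
Sysmon Event ID 7 entries (field names are an assumption)."""
from __future__ import annotations
import ntpath

# Signed executables the report says were abused as side-loading hosts.
KNOWN_HOSTS = {"qutppy.exe", "vlc.exe", "olreg.exe", "sang.exe"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def analyze(record: dict) -> list[str]:
    """Return the reasons a record looks like side-loading (empty list = benign)."""
    image = record["Image"].lower()
    original = record.get("OriginalFileName", "").lower()
    dll = record["ImageLoaded"].lower()
    dll_signed = record.get("Signed", "false").lower() == "true"
    reasons = []
    on_disk = ntpath.basename(image)
    # 1. On-disk name differs from the version-info name (e.g. vlc.exe -> googleupdate.exe).
    if original and original != on_disk:
        reasons.append(f"renamed host: {on_disk} has OriginalFileName {original}")
    # 2. A known host loads an unsigned DLL from its own directory outside trusted paths.
    same_dir = ntpath.dirname(image) == ntpath.dirname(dll)
    untrusted = not image.startswith(TRUSTED_DIRS)
    if original in KNOWN_HOSTS and same_dir and untrusted and not dll_signed:
        reasons.append(f"known side-load host {original} loaded unsigned "
                       f"{ntpath.basename(dll)} from {ntpath.dirname(dll)}")
    return reasons

# Constructed sample records (not real telemetry).
SAMPLE = [
    {"Image": r"C:\Users\alice\AppData\Roaming\Update\googleupdate.exe", "OriginalFileName": "vlc.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\Update\libvlc.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\VideoLAN\VLC\vlc.exe", "OriginalFileName": "vlc.exe",
     "ImageLoaded": r"C:\Program Files\VideoLAN\VLC\libvlc.dll", "Signed": "false"},
    {"Image": r"C:\ProgramData\sang.exe", "OriginalFileName": "sang.exe",
     "ImageLoaded": r"C:\ProgramData\sangfor.dll", "Signed": "false"},
]

def scan(records: list[dict]) -> dict[str, list[str]]:
    """Map each suspicious image path to its list of reasons."""
    return {r["Image"]: analyze(r) for r in records if analyze(r)}

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE).items():
        print(image, "->", "; ".join(reasons))
```

The renamed VLC host trips both rules, the legitimate VLC install in Program Files trips none, and sang.exe in ProgramData trips only the untrusted-directory rule.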
Read at The Hacker News