Threat actors linked to China have been observed using an updated version of the COOLCLIENT backdoor in cyber espionage campaigns primarily targeting government entities. Security researchers at Kaspersky documented significant capability upgrades including clipboard monitoring, browser credential theft, and integration with kernel-mode rootkits.
Threat actor profile
| Attribute | Details |
|---|---|
| Primary name | Mustang Panda |
| Also tracked as | Earth Preta, Fireant, HoneyMyte, Bronze President, Polaris, Twill Typhoon, Basin, Red Delta, Hive0154, Stately Taurus, Camaro Dragon |
| Attribution | Chinese state-sponsored |
| Active since | 2012 |
| Primary targets | Government, diplomatic, defense |
| Geographic focus | Southeast Asia, Europe, North America |
Recent assessment
Taiwan’s National Security Bureau ranked Mustang Panda among the most prolific and high-volume threats targeting its critical infrastructure, reflecting the group’s sustained operational tempo.
COOLCLIENT evolution
The updated COOLCLIENT variant represents a significant capability upgrade from previous versions.
New capabilities
| Feature | Description |
|---|---|
| Clipboard monitoring | Captures clipboard content in real-time |
| Active window tracking | Monitors which applications the user interacts with |
| HTTP proxy credential sniffing | Extracts credentials from proxy authentication via packet inspection |
| Browser data theft | Dedicated modules for Chrome, Edge, Chromium browsers |
Core functionality
| Capability | Implementation |
|---|---|
| System reconnaissance | Computer name, OS version, RAM, network info, driver details |
| File operations | Enumeration, exfiltration, manipulation |
| Credential harvesting | Multiple sources including browsers and proxy auth |
| Screenshot capture | Periodic and on-demand |
| Encrypted C2 | Multiple fallback mechanisms |
Persistence mechanisms
COOLCLIENT establishes persistence through multiple redundant methods:
- Registry modifications (Run keys)
- Scheduled task creation
- Windows service installation
- Startup folder placement
The multi-layered approach ensures the backdoor survives reboots and partial remediation attempts.
Browser stealer modules
Kaspersky documented three distinct infostealer variants deployed alongside COOLCLIENT:
| Variant | Target | Capability |
|---|---|---|
| Variant A | Google Chrome | Login data extraction |
| Variant B | Microsoft Edge | Login data extraction |
| Variant C | Any Chromium-based browser | Universal credential theft |
The browser stealers extract:
- Saved passwords
- Session cookies
- Autofill data
- Payment card information
- Browsing history
Kernel-mode rootkit integration
In a significant escalation, Kaspersky observed Mustang Panda deploying the ToneShell backdoor through a kernel-mode loader:
“This is the first time we’ve seen ToneShell delivered through a kernel-mode loader, giving it protection from user-mode monitoring and benefiting from the rootkit capabilities of the driver that hides its activity from security tools.”
Rootkit capabilities
| Capability | Effect |
|---|---|
| Process hiding | Conceals malicious processes from task manager |
| File hiding | Hides malware files from directory listings |
| Network hiding | Conceals C2 connections from monitoring tools |
| Hook evasion | Bypasses user-mode security hooks |
The kernel-mode approach significantly increases detection difficulty and persistence.
Full toolkit
Mustang Panda employs a diverse malware arsenal:
| Tool | Type | Purpose |
|---|---|---|
| COOLCLIENT | Backdoor | Primary C2, data collection |
| ToneShell | Backdoor | Alternative C2, stealth operations |
| PlugX | RAT | Long-standing espionage tool |
| Qreverse | Backdoor | Reverse shell capabilities |
| Tonedisk | USB worm | Air-gapped network propagation |
| SnakeDisk | USB worm | Removable media spreading |
Campaign targeting
Primary targets
| Sector | Examples |
|---|---|
| Government | Ministries, departments, agencies |
| Diplomatic | Embassies, consulates, missions |
| Policy | Think tanks, research institutes |
| Defense | Contractors, suppliers, military |
Geographic focus
| Region | Targeting Intensity |
|---|---|
| Myanmar | Heavy |
| Thailand | Heavy |
| Taiwan | Heavy |
| Mongolia | High |
| Malaysia | High |
| Russia | Moderate |
| Pakistan | Moderate |
| Southeast Asia (general) | High |
| Europe | Moderate |
| North America | Moderate |
Kaspersky observed updated COOLCLIENT versions deployed against government entities in Myanmar, Mongolia, Malaysia, Russia, and Pakistan during 2025-2026.
Recent campaign timeline
- September 2024: C2 server registration via NameCheap
- February 2025: Suspected campaign initiation
- January 2026: Updated COOLCLIENT variants observed
Attack chain
Initial access
Spear-phishing emails containing:
- Malicious document attachments
- Weaponized archives
- Lure content relevant to target’s role
DLL sideloading technique
COOLCLIENT operators deploy the malware via DLL sideloading by abusing signed binaries from legitimate software vendors:
| Abused software | Vendor | Purpose |
|---|---|---|
| Bitdefender | Bitdefender (security software) | Trusted executable |
| VLC Media Player | VideoLAN | Media player binary |
| Ulead PhotoImpact | Corel | Image editor |
| Sangfor products | Sangfor (Chinese IT vendor) | Enterprise software |
Kaspersky noted attacks deploying COOLCLIENT via legitimate software from Sangfor, a Chinese company specializing in cybersecurity, cloud computing, and IT infrastructure products.
Execution
- User opens malicious attachment
- Document macro or exploit triggers payload
- COOLCLIENT dropper executes
- Multi-stage loading from encrypted .DAT files
- Persistence established
- C2 communication initiated
Post-compromise
- System reconnaissance
- Credential harvesting
- Browser data theft
- File enumeration and exfiltration
- Lateral movement preparation
Detection indicators
Network indicators
| Type | Indicator |
|---|---|
| C2 domains | Check threat intelligence feeds for current IOCs |
| Traffic patterns | Encrypted traffic to unexpected destinations |
| DNS queries | Queries to known Mustang Panda infrastructure |
| Proxy auth | Unusual proxy authentication attempts |
Host indicators
| Type | Indicator |
|---|---|
| Scheduled tasks | Suspicious task names and execution paths |
| Services | Unknown services with system-level privileges |
| Registry | Run key modifications in HKCU/HKLM |
| Processes | Unusual parent-child relationships |
| Drivers | Unsigned or suspicious kernel drivers |
Defensive recommendations
Immediate actions
| Control | Implementation |
|---|---|
| Block IOCs | Integrate Mustang Panda indicators into security tools |
| Macro restrictions | Disable macros from internet-sourced documents |
| Application whitelisting | Prevent unauthorized executable execution |
| EDR deployment | Behavioral detection for COOLCLIENT patterns |
Detection priorities
- Kernel driver loading — Alert on unsigned driver installation
- Clipboard access — Monitor for unusual clipboard monitoring
- Browser credential access — Detect credential store access from non-browser processes
- Scheduled task creation — Review new scheduled tasks for legitimacy
- Encrypted outbound traffic — Analyze traffic to unusual destinations
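The detection priorities above, together with the persistence mechanisms and host indicators listed earlier, can be turned into a simple host-side triage rule set. The following is an added example, not Kaspersky's or any vendor's code; it runs over constructed Sysmon-style events in a simplified dict schema assumed here and labels those that match the list, including the unsigned-driver, non-browser credential-store access and signed-host/unsigned-DLL sideloading cases.

```python
# Host-indicator triage for the detection priorities above: added example, not vendor code.
# Events use a constructed, simplified Sysmon-like dict schema (not a real tool's format).
import ntpath

RUN_KEY = "\\currentversion\\run"           # also matches RunOnce
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "chromium.exe"}
CRED_STORES = ("\\login data", "\\cookies", "\\web data")   # Chromium credential/cookie DBs

def _untrusted(path):
    # True when an executable path lies outside the OS/vendor install trees
    return not path.strip('"').lower().startswith(TRUSTED_DIRS)

def triage(ev):
    """Map one event to a finding label, or None when nothing on the list matches."""
    t = ev["type"]
    if t == "registry_set" and RUN_KEY in ev["key"].lower():
        return "run_key_persistence" if _untrusted(ev["data"]) else None
    if t == "task_created" and _untrusted(ev["action"]):
        return "scheduled_task_untrusted_path"
    if t == "service_installed" and _untrusted(ev["image"]):
        return "service_untrusted_path"
    if t == "driver_loaded" and not ev["signed"]:
        return "unsigned_driver"             # kernel-mode loader / rootkit priority
    if (t == "file_access" and any(s in ev["path"].lower() for s in CRED_STORES)
            and ntpath.basename(ev["process"]).lower() not in BROWSER_IMAGES):
        return "browser_credential_store_access"
    if (t == "image_loaded" and ev["process_signed"] and not ev["dll_signed"]
            and ntpath.dirname(ev["dll"]).lower() == ntpath.dirname(ev["process"]).lower()):
        return "possible_dll_sideload"       # signed host binary, unsigned DLL beside it
    return None

def triage_all(events):
    """Return (event id, finding) pairs for every event that matches a priority."""
    return [(e["id"], f) for e in events if (f := triage(e)) is not None]

# Constructed sample telemetry; every path and name is illustrative, not a real IOC.
CHROME_DB = "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
SAMPLE_EVENTS = [
    {"id": 1, "type": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "data": '"C:\\Users\\alice\\AppData\\Roaming\\Updater\\upd.exe"'},
    {"id": 2, "type": "registry_set", "key": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Agent",
     "data": "C:\\Program Files\\Vendor\\agent.exe"},
    {"id": 3, "type": "task_created", "action": "C:\\Users\\Public\\Libraries\\update.exe"},
    {"id": 4, "type": "service_installed", "image": "C:\\ProgramData\\svchelper.exe"},
    {"id": 5, "type": "driver_loaded", "image": "C:\\Windows\\Temp\\flt.sys", "signed": False},
    {"id": 6, "type": "file_access", "process": "C:\\Users\\Public\\loader.exe", "path": CHROME_DB},
    {"id": 7, "type": "file_access", "process": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "path": CHROME_DB},
    {"id": 8, "type": "image_loaded", "process": "C:\\Users\\Public\\player\\player.exe", "process_signed": True,
     "dll": "C:\\Users\\Public\\player\\helper.dll", "dll_signed": False},
]
```

Events 2 and 7 are deliberate negatives (a Run key pointing into Program Files, and Chrome itself reading its own Login Data) so the rules do not fire on ordinary activity.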
Long-term hardening
| Control | Purpose |
|---|---|
| Network segmentation | Limit lateral movement |
| Privileged access management | Reduce credential exposure |
| Email security | Block malicious attachments |
| User training | Spear-phishing awareness |
| Threat intelligence | Stay current on Mustang Panda TTPs |
Context
Mustang Panda’s investment in kernel-mode capabilities and browser credential theft reflects the increasing sophistication of Chinese APT operations. The group’s sustained focus on government and diplomatic targets across Southeast Asia aligns with Chinese strategic interests in the region.
The combination of COOLCLIENT’s comprehensive data collection, ToneShell’s stealthy kernel-mode delivery, and USB worms for air-gapped networks demonstrates a mature operational capability designed to compromise even well-defended targets.
COOLCLIENT history
COOLCLIENT has been associated with Mustang Panda since 2022:
| Period | Activity |
|---|---|
| 2022 | First documented deployment alongside PlugX |
| 2023 | Secondary backdoor role with LuminousMoth |
| 2024 | Continued use in government targeting |
| 2025 | Major capability upgrades (browser theft, clipboard) |
| 2026 | Kernel-mode rootkit integration observed |
The malware’s evolution from basic backdoor to comprehensive espionage platform reflects Mustang Panda’s continued investment in tooling.
Technical details: persistence
COOLCLIENT uses encrypted .DAT files in a multi-stage execution process and achieves persistence through multiple methods:
| Method | Implementation |
|---|---|
| Registry modifications | Run keys in HKCU/HKLM |
| Windows services | New service installation |
| Scheduled tasks | Recurring execution |
| Startup folder | Direct placement |
| UAC bypass | Privilege escalation techniques |
The multi-layered persistence approach ensures survival across reboots and partial remediation attempts.
Organizations in targeted sectors should assume they are of interest to Mustang Panda and implement defenses accordingly. The group’s prolific activity—recognized even by Taiwan’s NSB as a top threat—means encounters are likely for organizations with any connection to Chinese strategic interests.