Mustang Panda updates CoolClient with browser credentials theft and clipboard monitoring

Published · 5 min read

The China-linked threat actor known as Mustang Panda has updated its arsenal: Kaspersky researchers have identified a new variant of the CoolClient backdoor that adds features designed to steal credentials stored in browsers and to monitor clipboard contents. It is a significant evolution of the implant, and its appearance confirms that the group continues to refine both its technical capabilities and its operating methods.

According to the preliminary analysis published by Kaspersky, this expanded version of CoolClient has already been seen in campaigns against government entities in several countries, and on this occasion the attackers distributed it through legitimate software provided by the Chinese company Sangfor. Using genuine applications as a delivery vector lets operators extend their reach while being less likely to be detected by conventional controls, whether through supply-chain tampering or through trojanized installers that bundle malicious components. Kaspersky's report provides more context on the initial analysis: Kaspersky Securelist; the company concerned is publicly identified as Sangfor.

Image generated with AI.

CoolClient is not new in the Mustang Panda catalogue: since 2022 it had been observed as a secondary backdoor operating alongside other tools of the group, such as PlugX and LuminousMoth. The malware architecture remains modular and multi-stage, relying on encrypted files (.DAT) that load components as needed. This staged execution and its plugin ecosystem allow the operators to do anything from basic system reconnaissance to in-memory execution of additional modules without leaving artifacts on disk that are easy to trace.

The classic capabilities that persist in recent variants include the collection of host information (computer name, OS version, memory, loaded modules), file operations, keylogging, TCP tunnels and reverse proxy functions. To remain on the system, CoolClient achieves persistence by modifying the Registry and creating Windows services and scheduled tasks, and it includes techniques to bypass UAC and escalate privileges when necessary. These functions make eradication and containment more complex if the implant is not detected early.

What stands out in the latest batch of samples is the inclusion of modules focused on browser information theft, with separate modules targeting Chrome, Edge and other Chromium-based browsers, and a specific component that monitors the clipboard. Also added was the ability to track the title of the active window and a "sniffer" for HTTP proxy credentials that operates by analyzing packets and raw headers. The clear objective is to capture sensitive material that users enter or copy, from credentials to documents.

In addition to the browser infostealers, the plugin platform has been enriched with features that allow the operator to open interactive remote shells, manage Windows services and perform advanced file operations (search, ZIP compression, network drive mapping and remote execution). The remote shell, for example, creates a hidden cmd.exe process and redirects its input and output through the command-and-control channel, which lets the attacker run commands by hand without any interaction with the user interface. That makes CoolClient a versatile access and post-exploitation tool rather than a simple data thief.

Another relevant operational change is the exfiltration method: operators are using embedded API tokens that point to legitimate public services, such as Google Drive or file-hosting services, to move stolen data out of the compromised network. Using public platforms whose traffic appears valid is a known technique to dilute alarm signals and complicate the correlation of malicious activity in detection systems.

Researchers also point to indications that CoolClient has been used as a vector to deploy a rootkit never before observed in compromised environments, although the detailed technical description of that component is left for a subsequent report. The introduction of kernel-mode code dramatically increases the capacity for persistence and concealment and poses a serious challenge for the full recovery of the affected environment.

For defenders and administrators, the conclusion is clear: vigilance must be increased. Reviewing the integrity of installers and software updates, validating signatures and origins, and segmenting the environments where sensitive software is deployed are measures that help reduce the attack surface. Monitoring Registry changes, the creation of unexpected services and scheduled tasks, and outbound traffic to cloud storage services can provide early signs of compromise. At the user level, protecting credentials with password managers that encrypt their database and adopting multi-factor authentication are additional barriers to the abuse of stolen credentials. Early detection is crucial to prevent initial access from becoming a persistent intrusion.
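The monitoring advice above (Registry autorun changes, unexpected services and scheduled tasks, hidden cmd.exe shells spawned by an implant, and outbound traffic to cloud storage) can be turned into simple triage rules over endpoint telemetry. The following is an added example written for this article, not code from Kaspersky or from the page; the event shapes are a simplified, constructed approximation of Sysmon and Windows Security events, and the sample lines, the trusted-directory list and the cloud-storage host list are assumptions chosen for illustration.

```python
"""Triage rules for the persistence and exfiltration signals described above.

Added example (not from the page or from Kaspersky). Event field names are a
simplified, constructed approximation of Sysmon / Windows Security events:
  13   Sysmon registry value set        7045 service installed
  4698 scheduled task created           1    process creation
  22   DNS query
"""
import json
import re

# Heuristic: binaries under these directories are treated as trusted. This is
# an assumption of the example; real intrusions can also plant files here.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Illustrative cloud-storage API hosts (assumption; extend from your own data).
CLOUD_STORAGE_HOSTS = {
    "www.googleapis.com", "drive.google.com",
    "api.dropboxapi.com", "content.dropboxapi.com",
}

AUTORUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

# Constructed sample telemetry, one JSON object per line (not real events).
SAMPLE_EVENTS = r"""
{"event_id": 13, "image": "C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe", "target": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"}
{"event_id": 7045, "service_name": "WinSyncHelper", "image_path": "C:\\ProgramData\\sync\\host.exe"}
{"event_id": 4698, "task_name": "\\Microsoft\\Windows\\Maintenance\\Check", "command": "C:\\ProgramData\\sync\\host.exe"}
{"event_id": 1, "image": "C:\\Windows\\System32\\cmd.exe", "parent_image": "C:\\ProgramData\\sync\\host.exe"}
{"event_id": 22, "image": "C:\\ProgramData\\sync\\host.exe", "query": "www.googleapis.com"}
{"event_id": 22, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "query": "www.googleapis.com"}
{"event_id": 1, "image": "C:\\Windows\\System32\\cmd.exe", "parent_image": "C:\\Windows\\explorer.exe"}
{"event_id": 7045, "service_name": "Spooler", "image_path": "C:\\Windows\\System32\\spoolsv.exe"}
"""


def is_trusted_path(path):
    """True if the path starts with one of the trusted directories."""
    return path.lower().startswith(TRUSTED_DIRS)


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(events):
    """Return (rule_name, detail) pairs for events matching a rule."""
    findings = []
    for ev in events:
        eid = ev.get("event_id")
        image = ev.get("image", "")
        if eid == 13 and AUTORUN_KEY.search(ev.get("target", "")) and not is_trusted_path(image):
            # Autorun key written by a binary outside trusted directories
            findings.append(("autorun_registry", f"{image} -> {ev['target']}"))
        elif eid == 7045 and not is_trusted_path(ev.get("image_path", "")):
            # New service whose binary lives outside trusted directories
            findings.append(("suspicious_service", f"{ev.get('service_name')} -> {ev['image_path']}"))
        elif eid == 4698 and not is_trusted_path(ev.get("command", "")):
            # Scheduled task running a binary outside trusted directories
            findings.append(("suspicious_task", f"{ev.get('task_name')} -> {ev['command']}"))
        elif eid == 1 and image.lower().endswith("\\cmd.exe") and not is_trusted_path(ev.get("parent_image", "")):
            # cmd.exe spawned by an untrusted parent: the remote-shell pattern
            findings.append(("shell_from_untrusted_parent", f"{ev['parent_image']} -> {image}"))
        elif eid == 22 and ev.get("query", "").lower() in CLOUD_STORAGE_HOSTS and not is_trusted_path(image):
            # Non-browser, untrusted process resolving a cloud-storage API host
            findings.append(("cloud_storage_egress", f"{image} -> {ev['query']}"))
    return findings


def triage_sample():
    """Run the rules over the constructed sample; returns five findings."""
    return triage(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for rule, detail in triage_sample():
        print(f"[{rule}] {detail}")
```

The rules are deliberately coarse: a trusted-directory check is a first-pass filter, not an allow-list, and in production the host list and path list would come from the organization's own inventory. What the example shows is that each behaviour the article names maps onto a distinct, cheap telemetry check, so the same pipeline can raise all of them together and let an analyst correlate a new service, a hidden shell and cloud egress from the same binary.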


The activity observed in this campaign, with government targets in countries such as Myanmar, Mongolia, Malaysia, Russia and Pakistan according to Kaspersky, confirms that Mustang Panda continues to combine technical and operational techniques to sustain its espionage capability. In recent months, other new tools attributed to the group had been reported, suggesting a sustained effort to maintain and expand its toolkit.

For further details on the technical findings and specific indicators of compromise, see Kaspersky's preliminary analysis in its publication: Kaspersky Securelist. And if your organization uses third-party software from international suppliers, it is worth auditing integrations and update processes in particular detail, including suppliers such as Sangfor, which is mentioned in the research as a vector used in these campaigns.

In short, the CoolClient update is another sign that persistent espionage groups invest in expanding their collection and stealth capabilities. The combination of infostealers, clipboard monitoring, proxy sniffers and kernel modules represents an advanced threat that forces security teams to review not only the detection of classic malware, but also software management practices, network telemetry and defenses aimed at protecting credentials and sensitive data.
