Cybersecurity researchers have observed the China-linked group Mustang Panda using an improved backdoor they call COOLCLIENT. The group targets government systems in several countries for deep espionage.
Targets and Campaign Scope
The group targets government entities, focusing on Myanmar, Mongolia, Malaysia, and Russia. Attacks continued at a high tempo in 2025, so officials face ongoing risk.
Mustang Panda, also tracked as Earth Preta, pairs COOLCLIENT with older tools such as PlugX and uses LuminousMoth in some intrusions. This mix improves the group's success rate.
Delivery Through Trusted Software
Attackers deliver COOLCLIENT through encrypted loaders that hide shellcode and DLLs. Execution relies on DLL side-loading: a legitimate, signed program is tricked into loading the malicious code.
Between 2021 and 2025 they abused binaries from various vendors, including media players and security software. In recent waves they favored one network security firm's binaries, which kept detection rates low.
COOLCLIENT collects a wide range of sensitive data: keystrokes, clipboard text, and files. It also steals HTTP proxy credentials from network traffic. It receives commands from a remote server over TCP, sets up reverse tunnels or proxies, and runs extra plugins directly in memory. Plugins manage services or handle files, and others open remote shells for full control.
Extra Plugins and Stealers
Mustang Panda deploys purpose-built plugins. One manages all system services. Another searches, compresses, or deletes files. A third spawns command prompts to run instructions.
They also use separate programs to steal browser credentials, targeting Chrome, Edge, and other browsers. In one case, attackers uploaded Firefox cookies to a cloud drive, so login details fall into the wrong hands easily.
Broader Post-Exploitation Tools
The group uses TONESHELL for persistence; it drops other malware such as QReverse, a RAT that takes screenshots and gathers system information. They also spread a USB worm called TONEDISK.
Batch and PowerShell scripts also collect system details and harvest documents. Researchers see code overlap with another spyware group, suggesting tools are shared among attackers.
Shift to Active Surveillance
These attacks go beyond simple document theft. The hackers monitor user actions closely, logging every keystroke and watching clipboard changes and proxy logins.
This level of spying lets them track targets in real time and supports long-term espionage goals. Experts warn of rising surveillance risk from such groups.
Prevention Strategies
Organizations can defend against these threats with a few disciplined steps. First, restrict execution of unknown DLLs and block unusual side-loading. Monitor network traffic for unexpected TCP connections to unknown servers.
Use endpoint detection capable of spotting in-memory plugins early, and scan regularly for credential stealers and script activity. Strong access controls and user training significantly cut the chance of a successful intrusion against government targets.
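As an added defensive example (not code from this article or from the researchers it cites), the Python script below scores Sysmon-style image-load records for the DLL side-loading pattern described under Delivery Through Trusted Software, and implements the "block unusual side-loading" step above as a detection rule. The sample events, the list of commonly impersonated system DLL names, and the scoring weights are all constructed for illustration; the field names follow Sysmon's Event ID 7 (Image loaded) schema.

```python
"""Heuristic detection of DLL side-loading from Sysmon-style image-load
events (Event ID 7).  Added example for this article; the records below
are constructed and the field names (Image, ImageLoaded, Signed,
SignatureStatus, ProcessId) follow Sysmon's Event ID 7 schema."""
import json
import ntpath

# Directories Windows uses for its own DLLs (lower-cased for matching).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# Illustrative subset of system DLL names that signed applications import
# by name and that side-loaded DLLs therefore impersonate (constructed list).
COMMON_SYSTEM_DLLS = {
    "version.dll", "wtsapi32.dll", "cryptbase.dll", "dwmapi.dll",
    "userenv.dll", "profapi.dll", "winmm.dll", "msimg32.dll",
}

# Path fragments that mark user-writable locations (constructed heuristic).
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\temp\\")


def _dirname(path):
    return ntpath.dirname(path).lower()


def _is_signed(event):
    return (str(event.get("Signed", "")).lower() == "true"
            and str(event.get("SignatureStatus", "")).lower() == "valid")


def score_image_load(event):
    """Return (score, reasons) for one image-load event."""
    host_dir = _dirname(event["Image"])
    dll = event["ImageLoaded"]
    dll_dir = _dirname(dll)
    dll_name = ntpath.basename(dll).lower()
    score, reasons = 0, []

    if dll_dir == host_dir:
        score += 1
        reasons.append("DLL resides beside the host executable")
    if not _is_signed(event):
        score += 1
        reasons.append("DLL is unsigned or has an invalid signature")
    if dll_name in COMMON_SYSTEM_DLLS and not dll_dir.startswith(SYSTEM_DIRS):
        score += 2  # strongest indicator: a system DLL name outside System32
        reasons.append("system DLL name loaded from outside a system directory")
    if any(m in dll_dir + "\\" for m in USER_WRITABLE_MARKERS):
        score += 1
        reasons.append("DLL loaded from a user-writable path")
    return score, reasons


def detect_sideloads(events, threshold=3):
    """Return alert records for events whose score reaches the threshold."""
    alerts = []
    for ev in events:
        score, reasons = score_image_load(ev)
        if score >= threshold:
            alerts.append({"pid": ev.get("ProcessId"), "image": ev["Image"],
                           "dll": ev["ImageLoaded"], "score": score,
                           "reasons": reasons})
    return alerts


def load_jsonl(text):
    """Parse a newline-delimited JSON export of events, skipping junk lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


# Constructed sample events (not telemetry from the cases in the article).
SAMPLE_EVENTS = [
    {   # 1: a player binary dropped to Temp loads an unsigned version.dll beside it
        "ProcessId": 4120,
        "Image": r"C:\Users\alice\AppData\Local\Temp\update\player.exe",
        "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\update\version.dll",
        "Signed": "false", "SignatureStatus": "Unavailable"},
    {   # 2: the same application installed normally, loading the real system DLL
        "ProcessId": 4200,
        "Image": r"C:\Program Files\Player\player.exe",
        "ImageLoaded": r"C:\Windows\System32\version.dll",
        "Signed": "true", "SignatureStatus": "Valid"},
    {   # 3: the application's own unsigned codec DLL; only two weak indicators
        "ProcessId": 4200,
        "Image": r"C:\Program Files\Player\player.exe",
        "ImageLoaded": r"C:\Program Files\Player\codec.dll",
        "Signed": "false", "SignatureStatus": "Unavailable"},
    {   # 4: classic side-load inside Program Files: system DLL name, beside host, unsigned
        "ProcessId": 4311,
        "Image": r"C:\Program Files\Player\player.exe",
        "ImageLoaded": r"C:\Program Files\Player\version.dll",
        "Signed": "false", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for alert in detect_sideloads(SAMPLE_EVENTS):
        print(f"pid {alert['pid']}: {alert['image']} -> {alert['dll']} "
              f"score={alert['score']} ({'; '.join(alert['reasons'])})")
```

Run as-is, the script alerts on events 1 and 4 and stays quiet on the legitimately installed player loading its own codec DLL, which is the false positive a naive "unsigned DLL beside a signed EXE" rule would raise. The name-collision indicator carries the most weight because a loader named after a DLL that normally lives in System32 has no benign reason to sit in an application directory; the threshold and weights are a starting point to tune against your own baseline of image loads.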
Sleep well, we've got you covered.