The HoneyMyte risk group, often known as Mustang Panda or Bronze President, continues to pose a big danger to authorities organizations throughout Asia and Europe.
Latest safety analysis has revealed that this superior hacker collective is actively upgrading its digital arsenal with enhanced variations of malware designed to steal delicate data from focused methods.
The group’s operations have been significantly concentrated in Southeast Asia, the place authorities businesses stay the first targets of their subtle campaigns.
In 2025, safety specialists found that HoneyMyte considerably expanded its toolset by bettering the CoolClient backdoor malware with new capabilities.
Variants of CoolClient abusing totally different software program for DLL sideloading (2021–2025) (Supply – Securelist)
Past the CoolClient upgrades, the group deployed a number of variants of a specialised browser login knowledge stealer and utilized a number of scripts supposed for harvesting confidential paperwork and gathering system particulars.
This evolution demonstrates the group’s dedication to creating more practical instruments for extracting helpful knowledge from compromised networks.
Overview of CoolClient execution stream (Supply – Securelist)
Securelist analysts famous that the malware operates via a multi-stage supply system that depends on DLL sideloading, a method the place official software program recordsdata are hijacked to load malicious code.
The malware has been noticed in international locations together with Myanmar, Mongolia, Malaysia, Russia, and Pakistan.
Between 2021 and 2025, HoneyMyte abused official purposes from distributors akin to BitDefender, VLC Media Participant, and Sangfor to execute its malicious payload.
The Browser Credential Stealer and Detection Evasion
Some of the regarding developments includes HoneyMyte’s new browser credential stealer, which particularly targets login data saved in fashionable internet browsers.
The group deployed no less than three variants of this stealer throughout totally different campaigns. Variant A targets Google Chrome, Variant B focuses on Microsoft Edge, and Variant C helps a number of Chromium-based browsers together with Courageous and Opera.
Operate that copies Chrome browser login knowledge into a brief file (chromeTmp) for exfiltration (Supply – Securelist)
This flexibility permits attackers to reap credentials no matter which browser customers choose on compromised machines.
The stealer operates by copying the goal browser’s login database and configuration recordsdata to non permanent folders, then utilizing Home windows safety features to decrypt saved passwords.
The malware extracts encrypted grasp keys from browser recordsdata, decrypts them utilizing Home windows Information Safety Software Programming Interface features, and reconstructs full login information containing usernames and passwords.
After gathering this delicate data, the malware saves the harvested credentials to hidden system folders for later exfiltration to attacker-controlled servers.
This functionality, mixed with different options like keylogging and clipboard monitoring, reveals HoneyMyte’s transition towards energetic surveillance of sufferer methods past conventional espionage targets.
Organizations working in authorities sectors ought to implement sturdy detection measures and preserve vigilant monitoring for indicators of CoolClient backdoor infections, browser stealer exercise, and associated malware households utilized by this decided risk actor.
Observe us on Google Information, LinkedIn, and X to Get Extra On the spot Updates, Set CSN as a Most popular Supply in Google.
