👤 AGONY
🗓️ 28 Jan 2026   🌍 Asia

CoolClient Reloaded: How Mustang Panda’s Evolving Malware Is Hijacking Government Secrets

A notorious Chinese cyber-espionage group is weaponizing new infostealers and backdoors to infiltrate Asian and Russian government networks.

In the shadowy world of cyber-espionage, few names strike more fear into government IT teams than Mustang Panda. This relentless Chinese hacking group has once again raised the stakes, rolling out a sophisticated new version of its CoolClient backdoor - now armed with powerful infostealers designed to swipe browser credentials and silently monitor computer activity. The latest campaign, uncovered by Kaspersky, reveals not only technical ingenuity, but also a relentless drive to adapt and evade detection.

Mustang Panda, a cyber-espionage collective active since at least 2022, has long favored multi-stage backdoors like PlugX and LuminousMoth. But the group’s latest CoolClient variant marks a chilling escalation. According to Kaspersky, the malware can now steal browser login data, track clipboard activity, and deploy an as-yet-unseen rootkit - though full technical details are still under wraps.

What sets this campaign apart is its cunning use of legitimate software installers to ferry malicious payloads past security defenses. In recent attacks, CoolClient was smuggled into government computers via trusted Sangfor products, as well as through classic DLL side-loading tricks abusing well-known signed binaries like Bitdefender and VLC Media Player. Once inside, the malware launches a multi-stage attack, gathering system information, escalating privileges, and burrowing deep into Windows through registry modifications and new service creation.
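The two behaviours singled out in that paragraph, a signed binary loading a look-alike DLL and persistence through registry and service changes, are both visible in endpoint telemetry. The script below is an added example, not code from the Netcrook article or from Kaspersky's report: it applies two defender heuristics to constructed Sysmon-style events (the field names, paths, signer strings and sample events are all invented for illustration). Rule 1 flags a signed host executable that loads, from its own user-writable directory, a DLL that is unsigned or signed by a different publisher; rule 2 flags a Run-key value or new service whose binary lives in a user-writable directory.

```python
# Added example, not code from the Netcrook article or from Kaspersky's report:
# two defender heuristics for the behaviour described above, run over
# constructed Sysmon-style events. Event field names, paths, signer strings
# and the sample events are all invented for illustration.
import ntpath
from typing import Optional

# Directories an unprivileged user can write to; a signed host binary copied
# here next to a look-alike DLL is the classic side-loading layout.
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
)


def in_user_writable_dir(path: str) -> bool:
    """True when the path lives under a user-writable directory."""
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def check_image_load(ev: dict) -> Optional[str]:
    """Rule 1: a signed host EXE loads a DLL from its own user-writable
    directory, and that DLL is unsigned or signed by someone else."""
    host, dll = ev["image"], ev["loaded"]
    same_dir = ntpath.dirname(host).lower() == ntpath.dirname(dll).lower()
    if (ev["image_signer"]
            and same_dir
            and in_user_writable_dir(dll)
            and ev["loaded_signer"] != ev["image_signer"]):
        return (f"possible DLL side-load: {ntpath.basename(host)} signed by "
                f"{ev['image_signer']} loaded {dll} "
                f"(signer: {ev['loaded_signer'] or 'none'})")
    return None


def check_persistence(ev: dict) -> Optional[str]:
    """Rule 2: Run-key value or new service whose binary sits in a
    user-writable directory."""
    target = ev.get("target", "")
    if not in_user_writable_dir(target):
        return None
    if ev["kind"] == "registry_set" and "\\currentversion\\run" in ev["key"].lower():
        return f"Run-key persistence: {ev['key']}\\{ev['value']} -> {target}"
    if ev["kind"] == "service_create":
        return f"new service '{ev['name']}' with user-writable binary: {target}"
    return None


def triage(events: list) -> list:
    """Apply both rules and return the human-readable findings."""
    findings = []
    for ev in events:
        hit = check_image_load(ev) if ev["kind"] == "image_load" else check_persistence(ev)
        if hit:
            findings.append(hit)
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"kind": "image_load",
     "image": r"C:\Program Files\VideoLAN\VLC\vlc.exe", "image_signer": "VideoLAN",
     "loaded": r"C:\Program Files\VideoLAN\VLC\libvlc.dll", "loaded_signer": "VideoLAN"},
    {"kind": "image_load",
     "image": r"C:\Users\alice\AppData\Local\Temp\upd\vlc.exe", "image_signer": "VideoLAN",
     "loaded": r"C:\Users\alice\AppData\Local\Temp\upd\libvlc.dll", "loaded_signer": ""},
    {"kind": "image_load",
     "image": r"C:\Windows\System32\svchost.exe", "image_signer": "Microsoft Windows",
     "loaded": r"C:\Windows\System32\ntdll.dll", "loaded_signer": "Microsoft Windows"},
    {"kind": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "Updater",
     "target": r"C:\Users\alice\AppData\Roaming\upd\vlc.exe"},
    {"kind": "service_create", "name": "WinHelperSvc",
     "target": r"C:\ProgramData\upd\vlc.exe"},
    {"kind": "service_create", "name": "Spooler",
     "target": r"C:\Windows\System32\spoolsv.exe"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Run as-is it reports three findings from the six constructed events: the VLC copy in a temp folder loading an unsigned libvlc.dll, the Run-key value pointing into AppData, and the new service whose binary sits under ProgramData. The signer comparison is the part worth keeping when adapting this to real telemetry: a signed host loading a DLL from Program Files is routine, the same host doing it from a user's temp directory with an unsigned DLL is the pattern the article describes.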

The malware’s modular design is particularly dangerous. Core features - system profiling, keylogging, file operations, and TCP tunneling - have been upgraded to include real-time clipboard surveillance and credential theft from HTTP proxies. The plugin ecosystem has also expanded, granting attackers remote shell access and granular control over Windows services and files. Notably, infostealers now target a range of browsers: Chrome, Edge, and any Chromium-based browser, quietly copying login data to temporary files for exfiltration.

Evading detection remains a Mustang Panda specialty. The group now uses hardcoded tokens to upload stolen data directly to public cloud services like Google Drive and Pixeldrain, sidestepping traditional security monitoring. This operational shift underscores Mustang Panda’s ongoing evolution and its status as one of the world’s most prolific cyber threats - recently singled out by Taiwan’s National Security Bureau for its high-volume attacks on critical infrastructure.
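Uploads to public cloud storage blend in because users legitimately make them from their browsers; the distinguishing feature of the pattern above is a non-browser process presenting its own API credential to an upload endpoint. The script below is an added example, not code from the Netcrook article or from Kaspersky's report, and runs over constructed proxy-log lines. The log format, process names and byte counts are invented; the host/path patterns for the two services named in the article are assumptions drawn from their public upload APIs and should be treated as a starting point to tune, not a complete list.

```python
# Added example, not code from the Netcrook article or from Kaspersky's report:
# a small detector for the cloud-exfiltration pattern described above, run
# over constructed proxy-log lines. Log format, process names and byte counts
# are invented; the endpoint patterns are assumptions based on the two
# services' public upload APIs.
from collections import defaultdict

# Processes expected to talk to consumer cloud storage on a workstation.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}

# (host, path prefix) pairs treated as "file upload" on these services.
CLOUD_UPLOAD_ENDPOINTS = (
    ("www.googleapis.com", "/upload/drive/"),
    ("pixeldrain.com", "/api/file"),
)


def parse_line(line: str) -> dict:
    """Parse one constructed 'ts|k=v|k=v' proxy-log line into a dict."""
    ts, *fields = line.strip().split("|")
    rec = {"ts": ts}
    for field in fields:
        key, _, val = field.partition("=")
        rec[key] = val
    rec["bytes"] = int(rec.get("bytes", "0"))
    return rec


def is_cloud_upload(rec: dict) -> bool:
    """An HTTP write to one of the known upload endpoints."""
    if rec.get("method") not in ("POST", "PUT"):
        return False
    return any(rec.get("host") == host and rec.get("path", "").startswith(prefix)
               for host, prefix in CLOUD_UPLOAD_ENDPOINTS)


def find_cloud_exfil(lines):
    """Return (alerts, bytes_uploaded_per_process).

    Alert on uploads made by a non-browser process that presents an API
    credential of its own: a token embedded in a backdoor looks exactly like
    this, while a user uploading through a browser does not trip the rule.
    """
    alerts = []
    uploaded = defaultdict(int)
    for rec in map(parse_line, lines):
        if not is_cloud_upload(rec):
            continue
        proc = rec.get("proc", "").lower()
        uploaded[proc] += rec["bytes"]
        auth = rec.get("auth", "none")
        if proc not in BROWSERS and auth != "none":
            alerts.append(f"{rec['ts']} {proc} (pid {rec.get('pid', '?')}) uploaded "
                          f"{rec['bytes']} bytes to {rec['host']}{rec['path']} "
                          f"with an API credential ({auth})")
    return alerts, dict(uploaded)


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2026-01-28T10:15:02Z|proc=chrome.exe|pid=3120|method=POST|host=www.googleapis.com|path=/upload/drive/v3/files|auth=bearer|bytes=524288",
    "2026-01-28T10:16:41Z|proc=vlc.exe|pid=4412|method=POST|host=www.googleapis.com|path=/upload/drive/v3/files|auth=bearer|bytes=1048576",
    "2026-01-28T10:17:05Z|proc=outlook.exe|pid=2208|method=GET|host=pixeldrain.com|path=/u/abc123|auth=none|bytes=2048",
    "2026-01-28T10:18:30Z|proc=vlc.exe|pid=4412|method=PUT|host=pixeldrain.com|path=/api/file/login_data.tmp|auth=basic|bytes=73728",
    "2026-01-28T10:19:12Z|proc=msedge.exe|pid=5001|method=GET|host=www.googleapis.com|path=/drive/v3/files|auth=bearer|bytes=512",
]

if __name__ == "__main__":
    found, totals = find_cloud_exfil(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print(totals)
```

On the constructed sample this yields two alerts, both for the out-of-place vlc.exe process, and leaves the browser upload and the two GETs alone. The per-process byte totals are returned alongside the alerts so a volume threshold can be layered on top; in a real deployment the browser allow-list and the endpoint table are the two knobs to maintain.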

As Mustang Panda continues to refine its digital arsenal, government agencies and cybersecurity professionals across Asia and beyond find themselves locked in a high-stakes cat-and-mouse game. With each new malware variant, the line between trusted applications and malicious payloads blurs further - reminding us that in the world of cyber-espionage, today’s legitimate software could be tomorrow’s Trojan horse.

WIKICROOK

  • Backdoor: A backdoor is a hidden way to access a computer or server, bypassing normal security checks, often used by attackers to gain secret control.
  • DLL Side-Loading: DLL side-loading is a technique where attackers trick a legitimate program into loading a malicious DLL file placed alongside it, bypassing security and gaining unauthorized access or control.
  • Infostealer: An infostealer is malware designed to steal sensitive data - like passwords, credit cards, or documents - from infected computers without the user's knowledge.
  • Persistence: Persistence involves techniques used by malware to survive reboots and stay hidden on systems, often by mimicking legitimate processes or updates.
  • Command: A command is an instruction sent to a device or software, often by a C2 server, directing it to perform specific actions, sometimes for malicious purposes.
Tags: Mustang Panda, cyber-espionage, malware

AGONY
Elite Offensive Security Commander