Mustang Panda Deploys Updated COOLCLIENT Backdoor in Government Espionage Campaigns
- Feb 2
- 2 min read
A China-linked threat actor tracked as Mustang Panda has been observed deploying an updated version of the COOLCLIENT backdoor in cyber espionage operations targeting government organizations throughout 2025. The activity primarily affected public sector entities in Myanmar, Mongolia, Malaysia, and Russia and demonstrates a continued evolution toward deeper endpoint surveillance and data exfiltration.
The updated COOLCLIENT malware is typically delivered as a secondary payload following initial compromise with loaders such as PlugX and LuminousMoth. In recent campaigns, the backdoor was deployed via encrypted loader components containing obfuscated configuration data, shellcode, and in-memory DLL modules. Execution relies heavily on DLL side-loading, a technique that abuses legitimate signed executables to load malicious libraries without triggering security controls.

To achieve this, Mustang Panda has repeatedly leveraged trusted binaries from widely used software products. Over multiple campaigns, the group has abused signed executables associated with security software, media players, and enterprise networking tools, renaming them to blend into normal system activity. In more recent operations, legitimate software from Sangfor has been used as a loader, including cases where a previously undocumented rootkit was dropped as part of the infection chain.
Once active, COOLCLIENT establishes communication with a command-and-control server over TCP and provides operators with extensive visibility into the infected host. The backdoor is designed to collect system metadata, user activity, keystrokes, clipboard contents, files, and proxy authentication credentials extracted from HTTP traffic. It also supports reverse tunneling and proxy functionality, allowing attackers to route traffic through victim systems and maintain covert access.
The malware supports a modular plugin architecture that enables on-demand capability expansion. Observed plugins allow operators to manage system services, perform full file system operations, and spawn interactive command shells to execute arbitrary commands and retrieve output. These plugins are loaded directly into memory, reducing artifacts on disk and complicating forensic analysis.
In addition to COOLCLIENT, Mustang Panda has deployed multiple browser credential stealers targeting Chromium-based browsers such as Google Chrome and Microsoft Edge. In at least one observed case, the attackers used command-line tools to exfiltrate Firefox cookie databases directly to cloud storage. These credential theft activities appear to support broader post-exploitation objectives rather than isolated data theft.
The campaigns also made use of additional malware families, including TONESHELL for persistence and payload staging, QReverse for remote access and surveillance, and a USB-propagating worm known as TONEDISK. Analysis of the tooling reveals code overlap between Mustang Panda and other China-aligned clusters, indicating shared development resources or coordinated operations.
The scope and capability set of the updated COOLCLIENT framework indicates a shift beyond traditional document-focused espionage. The combination of keylogging, clipboard monitoring, proxy credential harvesting, and browser data theft reflects an emphasis on continuous user surveillance and long-term intelligence collection.
These operations highlight Mustang Panda’s ongoing focus on government networks in Southeast and East Asia and demonstrate a mature, layered infection strategy that blends trusted software abuse, memory-resident payloads, and modular backdoor functionality to maintain stealth and persistence over extended periods.



Comments