• HoneyMyte upgraded its CoolClient backdoor with new features that enhance persistence and stealth.
• The group deployed multiple browser login-data stealers across recent campaigns.
• Scripts for data theft and reconnaissance were used to expand the threat actor's footprint.
• Primary targets were government entities in Southeast Asia, with significant activity in Myanmar, Malaysia, Mongolia, and Russia.
• CoolClient was delivered through encrypted loaders and DLL sideloading, abusing legitimately signed binaries from vendors such as BitDefender and VLC.
• The backdoor often operated alongside PlugX and LuminousMoth infections, giving the actor additional persistence on the same hosts.

Article Summaries:

  • HoneyMyte, an APT group that mainly targets government entities in Asia and Europe, upgraded its CoolClient backdoor in 2025. The new version adds features such as enhanced data-stealing modules, a browser login credential stealer, and additional reconnaissance scripts. Analysts observed the updated CoolClient running alongside PlugX and LuminousMoth infections in campaigns across Myanmar, Mongolia, Malaysia, Russia, and Pakistan. The malware continues to abuse legitimately signed binaries (most recently from Sangfor) to sideload malicious DLLs. A newer variant also drops a previously unseen rootkit, indicating further evolution of the group's toolset.
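Both the bullet list and the summary above describe the same delivery pattern: a legitimately signed vendor executable is dropped next to an attacker-supplied DLL and loads it. The following is an added example of how a detection engineer might triage image-load telemetry for that pattern; it is not code from the original article and has nothing to do with HoneyMyte's or CoolClient's own tooling. The log records are constructed, the executable and DLL paths in them are hypothetical, the record fields (image, image_signed, dll, dll_signed) are a simplified schema rather than the exact field names of Sysmon Event ID 7 or any EDR product, and KNOWN_SYSTEM_DLLS is a small illustrative subset of Windows system DLLs.

```python
"""Heuristic triage of image-load records for DLL sideloading.

Added example; not part of the original article and not HoneyMyte or
CoolClient code. Records are constructed, paths are hypothetical, and the
record schema is a simplified stand-in for Sysmon/EDR image-load events.
"""
import ntpath

# Directories Windows normally serves system DLLs from (lower-cased).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Roots an ordinary user cannot write to without elevation. A signed host
# loading an unsigned DLL from inside these is not flagged by rule 2 (a
# deliberate trade-off to keep noise down; tighten if your estate allows).
TRUSTED_ROOTS = (r"c:\windows", r"c:\program files", r"c:\program files (x86)")

# Illustrative subset of system DLL names that sideloading commonly
# impersonates: a legitimate process expects these from SYSTEM_DIRS.
KNOWN_SYSTEM_DLLS = {
    "version.dll", "dwmapi.dll", "userenv.dll", "wtsapi32.dll", "cryptbase.dll",
}

REASON_SYSTEM_NAME = "system-dll-name-outside-system-dir"
REASON_SIGNED_HOST = "signed-host-unsigned-dll-same-dir"


def _dir(path):
    """Lower-cased directory part of a Windows path (works on any OS)."""
    return ntpath.dirname(path.lower())


def _under(path, roots):
    """True if the directory of `path` is one of `roots` or below it."""
    d = _dir(path)
    return any(d == r or d.startswith(r + "\\") for r in roots)


def sideload_findings(records):
    """Return one finding per suspicious record, with the rules that fired.

    Rule 1: a DLL carrying a known system-DLL name was mapped from outside
            the system directories (search-order hijack / sideload).
    Rule 2: a signed host process loaded an unsigned DLL that sits in the
            host's own directory, and that directory is outside TRUSTED_ROOTS
            (signed vendor binary dropped next to a malicious DLL).
    """
    findings = []
    for rec in records:
        image, dll = rec["image"], rec["dll"]
        reasons = []
        if (ntpath.basename(dll).lower() in KNOWN_SYSTEM_DLLS
                and not _under(dll, SYSTEM_DIRS)):
            reasons.append(REASON_SYSTEM_NAME)
        if (rec["image_signed"] and not rec["dll_signed"]
                and _dir(image) == _dir(dll)
                and not _under(image, TRUSTED_ROOTS)):
            reasons.append(REASON_SIGNED_HOST)
        if reasons:
            findings.append({"image": image, "dll": dll, "reasons": reasons})
    return findings


# Constructed sample telemetry (hypothetical paths, not real indicators).
SAMPLE_RECORDS = [
    # Benign: properly installed signed app loading the real system DLL.
    {"image": r"C:\Program Files\VendorApp\vendor_app.exe", "image_signed": True,
     "dll": r"C:\Windows\System32\version.dll", "dll_signed": True},
    # Sideload: signed binary copied to a user-writable directory next to an
    # unsigned DLL that impersonates a system DLL name (both rules fire).
    {"image": r"C:\Users\Public\Updates\vendor_app.exe", "image_signed": True,
     "dll": r"C:\Users\Public\Updates\version.dll", "dll_signed": False},
    # Sideload via a vendor-specific plugin name (rule 2 only).
    {"image": r"C:\Users\Public\Media\player.exe", "image_signed": True,
     "dll": r"C:\Users\Public\Media\plugin_helper.dll", "dll_signed": False},
    # Not flagged: unsigned helper DLL inside the product's own install dir.
    {"image": r"C:\Program Files\VendorApp\vendor_app.exe", "image_signed": True,
     "dll": r"C:\Program Files\VendorApp\helper.dll", "dll_signed": False},
]


if __name__ == "__main__":
    for f in sideload_findings(SAMPLE_RECORDS):
        print(f["image"], "->", f["dll"], "|", ", ".join(f["reasons"]))
```

Rule 1 is the higher-confidence signal and is worth alerting on alone; rule 2 is noisier (unsigned plugins in user directories are common) and is better used to enrich a process-creation alert or to hunt, for example by joining against the signer name so that a small set of abused vendor signatures can be prioritised.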

Sources: