Chinese Mustang Panda hackers deploy infostealers via CoolClient backdoor

The Chinese espionage threat group Mustang Panda has updated its CoolClient backdoor to a new variant that can steal login data from browsers and monitor the clipboard.

According to Kaspersky researchers, the malware has also been used to deploy a previously unseen rootkit. However, a technical analysis will be provided in a future report.

CoolClient has been associated with Mustang Panda since 2022, deployed as a secondary backdoor alongside PlugX and LuminousMoth.

The updated malware version has been observed in attacks targeting government entities in Myanmar, Mongolia, Malaysia, Russia, and Pakistan and were deployed via legitimate software from Sangfor, a Chinese company specialized in cybersecurity, cloud computing, and IT infrastructure products.

Previously, CoolClient operators launched the malware via DLL side-loading by abusing signed binaries from Bitdefender, VLC Media Player, and Ulead PhotoImpact.

Kaspersky researchers say that the CoolClient backdoor gathers details about the compromised system and its users, like computer name, version of the operating system, RAM, network information, and the descriptions and versions of loaded driver modules.

CoolClient uses encrypted .DAT files in a multi-stage execution and achieves persistence via Registry modifications, the addition of new Windows services, and scheduled tasks. It also supports UAC bypassing and privilege escalation.

CoolClient’s core features are integrated in a DLL embedded in a file called main.dat. “When launched, it first checks whether the keylogger, clipboard stealer, and HTTP proxy credential sniffer are enabled,” the researchers say.

New CoolClient capabilities

The malware’s core functions, including system and user profiling, file operations, keylogging, TCP tunneling, reverse-proxying, and in-memory execution of dynamically fetched plugins, are available in both old and new versions, but are refined in the most recent variants.

What is entirely new in the latest CoolClient is a clipboard monitoring module, the ability to perform active window title tracking, and HTTP proxy credential sniffing that relies on raw packet inspection and headers extraction.

Additionally, the plugin ecosystem has been expanded with a dedicated remote shell plugin, a service management plugin, and a more capable file management plugin.

The service management plugin allows the operators to enumerate, create, start, stop, delete, and modify the startup configuration of Windows services, while the file management plugin provides extended file operations, including drive enumeration, file search, ZIP compression, network drive mapping, and file execution.

Remote shell functionality is implemented via a separate plugin that spawns a hidden cmd.exe process and redirects its standard input and output through pipes, enabling interactive command execution over the command-and-control (C2) channel.

A novelty in CoolClient’s operation is the deployment of infostealers to collect login data from browsers. Kaspersky documented three distinct families targeting Chrome (variant A), Edge (variant B), and a more versatile variant C that targets any Chromium-based browser.

Another notable operational shift is that browser data theft and document exfiltration now leverage hardcoded API tokens for legitimate public services like Google Drive or Pixeldrain to evade detection.

Mustang Panda continues to evolve its toolset and operational characteristics. Last month, Kaspersky reported about a new kernel-mode loader that deployed a variant of the ToneShell backdoor on government systems.

Earlier this month, Taiwan’s National Security Bureau ranked Mustang Panda among the most prolific and high-volume threats targeting its critical infrastructure.