HoneyMyte Hacker Group Enhances CoolClient Malware to Steal Browser Credentials
The HoneyMyte cyber espionage group, also known as Mustang Panda or Bronze President, has intensified its operations against government entities across Asia and Europe. Recent analyses reveal that the group has upgraded its CoolClient malware, incorporating advanced features aimed at extracting sensitive information from compromised systems.
Expansion of CoolClient Capabilities
In 2025, cybersecurity experts observed significant enhancements in HoneyMyte’s toolkit, particularly with the CoolClient backdoor malware. The group has developed multiple variants of CoolClient, each employing different software for DLL sideloading—a technique that leverages legitimate software files to execute malicious code. This method has been utilized between 2021 and 2025, with applications from vendors like BitDefender, VLC Media Player, and Sangfor being exploited to deploy the malware.
The updated CoolClient operates through a multi-stage delivery system, initiating with DLL sideloading to infiltrate target systems. Once inside, it establishes a foothold, allowing for the deployment of additional malicious tools. The malware has been detected in countries including Myanmar, Mongolia, Malaysia, Russia, and Pakistan, indicating a broad geographical reach.
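DLL sideloading of the kind described above leaves a recognisable trace in image-load telemetry: a signed host executable running from a user-writable folder loads a DLL that sits next to it and is either unsigned or signed by someone else. The following heuristic, added here as an example and not code from the article or from any analysis of CoolClient, scores constructed image-load records on exactly that pattern. The record schema (fields Image, ImageSigner, ImageLoaded, LoadedSigner) is this example's own simplification of an EDR or Sysmon-style image-load event, and every path, process name and signer name in the sample data is invented.

```python
"""Heuristic detection of DLL sideloading from image-load telemetry.

Added example, not code from the article: the event schema below is a
simplified, constructed stand-in for an EDR/Sysmon-style image-load record,
and every path, process and signer name is invented.
"""
from pathlib import PureWindowsPath

# Directories where a program's own DLLs are expected to live. A signed host
# executable running from anywhere else (a user-writable folder) and loading a
# sibling DLL is the classic sideloading pattern.
TRUSTED_ROOTS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Constructed image-load events. "Image" is the loading process, "ImageLoaded"
# the DLL, and the *Signer fields hold the verified signer or "" when unsigned.
SAMPLE_EVENTS = [
    {   # signed vendor binary dropped in a user-writable folder, loading an
        # unsigned DLL sitting next to it: the sideloading pattern
        "Image": r"C:\Users\Public\Updates\VendorApp.exe",
        "ImageSigner": "Example Vendor Inc.",
        "ImageLoaded": r"C:\Users\Public\Updates\libhelper.dll",
        "LoadedSigner": "",
    },
    {   # the same vendor software installed normally, DLL signed by the vendor
        "Image": r"C:\Program Files\Example Vendor\VendorApp.exe",
        "ImageSigner": "Example Vendor Inc.",
        "ImageLoaded": r"C:\Program Files\Example Vendor\libhelper.dll",
        "LoadedSigner": "Example Vendor Inc.",
    },
    {   # system process loading a system DLL
        "Image": r"C:\Windows\System32\svchost.exe",
        "ImageSigner": "Microsoft Windows",
        "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
        "LoadedSigner": "Microsoft Windows",
    },
    {   # unsigned tool in a user folder loading a system DLL: not sideloading
        "Image": r"C:\Users\alice\Tools\hexview.exe",
        "ImageSigner": "",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "LoadedSigner": "Microsoft Windows",
    },
]


def in_trusted_location(path):
    """True when the path lies under an install directory normal users cannot write to."""
    lowered = str(path).lower()
    return any(lowered.startswith(root) for root in TRUSTED_ROOTS)


def sideload_reasons(event):
    """Return the reasons an image-load event looks like sideloading (empty if it does not)."""
    exe = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    if exe.parent != dll.parent:          # DLL is not a sibling of the executable
        return []
    if in_trusted_location(dll):          # loaded from a protected install directory
        return []
    if not event["ImageSigner"]:          # host is not a trusted signed binary
        return []
    if event["LoadedSigner"] == event["ImageSigner"]:
        return []                         # matching signer: a relocated vendor install
    reasons = ["signed executable loads a sibling DLL from a user-writable directory"]
    if event["LoadedSigner"]:
        reasons.append("DLL signer differs from executable signer")
    else:
        reasons.append("loaded DLL is unsigned")
    return reasons


def detect_sideloading(events):
    """Run the heuristic over a batch of events and return the suspicious ones with reasons."""
    findings = []
    for event in events:
        reasons = sideload_reasons(event)
        if reasons:
            findings.append({"image": event["Image"], "dll": event["ImageLoaded"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in detect_sideloading(SAMPLE_EVENTS):
        print(finding["image"], "->", finding["dll"])
        for reason in finding["reasons"]:
            print("   ", reason)
```

Only the first constructed event is flagged: the same vendor binary under Program Files with a vendor-signed DLL, and the system process loading from System32, pass. In production the signer comparison should use the verified certificate chain rather than a display string, and the trusted-root list should be tuned to the organisation's software deployment paths.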
Introduction of Browser Credential Stealer
A notable advancement in HoneyMyte’s arsenal is the development of a browser credential stealer designed to harvest login information from popular web browsers. The group has deployed at least three variants of this stealer:
– Variant A: Targets Google Chrome.
– Variant B: Focuses on Microsoft Edge.
– Variant C: Supports multiple Chromium-based browsers, including Brave and Opera.
This versatility enables the attackers to collect credentials regardless of the browser preference of the user.
The credential stealer functions by copying the target browser’s login database and configuration files to temporary directories. It then utilizes Windows security features to decrypt stored passwords. Specifically, the malware extracts encrypted master keys from browser files and decrypts them using Windows Data Protection Application Programming Interface (DPAPI) functions. This process reconstructs complete login records, including usernames and passwords.
After gathering this sensitive information, the malware saves the harvested credentials to hidden system folders, preparing them for exfiltration to attacker-controlled servers. This capability, combined with other features like keylogging and clipboard monitoring, indicates HoneyMyte’s shift towards active surveillance of victim systems, extending beyond traditional espionage objectives.
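The behaviour described in the two paragraphs above (a process that is not the browser reads the browser's login database and configuration file, then stages a copy in a temporary directory) can be correlated from file-access telemetry. The script below is an added example, not code from the article or from any vendor product: it runs a per-process correlation over constructed file-access records (process, operation, path, timestamp). The file names "Login Data" and "Local State" are the standard Chromium profile files for saved logins and the DPAPI-protected key; the set of browser executable names, the temp-directory pattern, the 60-second correlation window and all paths, users and PIDs in the sample data are this example's own assumptions.

```python
"""Correlate non-browser reads of Chromium credential stores with temp-folder writes.

Added example, not code from the article. The event records are a constructed
stand-in for file-access telemetry; paths, users, PIDs and timestamps are invented.
"""
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Chromium profile files holding saved logins and the DPAPI-wrapped key that
# protects them. Only the browser itself should normally open them.
CREDENTIAL_STORE_FILES = {"login data", "local state"}
# Assumed browser executables whose access to their own profile is expected.
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe"}
# Temporary directories where a stealer would stage copies before exfiltration.
TEMP_DIR_PATTERN = re.compile(r"\\appdata\\local\\temp\\|\\windows\\temp\\", re.IGNORECASE)

# Constructed file-access events, oldest first.
SAMPLE_EVENTS = [
    {"ts": "2025-03-01T09:00:00", "pid": 4120, "op": "read",
     "process": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": "2025-03-01T09:05:10", "pid": 7788, "op": "read",
     "process": r"C:\Users\Public\Updates\VendorApp.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"ts": "2025-03-01T09:05:11", "pid": 7788, "op": "read",
     "process": r"C:\Users\Public\Updates\VendorApp.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": "2025-03-01T09:05:12", "pid": 7788, "op": "write",
     "process": r"C:\Users\Public\Updates\VendorApp.exe",
     "path": r"C:\Users\alice\AppData\Local\Temp\~df3a1.tmp"},
    {"ts": "2025-03-01T10:00:00", "pid": 2200, "op": "write",
     "process": r"C:\Windows\System32\notepad.exe",
     "path": r"C:\Users\alice\AppData\Local\Temp\notes.txt"},
]


def detect_credential_store_access(events, window_seconds=60):
    """Per process: credential-store reads by a non-browser, then temp-dir writes shortly after.

    Returns one finding per offending PID; severity is "high" when a temp-dir
    write follows the first store read within the window, else "medium".
    """
    findings = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        proc_name = PureWindowsPath(ev["process"]).name.lower()
        file_name = PureWindowsPath(ev["path"]).name.lower()
        ts = datetime.fromisoformat(ev["ts"])
        if (ev["op"] == "read" and file_name in CREDENTIAL_STORE_FILES
                and proc_name not in BROWSER_PROCESSES):
            finding = findings.setdefault(ev["pid"], {
                "pid": ev["pid"], "process": ev["process"], "first_read": ts,
                "store_reads": [], "temp_writes": []})
            finding["store_reads"].append(ev["path"])
        elif (ev["op"] == "write" and ev["pid"] in findings
                and TEMP_DIR_PATTERN.search(ev["path"])):
            finding = findings[ev["pid"]]
            if ts - finding["first_read"] <= timedelta(seconds=window_seconds):
                finding["temp_writes"].append(ev["path"])
    results = []
    for finding in findings.values():
        finding["severity"] = "high" if finding["temp_writes"] else "medium"
        results.append(finding)
    return results


if __name__ == "__main__":
    for finding in detect_credential_store_access(SAMPLE_EVENTS):
        print(f"[{finding['severity']}] pid {finding['pid']} {finding['process']}")
        for path in finding["store_reads"]:
            print("    read ", path)
        for path in finding["temp_writes"]:
            print("    wrote", path)
```

Chrome reading its own profile and Notepad writing to Temp produce nothing; the unknown VendorApp.exe process that reads both store files and then writes to Temp two seconds later is reported as high severity. Legitimate backup agents and password-manager importers will also read these files, so an allow-list of such processes belongs alongside the browser set before this is used as an alerting rule.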
Implications and Recommendations
The continuous evolution of HoneyMyte’s tactics underscores the persistent threat posed by state-sponsored cyber espionage groups. Their focus on government agencies in Southeast Asia and beyond highlights the need for heightened cybersecurity measures.
Organizations are advised to implement the following strategies to mitigate the risk of infection:
1. Regular Software Updates: Ensure that all software, especially web browsers and security applications, is kept up to date to protect against known vulnerabilities.
2. User Education: Train employees to recognize phishing attempts and suspicious activities that could lead to malware infections.
3. Advanced Threat Detection: Deploy security solutions capable of detecting and responding to sophisticated malware, including malware that uses DLL sideloading techniques.
4. Network Segmentation: Implement network segmentation to limit the spread of malware within an organization.
5. Regular Backups: Maintain regular backups of critical data to ensure recovery in the event of a cyberattack.
By adopting these measures, organizations can enhance their resilience against advanced persistent threats like those posed by the HoneyMyte group.