THREAT ALERT

CoolClient Backdoor Updated With Enhanced Espionage Capabilities

Thursday, January 29th, 2026


Summary

Kaspersky researchers have reported that Mustang Panda, a Chinese-linked advanced persistent threat (APT) group, has released an updated variant of its CoolClient backdoor, significantly expanding its espionage functionality. The latest version introduces the ability to steal browser credentials, monitor clipboard activity, and track active window titles. Researchers also observed the malware being used to deploy a previously undocumented rootkit, with a more detailed technical analysis expected in a forthcoming report.

CoolClient has been attributed to Mustang Panda since 2022 and is typically deployed as a secondary payload alongside PlugX and LuminousMoth. Recent campaigns have abused legitimate Sangfor software and have primarily targeted systems outside the US. Organizations elsewhere should nonetheless remain vigilant, particularly given the group’s long-standing reliance on DLL side-loading, in which a signed binary from a trusted vendor such as Bitdefender, VLC, or Ulead is made to load a malicious DLL placed alongside it.

Behavioral Summary

CoolClient operates through a multi-stage execution chain in which the payload stages are stored in encrypted .DAT files. Persistence is established through registry modifications, Windows services, and scheduled tasks, and the chain includes several UAC bypass and privilege escalation techniques to elevate its access. The core functionality resides in a DLL embedded within main.dat and supports system reconnaissance, TCP tunneling, reverse proxy operations, keylogging, and in-memory plugin execution.
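The DLL side-loading and encrypted .DAT staging described above can be hunted with a simple heuristic over image-load telemetry. The following is an added example written for this alert, not code from DefenseStorm, Kaspersky, or the CoolClient analysis: it takes Sysmon-style image-load records (constructed here; the directories, file names and signing states are hypothetical, and only the main.dat file name comes from the alert) and flags a signed executable that loads an unsigned DLL from its own non-standard directory, adding a note when .dat companion files sit beside that DLL.

```python
from __future__ import annotations

import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ImageLoad:
    """One image-load event (Sysmon Event ID 7 shape, reduced to the fields the heuristic uses)."""
    process_image: str   # executable that performed the load
    process_signed: bool
    loaded_image: str    # DLL that was loaded
    loaded_signed: bool


# Standard install roots. Side-loading chains are usually staged in user-writable
# directories, so a signed executable running from one of these roots is treated
# as a normal installation and not flagged (a deliberate noise trade-off).
STANDARD_ROOTS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)


def _norm(path: str) -> str:
    """Lower-case and backslash-normalise a Windows path for comparison."""
    return path.replace("/", "\\").lower().rstrip("\\")


def under_standard_root(directory: str) -> bool:
    d = _norm(directory)
    return any(d == root or d.startswith(root + "\\") for root in STANDARD_ROOTS)


def sideload_reasons(ev: ImageLoad, listing: dict[str, set[str]]) -> list[str]:
    """Reasons the event matches the side-loading pattern; empty list if it does not."""
    # A signed process loading a signed DLL is normal; an unsigned process is a different hunt.
    if not ev.process_signed or ev.loaded_signed:
        return []
    proc_dir = ntpath.dirname(_norm(ev.process_image))
    dll_dir = ntpath.dirname(_norm(ev.loaded_image))
    # The hallmark: the DLL came from the executable's own directory, outside standard install roots.
    if proc_dir != dll_dir or under_standard_root(proc_dir):
        return []
    reasons = ["signed executable loaded an unsigned DLL from its own non-standard directory"]
    # CoolClient stages its payload in encrypted .DAT files next to the side-loaded DLL.
    dat_files = sorted(f for f in listing.get(proc_dir, set()) if f.lower().endswith(".dat"))
    if dat_files:
        reasons.append(".dat companion files alongside the DLL: " + ", ".join(dat_files))
    return reasons


def hunt(events, listing):
    """Return (process, dll, reasons) for every event that matches the heuristic."""
    findings = []
    for ev in events:
        reasons = sideload_reasons(ev, listing)
        if reasons:
            findings.append((ev.process_image, ev.loaded_image, reasons))
    return findings


# Constructed directory listings and events for offline testing. Paths, file names
# and signing states are hypothetical; only "main.dat" is taken from the alert.
LISTING = {
    r"c:\users\public\libs": {"viewer.exe", "helper.dll", "main.dat", "config.dat"},
    r"c:\program files\acme": {"acme.exe", "plugin.dll"},
    r"c:\windows\system32": {"svchost.exe", "ntdll.dll"},
}
SAMPLE_EVENTS = [
    # normal: signed system process loading a signed system DLL
    ImageLoad(r"c:\windows\system32\svchost.exe", True, r"c:\windows\system32\ntdll.dll", True),
    # vendor app under Program Files loading its own unsigned plugin: accepted as an install
    ImageLoad(r"c:\program files\acme\acme.exe", True, r"c:\program files\acme\plugin.dll", False),
    # side-load candidate: signed viewer.exe in a public folder loads unsigned helper.dll beside .dat files
    ImageLoad(r"c:\users\public\libs\viewer.exe", True, r"c:\users\public\libs\helper.dll", False),
    # the same viewer.exe loading a signed system DLL from System32 is fine
    ImageLoad(r"c:\users\public\libs\viewer.exe", True, r"c:\windows\system32\ws2_32.dll", True),
]

if __name__ == "__main__":
    for process, dll, reasons in hunt(SAMPLE_EVENTS, LISTING):
        print(f"{process} -> {dll}")
        for r in reasons:
            print(f"  - {r}")
```

In a real hunt the directory listing would come from the endpoint (or from file-create events in the same telemetry) rather than a constructed dictionary, and the Program Files exclusion should be revisited if your environment allows users to write there.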

New Capabilities Introduced in the Latest Variant

Key enhancements observed in the updated CoolClient variant include:

  • Clipboard monitoring and active window title tracking
  • HTTP proxy credential interception via raw packet inspection
  • Browser credential theft targeting Chromium-based browsers, including Microsoft Edge and Google Chrome
  • An expanded plugin framework featuring:
    • Remote shell access (hidden cmd.exe sessions over C2)
    • Windows service management, enabling full operational control
    • Advanced file operations, such as file searching, archiving (ZIP), drive mapping, and remote execution

The most notable evolution in this variant is the use of hardcoded API tokens for legitimate cloud services, such as Google Drive, to exfiltrate stolen browser data and documents. Because the traffic goes to a widely used, TLS-protected service, it blends with legitimate activity and is unlikely to be flagged by controls that rely on destination reputation or known-bad indicators. Two practical consequences follow: tokens embedded in a captured sample can be extracted and reported to the provider for revocation, and outbound Google Drive API traffic from servers, or from processes, that have no business reason to use the service is a concrete hunting lead.

What DefenseStorm is doing

The DefenseStorm team will continue to monitor additional developments and information regarding this emerging threat. ThreatMatch has been updated with the known IOCs, and will continue to be updated as new IOCs emerge.

Continuous research is being conducted for all newly discovered or recurring malware and ransomware. As always, DefenseStorm recommends the following practices to help secure your environment:

  • Continue internal phishing-awareness training
  • Block threat indicators at their respective controls
  • Keep all systems and software updated to the latest patched versions to protect against known security vulnerabilities
  • Maintain a strong password policy
  • Enable multi-factor authentication
  • Regularly back up data, keep air-gapped or offline copies, and password-protect backup copies
  • Implement a recovery plan that maintains multiple copies of sensitive or proprietary data and servers in a physically separate, secure location
  • Apply application hardening
  • Restrict administrative access


Desrah Kraft

Cyber Threat Intelligence Engineer

Desrah Kraft is a Cyber Threat Intelligence Engineer at DefenseStorm. For the past three years, she has played a vital role in leading and contributing to various Incident Response efforts. Before transitioning into cybersecurity, Desrah obtained a bachelor’s degree from Mitchell College and worked for 7 years in law enforcement. This experience helped her cultivate a comprehensive understanding of security principles and investigative practices. An accomplished cybersecurity professional with 4 years of hands-on experience in analyzing malware and extensive expertise in safeguarding digital landscapes against malicious threats, Desrah possesses an unparalleled ability to dissect complex cyber threats, identify their origins, and implement effective countermeasures. Additionally, she holds multiple MITRE certifications, which demonstrate her mastery of advanced threat detection and mitigation techniques. Recognized for her keen eye for anomalies and proactive approach, Desrah excels in Endpoint Detection and Response (EDR), enabling rapid identification, investigation, and containment of potential breaches. Committed to continuous growth and learning, Desrah remains at the forefront of cybersecurity, dedicated to fortifying digital infrastructures and inspiring others in the field.