Threat actors tied to China deployed an updated COOLCLIENT backdoor in 2025 to steal data from infected endpoints across Myanmar, Mongolia, Malaysia and Russia, a technical analysis by Kaspersky said.
KEY FACTS
- Incident: Updated COOLCLIENT backdoor deployed in 2025
- Actor: Mustang Panda
- Targets: Government entities in Myanmar, Mongolia, Malaysia and Russia
- Technique: DLL side-loading using legitimate signed binaries
COOLCLIENT was observed as a secondary backdoor used alongside PlugX and LuminousMoth. It was delivered as encrypted loader files containing configuration data, shellcode and a DLL module that is decrypted and mapped in memory; execution starts when a legitimate, signed host executable side-loads the malicious DLL placed beside it.
Operators abused legitimately signed executables from multiple vendors as loader hosts. Examples include renamed VLC binaries and signed executables from Bitdefender, Ulead PhotoImpact and Sangfor that load malicious DLLs.
The backdoor can capture keystrokes, monitor the clipboard, collect files and harvest HTTP proxy credentials from traffic. It can also set up reverse tunnels and load additional plugins in memory such as service management, file management and a remote shell module.
Attackers also deployed browser credential stealers to extract saved logins from Chromium browsers and in at least one case exfiltrated a Firefox cookie file to cloud storage. The intrusions included additional tools like TONESHELL, a remote access trojan, and a USB worm used for propagation.
WHY IT MATTERS
The updated COOLCLIENT campaigns expand collection beyond documents to active surveillance of user activity and credential harvesting. Organizations in affected regions should review application control and endpoint execution policies, baseline which signed vendor binaries legitimately run from user-writable directories, and monitor for DLL side-loading (a signed host loading an unsigned DLL from its own directory, or a renamed signed binary) and unusual outbound connections.
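The side-loading pattern described under KEY FACTS and in the loader paragraph, and the monitoring advice above, can be turned into a concrete detection check. The script below is an added example written for this page; it is not Kaspersky's tooling and not code from the campaign. It assumes the caller has already joined Sysmon process-create (Event ID 1: Image, OriginalFileName) and image-load (Event ID 7: ImageLoaded, Signed) records into one row per load, with the host executable's own Authenticode status enriched separately (for example via Get-AuthenticodeSignature); the event rows, paths and vendor directory names are constructed for the example.

```python
"""Flag DLL side-loading candidates in joined Sysmon-style image-load records.

Added example for this article, not the page's or Kaspersky's code. Each row
combines Sysmon Event ID 1 (Image, OriginalFileName) and Event ID 7
(ImageLoaded, Signed) fields; host_signed is assumed to be enriched by the
caller. All sample data below is constructed.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Locations an unprivileged user can write to; a signed vendor EXE running
# from here was most likely dropped by an intruder rather than installed.
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
)
# Windows system directories: same-directory DLL loads are normal here and
# are excluded from the core rule to avoid noise.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

CORE_RULE = "signed host loaded an unsigned DLL from its own directory"


@dataclass(frozen=True)
class ImageLoad:
    image: str               # Sysmon Image: the host process executable
    image_loaded: str        # Sysmon ImageLoaded: the DLL that was mapped
    host_signed: bool        # Authenticode status of the host EXE (enriched)
    dll_signed: bool         # Sysmon Signed for the loaded DLL
    original_file_name: str  # OriginalFileName from the host's version resource


@dataclass(frozen=True)
class Finding:
    image: str
    image_loaded: str
    reasons: tuple[str, ...]


def _dir(path: str) -> str:
    # Lower-cased directory with trailing backslash, so prefix tests are exact.
    return ntpath.dirname(path.lower()) + "\\"


def sideload_reasons(ev: ImageLoad) -> tuple[str, ...]:
    """Return every indicator an event matches; empty tuple means clean."""
    host = ev.image.lower()
    dll = ev.image_loaded.lower()
    reasons = []

    # Core shape: the Windows loader checks the application directory before
    # System32, so a signed host resolving an unsigned DLL from its own
    # directory is exactly how side-loading executes.
    same_dir = _dir(dll) == _dir(host)
    if ev.host_signed and not ev.dll_signed and same_dir \
            and not _dir(host).startswith(SYSTEM_DIRS):
        reasons.append(CORE_RULE)

    # Renamed host: the version resource still carries the vendor's file
    # name (e.g. a VLC binary dropped under a different name).
    if ev.original_file_name and \
            ev.original_file_name.lower() != ntpath.basename(host):
        reasons.append(f"host renamed (OriginalFileName={ev.original_file_name})")

    # Signed vendor binary executing from a user-writable location.
    if ev.host_signed and host.startswith(USER_WRITABLE_PREFIXES):
        reasons.append("signed host running from a user-writable path")

    return tuple(reasons)


def find_sideload_candidates(events: list[ImageLoad]) -> list[Finding]:
    """Report events matching the core rule, or both secondary indicators
    (renamed signed host in a user-writable path) even if the DLL is signed."""
    findings = []
    for ev in events:
        reasons = sideload_reasons(ev)
        if CORE_RULE in reasons or len(reasons) >= 2:
            findings.append(Finding(ev.image, ev.image_loaded, reasons))
    return findings


# Constructed records for the example; none are real telemetry.
SAMPLE_EVENTS = [
    # 1. Normal VLC install: signed host and signed library in the vendor dir.
    ImageLoad(r"C:\Program Files\VideoLAN\VLC\vlc.exe",
              r"C:\Program Files\VideoLAN\VLC\libvlc.dll", True, True, "vlc.exe"),
    # 2. Renamed VLC dropped to Temp with an unsigned libvlc.dll beside it.
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\update\wincheck.exe",
              r"C:\Users\alice\AppData\Local\Temp\update\libvlc.dll", True, False, "vlc.exe"),
    # 3. Windows system process loading a system DLL.
    ImageLoad(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\ntdll.dll", True, True, "svchost.exe"),
    # 4. Signed vendor EXE (not renamed) in ProgramData with an unsigned DLL.
    ImageLoad(r"C:\ProgramData\cache\updater.exe",
              r"C:\ProgramData\cache\version.dll", True, False, "updater.exe"),
    # 5. Legitimate app shipping an unsigned plugin: hits the core rule and
    #    needs a per-directory baseline to suppress.
    ImageLoad(r"C:\Program Files\ExampleApp\app.exe",
              r"C:\Program Files\ExampleApp\plugin.dll", True, False, "app.exe"),
]

if __name__ == "__main__":
    for f in find_sideload_candidates(SAMPLE_EVENTS):
        print(f.image, "->", f.image_loaded)
        for r in f.reasons:
            print("   ", r)
```

Run over the sample rows, events 2, 4 and 5 are reported and 1 and 3 are not. Event 5 shows the caveat: the core rule alone also fires on legitimate software that ships unsigned DLLs, so in production it needs a baseline of known host directories, and the renamed-host and user-writable-path indicators are what raise a hit from "review" to "investigate".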

