Mustang Panda – CoolClient Backdoor Updated with Infostealers

The Chinese espionage group Mustang Panda has rolled out a new variant of its CoolClient backdoor, expanding its capabilities to include browser credential theft, clipboard monitoring, and rootkit deployment.

Key Findings

  • Targeted regions: Government entities in Myanmar, Mongolia, Malaysia, Russia, and Pakistan.
  • Deployment method: Delivered via legitimate Sangfor software (Chinese cybersecurity vendor).
  • Past techniques: DLL side-loading using signed binaries from Bitdefender, VLC Media Player, and Ulead PhotoImpact.

CoolClient Capabilities

  • System profiling: Collects OS version, RAM, network info, driver modules.
  • Persistence: Registry modifications, new Windows services, scheduled tasks.
  • Privilege escalation: Supports UAC bypass.
  • Core functions (retained from earlier versions and refined):
    • Keylogging.
    • TCP tunneling & reverse proxying.
    • File operations.
    • In-memory plugin execution.

New Features in Latest Variant

  • Clipboard monitoring (captures copied data).
  • Active window title tracking (monitors user activity).
  • HTTP proxy credential sniffing (via raw packet inspection).
  • Expanded plugin ecosystem:
    • Remote shell plugin: Hidden cmd.exe process for interactive commands over C2.
    • Service management plugin: Enumerate, create, start/stop, delete, or modify Windows services.
    • File management plugin: Drive enumeration, file search, ZIP compression, network drive mapping, file execution.

Infostealer Deployment

  • Three families documented:
    • Variant A → Chrome.
    • Variant B → Edge.
    • Variant C → Any Chromium-based browser.
  • Data theft method: Copies login data into temporary local files.
  • Exfiltration: Uses hardcoded API tokens for legitimate services like Google Drive and Pixeldrain to evade detection.

Strategic Context

  • Mustang Panda has been evolving its arsenal:
    • ToneShell backdoor deployed via new kernel-mode loader (Dec 2025).
    • Ranked by Taiwan’s National Security Bureau as one of the most prolific threats to critical infrastructure.
  • Their operational flexibility shows a balance between espionage goals and technical innovation.

Defensive Recommendations

  • Monitor for DLL side-loading with signed binaries.
  • Audit registry and scheduled tasks for persistence indicators.
  • Detect clipboard and proxy sniffing activity in endpoints.
  • Block suspicious API token usage tied to Google Drive/Pixeldrain.
  • Network defense: Watch for hidden reverse shells and encrypted C2 traffic.
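The first recommendation above, expressed as detection logic, as an added example that is not from the report or from any vendor: it flags a signed host process that runs outside a normal install root and loads an unsigned (or invalidly signed) DLL from its own directory. The records are constructed, shaped like Sysmon Event ID 7 (ImageLoaded) and enriched with an assumed ProcessSigned field joined from process-creation telemetry; VLC appears as the signed host only because the report names it, and the DLL name is made up.

```python
from pathlib import PureWindowsPath

# Install roots where a signed vendor EXE normally lives; a signed EXE running
# elsewhere, next to an unsigned DLL it loads, is the side-loading pattern.
TRUSTED_ROOTS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")

# Constructed records shaped like Sysmon Event ID 7 (ImageLoaded), plus an
# assumed "ProcessSigned" field joined in from process-creation telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\vlc.exe",             # signed VLC EXE, odd location
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\support.dll",   # constructed DLL name
     "Signed": "false", "SignatureStatus": "Unavailable", "ProcessSigned": "true"},
    {"Image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",                 # same EXE, normal install path
     "ImageLoaded": r"C:\Program Files\VideoLAN\VLC\support.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "ProcessSigned": "true"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\vlc.exe",             # validly signed system DLL
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid", "ProcessSigned": "true"},
    {"Image": r"C:\Users\alice\Downloads\setup.exe",                    # host process itself unsigned
     "ImageLoaded": r"C:\Users\alice\Downloads\support.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "ProcessSigned": "false"},
]


def _under_trusted_root(path: str) -> bool:
    lowered = path.lower()
    return any(lowered.startswith(root + "\\") for root in TRUSTED_ROOTS)


def is_sideload_candidate(ev: dict) -> bool:
    """True when a signed host EXE, running outside an install root, loads an
    unsigned (or invalidly signed) DLL from its own directory."""
    if ev.get("ProcessSigned", "false").lower() != "true":
        return False  # side-loading abuses a trusted, signed host process
    if ev.get("Signed", "false").lower() == "true" and ev.get("SignatureStatus") == "Valid":
        return False  # the loaded DLL itself carries a valid signature
    exe, dll = PureWindowsPath(ev["Image"]), PureWindowsPath(ev["ImageLoaded"])
    if dll.suffix.lower() != ".dll":
        return False
    same_dir = str(exe.parent).lower() == str(dll.parent).lower()
    return same_dir and not _under_trusted_root(str(exe))


def find_sideload_candidates(events: list) -> list:
    """Return the loaded-DLL paths that match the side-loading pattern."""
    return [ev["ImageLoaded"] for ev in events if is_sideload_candidate(ev)]


if __name__ == "__main__":
    for hit in find_sideload_candidates(SAMPLE_EVENTS):
        print("possible DLL side-loading:", hit)
```

In production, feed it the real event stream and add an allow-list for portable applications that legitimately run from user directories.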

Takeaway

Mustang Panda’s CoolClient backdoor has evolved into a multi-functional espionage platform, now capable of credential theft, clipboard monitoring, and stealthy exfiltration via public cloud services. This underscores the group’s adaptability and its focus on government and critical infrastructure targets across Asia and beyond.
