HoneyMyte, also known as Mustang Panda or Bronze President, has reappeared with a more invasive surveillance toolkit, according to a Kaspersky Labs report. The group has evolved its CoolClient backdoor for 2025, adding variants of a browser login data stealer and scripts for data theft and reconnaissance, along with real-time surveillance capabilities such as keystroke logging and clipboard monitoring.
The campaign has been active in Myanmar, Mongolia, Malaysia, and Russia, where CoolClient often serves as a secondary backdoor that maintains persistence if the primary infection is detected. Analysts note that HoneyMyte now exfiltrates stolen data by piggybacking on legitimate public file-sharing services: a script compresses the data and uploads it to Pixeldrain, so the transfer blends in with normal network traffic.
Targets remain government entities in Asia and Europe, with Southeast Asia described as the most affected region. Defenders are urged to watch for the CoolClient backdoor alongside related malware families such as PlugX and ToneShell.