thehackernews.com 1/28/2026, 1:30:29 PM

Mustang Panda Deploys Updated COOLCLIENT Backdoor in Government Cyber Attacks

Mustang Panda has been observed deploying an updated COOLCLIENT backdoor in government cyber espionage campaigns; the activity is attributed to the group in 2025 and targets entities across Myanmar, Mongolia, Malaysia, and Russia.

According to Kaspersky, COOLCLIENT is deployed as a secondary backdoor alongside PlugX and LuminousMoth infections. It is described as delivering encrypted loader files that contain configuration data, shellcode, and next-stage DLL modules; the modules are loaded in memory and executed through DLL side-loading.

The malware is designed to collect system and user information, including keystrokes, clipboard contents, files, and HTTP proxy credentials captured from HTTP traffic. It can also set up a reverse tunnel or proxy and load additional plugins in memory; plugins include ServiceMgrS[.]dll, FileMgrS[.]dll, and RemoteShellS[.]dll.

Between 2021 and 2025, Mustang Panda reportedly leveraged signed binaries from Bitdefender, VLC Media Player, Ulead PhotoImpact, and Sangfor as side-loading hosts for these operations, and campaigns in 2024–2025 abused Sangfor software to drop a COOLCLIENT variant that delivers a rootkit. The operation also involves broader tooling such as TONESHELL and related components to establish persistence and drop payloads, with code similarities noted between these components and a cookie stealer used by LuminousMoth.


Article by CyberSIXT