securelist.com, 1/27/2026, 8:30:59 AM

HoneyMyte updates CoolClient and deploys multiple stealers in recent campaigns

Kaspersky’s GReAT researchers on 27 January 2026 detailed how HoneyMyte (aka Mustang Panda or Bronze President) has updated its CoolClient backdoor and expanded its toolset in recent campaigns across Asia and Europe, with the group targeting government entities.

The updated CoolClient versions ship with several browser credential stealers and related scripts, including three browser data stealer variants: Variant A, targeting Chrome; Variant B, targeting Edge; and Variant C, targeting Chromium-based browsers via DLL side-loading (MD5 hashes 1A5A9C013CE1B65ABC75D809A25D36A7, E1B7EF0F3AC0A0A64F86E220F362B149 and DA6F89F15094FD3F74BA186954BE6B05 respectively).

In addition to credential collection, the malware now includes a clipboard and active window monitor, an HTTP proxy credential sniffer, and a range of plugins such as ServiceMgrS[.]dll, FileMgrS[.]dll and RemoteShellS[.]dll for in-memory operations and remote command execution. The campaign also features batch and PowerShell scripts (1[.]bat, Ttraazcs32.ps1 and t.ps1) used for data collection, compression and exfiltration, with data leaving the network via FTP and public file-sharing services such as Pixeldrain.
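The collect, compress, then exfiltrate sequence described above lends itself to a behavioural hunt rather than a pure hash match. The following is an added example, not code from the article or from Kaspersky: it correlates, per host, an archive written by a script host with an outbound FTP or file-sharing connection inside a short window. The log schema, the Pixeldrain domain, the FTP ports and the sample telemetry are all assumptions constructed for the demonstration.

```python
import re
from datetime import datetime, timedelta

# Rule: a PowerShell/cmd-hosted process writes an archive and, within WINDOW,
# the same host opens an FTP connection or a connection to a file-sharing host.
EXFIL_HOSTS = {"pixeldrain.com"}   # assumption: Pixeldrain's public domain
FTP_PORTS = {21, 990}              # assumption: plain and implicit-TLS FTP
ARCHIVE_RE = re.compile(r"\.(zip|rar|7z|cab)$", re.I)
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe"}
WINDOW = timedelta(minutes=10)

def parse(line):
    """Parse one constructed log line: '<iso-ts> <host> <type> <process> <detail>'."""
    ts, host, kind, proc, detail = line.split(" ", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind,
            "proc": proc.lower(), "detail": detail}

def detect_compress_then_exfil(lines):
    """Return (host, archive, destination) for each archive-write -> exfil sequence."""
    recent = {}   # host -> [(ts, archive path)] written by a script host
    hits = []
    for ev in sorted(map(parse, lines), key=lambda e: e["ts"]):
        if ev["kind"] == "FILE_WRITE" and ev["proc"] in SCRIPT_HOSTS \
                and ARCHIVE_RE.search(ev["detail"]):
            recent.setdefault(ev["host"], []).append((ev["ts"], ev["detail"]))
        elif ev["kind"] == "NET_CONNECT":
            dest, _, port = ev["detail"].rpartition(":")
            exfil = dest.lower() in EXFIL_HOSTS or int(port) in FTP_PORTS
            for ts, archive in recent.get(ev["host"], []):
                if exfil and ev["ts"] - ts <= WINDOW:
                    hits.append((ev["host"], archive, ev["detail"]))
    return hits

# Constructed sample telemetry (not taken from the article).
SAMPLE = [
    "2026-01-20T09:00:00 WS01 FILE_WRITE powershell.exe C:\\Users\\u\\AppData\\Local\\Temp\\docs.zip",
    "2026-01-20T09:03:10 WS01 NET_CONNECT powershell.exe pixeldrain.com:443",
    "2026-01-20T09:05:00 WS02 FILE_WRITE explorer.exe C:\\Users\\u\\Desktop\\photos.zip",
    "2026-01-20T09:06:00 WS02 NET_CONNECT chrome.exe pixeldrain.com:443",
    "2026-01-20T10:00:00 WS03 FILE_WRITE cmd.exe C:\\ProgramData\\out.rar",
    "2026-01-20T11:30:00 WS03 NET_CONNECT ftp.exe 203.0.113.5:21",
]

if __name__ == "__main__":
    for hit in detect_compress_then_exfil(SAMPLE):
        print("compress-then-exfil:", *hit)
```

Only WS01 fires: WS02's archive was written by a user process, and WS03's FTP connection falls outside the window.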

The authors link HoneyMyte to the ToneShell campaigns and note its continued emphasis on post-exploitation data theft and surveillance across the affected regions.

Article by CyberSIXT