Chinese espionage group Mustang Panda has updated its CoolClient backdoor to a variant that can steal browser login data, monitor the clipboard, and deploy a previously unseen rootkit. The attacks have used legitimate Sangfor software to target government entities in Myanmar, Mongolia, Malaysia, Russia, and Pakistan, and the new variant adds plugins, infostealers for Chromium browsers, and exfiltration via hardcoded Google Drive and Pixeldrain tokens. #MustangPanda #CoolClient #Sangfor #ToneShell #PlugX #LuminousMoth
Key points
- Mustang Panda's updated CoolClient can steal browser logins, monitor the clipboard, and track active window titles.
- Kaspersky observed a previously unseen rootkit and delivery via legitimate Sangfor software.
- Campaigns targeted government entities in Myanmar, Mongolia, Malaysia, Russia, and Pakistan.
- New plugins add remote shell, service management, and enhanced file operations alongside existing keylogging and TCP tunneling.
- Infostealers for Chrome, Edge, and other Chromium browsers exfiltrate data using hardcoded Google Drive and Pixeldrain API tokens.