This dangerous APT has expanded its skills with some new tools - here's what we know


  • Mustang Panda upgrades CoolClient backdoor with new rootkit and expanded capabilities
  • New features include clipboard monitoring, proxy credential sniffing, and enhanced plugin ecosystem
  • Updated malware used against governments in Asia and Russia for espionage and data theft

Chinese state-sponsored hackers Mustang Panda have upgraded one of their backdoors with new capabilities, potentially making it even more dangerous than ever.

Security researchers at Kaspersky recently spotted the backdoor, called CoolClient, being used in an attack that deployed a brand-new rootkit.

Mustang Panda is a known threat actor whose activities align closely with Chinese national interests: cyber-espionage, data theft, and persistent access. It has a large arsenal of custom tools, including backdoors, RATs, and rootkits. Among them is CoolClient, a backdoor first seen in 2022 that is usually deployed as a secondary backdoor, alongside PlugX and LuminousMoth.

Clipboard capture and HTTP proxy credential sniffing

Now, even though the legacy variant was dangerous as it was, Mustang Panda decided to give it a facelift, Kaspersky said.

Originally, CoolClient was able to profile and gather system and user details, and record keystrokes. It allowed Mustang Panda to upload and delete files, run TCP tunneling and reverse-proxy listening, and execute code in memory. It featured different persistence mechanisms, UAC bypasses, and DLL sideloading.

Now, it can monitor the clipboard and capture copied contents (for example, passwords picked up from password managers, or cryptocurrency wallet information stored elsewhere) and enables HTTP proxy credential sniffing. It also has an expanded plugin ecosystem, including a remote shell plugin for interactive command execution, a service management plugin, and a more capable file management plugin.

Furthermore, it allows for credential theft via infostealers, as well as the use of legitimate cloud services for quiet exfiltration of stolen data.

Kaspersky said it saw the updated version of the malware used in attacks against government entities in Myanmar, Mongolia, Malaysia, and Pakistan. It was also found on devices belonging to the Russian government, but that should come as no surprise, since China has been seen before trying to spy on its allies and partners.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
