New Features in CoolClient
Kaspersky researchers discovered that the CoolClient backdoor, originally seen in 2022, has been revamped with several high‑risk capabilities.
- Clipboard monitoring and automatic capture of copied content, including passwords and cryptocurrency wallet data.
- HTTP proxy credential sniffing to harvest authentication details from network traffic.
- An expanded plugin ecosystem that adds a remote‑shell plugin for interactive command execution, a service‑management plugin, and a more powerful file‑management plugin.
- Support for in‑memory execution and the use of legitimate cloud services for stealthy data exfiltration.
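The proxy credential sniffing bullet above is worth understanding from the defender's side: when a client authenticates to an explicit HTTP proxy with the Basic scheme, the user name and password travel in a single Base64 header that anything reading the host's HTTP stream can decode, and even NTLM exchanges expose material that can be cracked offline. The script below is an added example, not code from the original write-up and not CoolClient's own logic; it audits constructed HTTP proxy requests (the hosts, user name and password are made up) and reports which ones leak credentials, without printing the secret itself. Which authentication scheme CoolClient actually targets is not stated on the page, so Basic and NTLM here are assumptions chosen to illustrate the point.

```python
"""Audit constructed HTTP proxy traffic for credentials exposed in the clear.

Added illustration only: this is not CoolClient code and not from the
original write-up. It shows why proxy credentials are harvestable by any
component that can read the local HTTP stream. All sample requests,
hosts, user names and passwords below are constructed.
"""
import base64
import re
from typing import List, Optional

# Constructed sample of what a client sends to an explicit HTTP proxy.
# Request 1 uses Basic auth (password in the clear once Base64 is undone),
# request 2 uses NTLM (a constructed Type 1 blob, no password inside),
# request 3 carries no proxy credentials at all.
SAMPLE_REQUESTS = [
    "CONNECT mail.example.test:443 HTTP/1.1\r\n"
    "Host: mail.example.test:443\r\n"
    "Proxy-Authorization: Basic "
    + base64.b64encode(b"jdoe:Winter2024!").decode() + "\r\n"
    "\r\n",
    "GET http://intranet.example.test/ HTTP/1.1\r\n"
    "Host: intranet.example.test\r\n"
    "Proxy-Authorization: NTLM "
    + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(28)).decode() + "\r\n"
    "\r\n",
    "GET http://intranet.example.test/status HTTP/1.1\r\n"
    "Host: intranet.example.test\r\n"
    "\r\n",
]

# Header name is case-insensitive; scheme and token are whitespace separated.
HEADER_RE = re.compile(r"^Proxy-Authorization:\s*(\S+)\s*(\S*)\s*$", re.I | re.M)


def extract_proxy_credentials(request: str) -> Optional[dict]:
    """Return a finding for one raw HTTP request, or None if no proxy auth is present.

    The finding records the scheme, the user name when it is recoverable,
    and whether the password itself is exposed. The password is never
    stored, only its presence is noted.
    """
    match = HEADER_RE.search(request)
    if not match:
        return None
    scheme, token = match.group(1).lower(), match.group(2)
    finding = {"scheme": scheme, "username": None, "password_exposed": False}

    if scheme == "basic":
        # RFC 7617: Base64(user ":" password). Decoding it is all a sniffer needs.
        try:
            decoded = base64.b64decode(token, validate=True).decode("latin-1")
        except ValueError:
            finding["malformed"] = True
            return finding
        user, _, password = decoded.partition(":")
        finding["username"] = user
        finding["password_exposed"] = bool(password)
    elif scheme == "ntlm":
        # NTLM is challenge/response: the password is not sent, but the
        # captured response can be cracked offline or relayed. Flag it as
        # sensitive without claiming the clear-text password was exposed.
        finding["offline_crackable"] = True
    return finding


def audit(requests: List[str]) -> List[dict]:
    """Run extract_proxy_credentials over a batch and keep only positive findings."""
    findings = (extract_proxy_credentials(r) for r in requests)
    return [f for f in findings if f is not None]


if __name__ == "__main__":
    for f in audit(SAMPLE_REQUESTS):
        print(f)
```

On a real host the same check would be run over a packet capture or proxy log rather than an in-memory list; the point is that a Basic proxy header is a complete credential, and the mitigation is to move proxy authentication to Kerberos or NTLM, or to avoid proxy authentication over plain HTTP entirely.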
Operational Impact
The upgraded malware has already been observed in active campaigns against government entities across Asia and on devices linked to the Russian government.
- Targets include ministries and agencies in Myanmar, Mongolia, Malaysia and Pakistan.
- Instances found on systems used by Russian governmental bodies, highlighting cross‑regional espionage activity.
Why It Matters
Mustang Panda, a Chinese state‑aligned threat actor, routinely deploys custom tools such as PlugX and now an enhanced CoolClient, and has been linked to the LuminousMoth activity cluster. The new capabilities increase the threat’s ability to harvest sensitive credentials, maintain persistent access, and exfiltrate data without detection, raising the risk for both public sector and private organizations worldwide.