Mustang Panda Revisited Malware Upgrade

Mustang Panda Revisited Upgraded CoolClient Malware to Steal Browser Login

The name of Mustang Panda or HoneyMyte may be familiar to cybersecurity followers, because over the past year, a group of hackers have attacked Thai government agencies with malware that, once embedded into the system, can spread through a USB drive, and this time the hackers have returned.

According to a report by the website Cyber Press, it discusses the return of hackers from China, Mustang Panda, in late 2025, along with the upgrading of CoolClient malware, a type of system back door or backdoor malware, with new features that make it easier to steal login data from web browsers. Of course, this group of hackers continues to focus its attacks on Southeast Asian countries such as Myanmar, Malaysia and Thailand. It also attacks other countries such as Mongolia, Pakistan, and Russia.

CoolClient malware is not new because it has been detected since 2022, according to Sophos, a company that develops anti-malware tools for enterprises, and has been confirmed by Trend Micro, another anti-malware developer, that the malware exists. During that time, the malware served as a secondary backdoor to PlugX and LuminousMoth malware.

To send this malware into the victim's machine, hackers originally used Shellcode-encrypted loader and malware DLL files as a malware transmitter by luring properly-signed applications such as BitDefender, VLC, Ulead PhotoImpact, and Sangfor as a malware DLL loader. This is a method of attack called DLL Sideloading. For the latest version, the malware uses Sangfor's Sang.exe to load a DLL file called libngs.dll. By loading it, it leads to decryption. (Decoding) The settings files of the malware are named loader.dat and time.dat.

From that step it leads to the implementation of 3 Param parameters (except for the first that is not the implementation of Param), i.e.

No param to lead to "Trigger" Install (install malware)

Install leads to Run Key, creates a write.exe file, shoots the script from loader.dat, sets up a Service called media _ updaten, checks if there is an anti-virus such as 360sd.exe running on the machine)

Work, this Param will be shot into a process called write.exe

Passuac will perform Bypass, UAC (User Account Control), Fake (Spoof) Process svchost PEB, and add a task called ComboxResetTask.

And finally, it loads DLL files inside main.dat, which have a variety of malware capabilities, such as

It stores information about the victim's system, such as the name of the machine, the operating system, and specifications.

Ability to upload and delete files on the machine

TCP Tunneling Implementation

Plug-In implementation of malware

Proxy Reverse Implementation

Keylogging

In addition, in the latest version of the malware, various capabilities have been added, such as

Data observation on ClipBoard with the implementation of the GetClipboardData / GetWindowTextW command and then using XOR-based encoding to C: ProgramDataAppxProvisioning xml

Tracking various Window activations

Data capture via HTTP protocol with HTTP Proxy Sniffer method

The malware, in addition to the early malware capabilities, has three plug-ins:

FileMgrS.dll for managing files on the machine (File Ops)

ServiceMgrS.dll is used to manage various services on board, covering both enum / start / stop / create.

RemoteShellS.dll used to hide cmd.exe with Pipe I / O

Not only that, the malware is also paired (Pair), the malware, together with the web browser data theft malware (Browser Stealer), covering a variety of browsers, e.g.

Chrome, MD5: 1A5A9C013CE1B65ABC75D809A25D36A7

Edge, E1B7EF0F3AC0A0A64F86E220F362B149

Chromium, DA6F89F15094FD3F74BA186954BE6B05

# Trending # Lemon 8 Howtoo # lemon 8 diary # freedomhack # Malware