HoneyMyte Threat Group Enhances Cyber Espionage Arsenal with Advanced Malware
The HoneyMyte threat group also tracked as Mustang Panda or Bronze President has intensified its cyber espionage campaigns, targeting government organizations across Asia and Europe with upgraded malware tools. Recent research reveals the group’s focus on Southeast Asia, where it has refined its tactics to extract sensitive data from compromised systems.
In 2025, security analysts identified significant enhancements to CoolClient, HoneyMyte’s primary backdoor malware. The group has expanded its toolset with new variants of the malware, leveraging DLL sideloading a technique that abuses legitimate software (including BitDefender, VLC Media Player, and Sangfor) to execute malicious payloads. Campaigns have been detected in Myanmar, Mongolia, Malaysia, Russia, and Pakistan, with government agencies as the primary targets.
Beyond CoolClient, HoneyMyte has deployed specialized browser credential stealers to harvest login data from popular browsers. Three variants have been observed:
- Variant A: Targets Google Chrome
- Variant B: Focuses on Microsoft Edge
- Variant C: Supports Chromium-based browsers (Brave, Opera)
The malware extracts encrypted credentials by copying browser databases, decrypting them using Windows Data Protection API, and exfiltrating the data to attacker-controlled servers. Additional capabilities, such as keylogging and clipboard monitoring, suggest a shift toward active surveillance beyond traditional espionage.
HoneyMyte’s evolving tactics underscore its persistence in refining tools for data theft and system compromise, posing a continued threat to high-value targets in the region.
Source: https://cybersecuritynews.com/honeymyte-hacker-group-updates-coolclient-malware/
Sangfor Technologies cybersecurity rating report: https://www.rankiteo.com/company/sangfor-technologies
Cooperative Computing cybersecurity rating report: https://www.rankiteo.com/company/cooperative-computing
VideoLAN cybersecurity rating report: https://www.rankiteo.com/company/videolan
Bitdefender cybersecurity rating report: https://www.rankiteo.com/company/bitdefender
"id": "SANCOOVIDBIT1769585434",
"linkid": "sangfor-technologies, cooperative-computing, videolan, bitdefender",
"type": "Cyber Attack",
"date": "1/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Government',
'location': ['Myanmar',
'Mongolia',
'Malaysia',
'Russia',
'Pakistan',
'Asia',
'Europe'],
'type': 'Government Organizations'}],
'attack_vector': ['DLL Sideloading', 'Malware Deployment'],
'data_breach': {'data_encryption': 'Data decrypted using Windows Data '
'Protection API',
'data_exfiltration': 'Yes (to attacker-controlled servers)',
'personally_identifiable_information': 'Likely (browser '
'credentials)',
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Browser credentials',
'Keylogging data',
'Clipboard data',
'Sensitive government data']},
'date_detected': '2025',
'description': 'The HoneyMyte threat group (also tracked as Mustang Panda or '
'Bronze President) has intensified its cyber espionage '
'campaigns, targeting government organizations across Asia and '
'Europe with upgraded malware tools. Recent research reveals '
'the group’s focus on Southeast Asia, where it has refined its '
'tactics to extract sensitive data from compromised systems. '
'In 2025, security analysts identified significant '
'enhancements to CoolClient, HoneyMyte’s primary backdoor '
'malware, leveraging DLL sideloading to abuse legitimate '
'software (including BitDefender, VLC Media Player, and '
'Sangfor) to execute malicious payloads. The group has also '
'deployed specialized browser credential stealers to harvest '
'login data from Google Chrome, Microsoft Edge, and '
'Chromium-based browsers (Brave, Opera), along with keylogging '
'and clipboard monitoring capabilities.',
'impact': {'data_compromised': 'Sensitive government data, browser '
'credentials, keylogging data, clipboard data',
'identity_theft_risk': 'High (due to credential theft)',
'operational_impact': 'Potential compromise of government '
'operations and surveillance capabilities',
'systems_affected': 'Government systems in Southeast Asia and '
'Europe'},
'initial_access_broker': {'backdoors_established': 'CoolClient backdoor',
'high_value_targets': 'Government agencies in '
'Southeast Asia and Europe'},
'motivation': 'Cyber Espionage, Data Theft',
'post_incident_analysis': {'root_causes': 'Abuse of legitimate software for '
'DLL sideloading, deployment of '
'advanced malware (CoolClient, '
'browser credential stealers)'},
'references': [{'source': 'Security Research'}],
'threat_actor': 'HoneyMyte (Mustang Panda / Bronze President)',
'title': 'HoneyMyte Threat Group Enhances Cyber Espionage Arsenal with '
'Advanced Malware',
'type': 'Cyber Espionage',
'vulnerability_exploited': 'Abuse of legitimate software (BitDefender, VLC '
'Media Player, Sangfor)'}