Government entities in Southeast Asia and Europe: HoneyMyte Hacker Group Expands CoolClient Malware With New Advanced Toolset

HoneyMyte APT Expands Cyber-Espionage Operations with Advanced Malware Upgrades in 2025

The HoneyMyte APT group (also known as Mustang Panda or Bronze President) has intensified its cyber-espionage campaigns across Asia and Europe, with Southeast Asia as the primary target. Active in 2025, the group has significantly upgraded its malware arsenal, focusing on government entities with enhanced tools for data exfiltration and system reconnaissance.

Evolved Malware Capabilities

HoneyMyte’s toolkit includes the ToneShell kernel-mode rootkit, PlugX and Qreverse backdoors, CoolClient backdoor, and Tonedisk/SnakeDisk USB worms. The group has refined existing malware while introducing new post-exploitation tools, particularly the CoolClient backdoor, which has undergone major functional upgrades.

CoolClient Backdoor Enhancements

First identified in 2022, CoolClient has evolved with new features in its 2025 variant, including:

  • Clipboard monitoring – Captures user data (window titles, process IDs, timestamps) via GetClipboardData and GetWindowTextW APIs, encrypting logs with XOR (key 0xAC) and storing them at C:\ProgramData\AppxProvisioning.xml.
  • HTTP proxy credential sniffing – Intercepts raw network traffic, extracting Proxy-Authorization headers and decoding Base64-encoded credentials for exfiltration.
  • DLL sideloading abuse – Leverages legitimate software (e.g., Sangfor applications, BitDefender, VLC Media Player) to execute malicious payloads.
  • Persistence mechanisms – Uses registry modifications and a scheduled task (ComboxResetTask) for long-term access.
  • Privilege escalation – Supports UAC bypass via a passuac mode.

Core functionalities remain, including system reconnaissance, file manipulation, keylogging, TCP tunneling, and reverse proxy operations.
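As an added triage example (not code from the report or from gbhackers), the following Python checks for the two host artifacts the report names: the XOR-encrypted (key 0xAC) clipboard log at C:\ProgramData\AppxProvisioning.xml and the ComboxResetTask scheduled task. The record layout of the sample log and the scheduled-task list are constructed assumptions; the report documents neither.

```python
"""Offline triage helper for the CoolClient host artifacts named above."""
from pathlib import Path
from typing import Optional

XOR_KEY = 0xAC                                           # log key from the report
ARTIFACT_PATH = r"C:\ProgramData\AppxProvisioning.xml"   # log drop path from the report
TASK_NAME = "ComboxResetTask"                            # scheduled task from the report

def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR is its own inverse, so this both decodes and encodes."""
    return bytes(b ^ key for b in data)

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or whitespace (~1.0 for a text log)."""
    if not data:
        return 0.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)

def looks_like_clipboard_log(raw: bytes, threshold: float = 0.95) -> bool:
    """A genuine .xml file is printable as-is; the malware log only becomes
    printable after XOR with 0xAC. Flag that second pattern."""
    return (printable_ratio(raw) < threshold
            and printable_ratio(xor_decode(raw)) >= threshold)

def check_artifact_file(path: str = ARTIFACT_PATH) -> Optional[bool]:
    """Inspect the drop path on a live host; None when the file is absent."""
    p = Path(path)
    return looks_like_clipboard_log(p.read_bytes()) if p.is_file() else None

def triage(raw: bytes, task_names: list) -> dict:
    """Combine the two indicators into one verdict for an analyst."""
    return {
        "xor_log_present": looks_like_clipboard_log(raw),
        "task_present": TASK_NAME.lower() in {t.lower() for t in task_names},
    }

# Constructed sample (assumed record layout; the report does not document it),
# XOR'd with 0xAC the way the malware would write it to disk.
SAMPLE_PLAINTEXT = b"2025-01-15 09:12:44|pid=4120|Untitled - Notepad|copied text\n"
SAMPLE_ARTIFACT = xor_decode(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    # Constructed task list standing in for the output of a scheduled-task enumeration.
    print(triage(SAMPLE_ARTIFACT, ["VendorUpdateTask", "ComboxResetTask"]))
```

On a real host, feed `triage` the bytes returned by reading ARTIFACT_PATH and the task names from your scheduled-task inventory; a hit on either indicator warrants a full image rather than just deleting the file.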

Plugin Ecosystem & Browser Credential Theft

CoolClient now supports three dedicated plugins:

  • FileMgrS.dll – Advanced file management.
  • RemoteShellS.dll – Remote command execution via hidden cmd.exe processes.
  • ServiceMgrS.dll – Windows service enumeration and manipulation.

HoneyMyte also deployed three browser credential stealers targeting Chrome, Microsoft Edge, and Chromium-based browsers, extracting saved logins using Windows DPAPI to decrypt master keys. One variant (Variant C) dynamically accepts runtime arguments for flexible targeting across different browser installation paths.

Supporting Tools & Data Exfiltration

The group employs PowerShell and batch scripts for system enumeration and document theft:

  • 1.bat – Downloads compression tools, scans networks, collects system data, and exfiltrates via FTP.
  • Ttraazcs32.ps1 – Searches for recently modified documents across all drives.
  • t.ps1 – Targets browser credential files, compresses data, and uploads to Pixeldrain using hardcoded API tokens.

Impact & Targeting

HoneyMyte’s 2025 operations reflect increased sophistication, with a focus on government networks in Southeast Asia and Europe. The group’s expanded toolset, particularly CoolClient’s new credential-stealing and clipboard-monitoring features, poses a heightened risk of data breaches and persistent access. Defenders are advised to monitor for CoolClient variants, PlugX, ToneShell, and associated malware families in high-risk regions.

Source: https://gbhackers.com/honeymyte-hacker-2/

Southeast Asia Public Policy Institute cybersecurity rating report: https://www.rankiteo.com/company/southeast-asia-public-policy-institute

{
  "id": "SOU1770159284",
  "linkid": "southeast-asia-public-policy-institute",
  "type": "Cyber Attack",
  "date": "1/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'industry': 'Government',
                        'location': ['Southeast Asia', 'Europe'],
                        'type': 'Government Entities'}],
 'attack_vector': ['DLL sideloading',
                   'Malware deployment',
                   'Phishing',
                   'USB worms'],
 'data_breach': {'data_encryption': 'XOR (key 0xAC) for logs, Windows DPAPI '
                                    'for browser credentials',
                 'data_exfiltration': True,
                 'file_types_exposed': ['Documents',
                                        'Browser credential files'],
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High (government and organizational '
                                        'data)',
                 'type_of_data_compromised': ['Browser credentials',
                                              'Clipboard data',
                                              'System reconnaissance data',
                                              'Document files']},
 'date_detected': '2025',
 'description': 'The HoneyMyte APT group (also known as Mustang Panda or '
                'Bronze President) has intensified its cyber-espionage '
                'campaigns across Asia and Europe, with Southeast Asia as the '
                'primary target. Active in 2025, the group has significantly '
                'upgraded its malware arsenal, focusing on government entities '
                'with enhanced tools for data exfiltration and system '
                "reconnaissance. The group's toolkit includes the ToneShell "
                'kernel-mode rootkit, PlugX and Qreverse backdoors, CoolClient '
                'backdoor, and Tonedisk/SnakeDisk USB worms. CoolClient has '
                'evolved with new features such as clipboard monitoring, HTTP '
                'proxy credential sniffing, DLL sideloading abuse, persistence '
                'mechanisms, and privilege escalation. The group also deployed '
                'browser credential stealers targeting Chrome, Microsoft Edge, '
                'and Chromium-based browsers.',
 'impact': {'data_compromised': 'Government and sensitive organizational data, '
                                'browser credentials, clipboard data, system '
                                'reconnaissance data',
            'identity_theft_risk': 'High (due to credential theft and PII '
                                   'exposure)',
            'operational_impact': 'Persistent access, data exfiltration, '
                                  'system reconnaissance',
            'systems_affected': 'Government networks, Windows-based systems'},
 'initial_access_broker': {'backdoors_established': ['CoolClient backdoor',
                                                     'PlugX',
                                                     'Qreverse'],
                           'high_value_targets': 'Government networks in '
                                                 'Southeast Asia and Europe'},
 'motivation': 'Cyber-Espionage',
 'post_incident_analysis': {'corrective_actions': 'Enhance monitoring for '
                                                  'CoolClient variants, '
                                                  'implement detection for DLL '
                                                  'sideloading, and secure '
                                                  'browser credential storage '
                                                  'using additional encryption',
                            'root_causes': 'Advanced malware upgrades, lack of '
                                           'detection for DLL sideloading and '
                                           'clipboard monitoring, insufficient '
                                           'monitoring of HTTP proxy '
                                           'credentials'},
 'recommendations': 'Monitor for CoolClient variants, PlugX, ToneShell, and '
                    'associated malware families in high-risk regions. '
                    'Implement detection for DLL sideloading, clipboard '
                    'monitoring, and HTTP proxy credential sniffing.',
 'references': [{'source': 'Cybersecurity Threat Intelligence Report'}],
 'threat_actor': 'HoneyMyte APT (Mustang Panda / Bronze President)',
 'title': 'HoneyMyte APT Expands Cyber-Espionage Operations with Advanced '
          'Malware Upgrades in 2025',
 'type': 'Cyber-Espionage'}