Mark0

HoneyMyte updates CoolClient and deploys multiple stealers in recent campaigns

Kaspersky researchers have identified significant updates to the toolset of the HoneyMyte APT group (also known as Mustang Panda or Bronze President). The group has evolved its CoolClient backdoor with advanced features, including clipboard monitoring and HTTP proxy credential sniffing, to enhance its surveillance capabilities. These updates have been observed in multiple campaigns across Southeast Asia and Europe, primarily targeting government entities through DLL sideloading techniques.

In addition to the backdoor, the threat actor has deployed a suite of browser login data stealers and custom scripts for reconnaissance. These tools target Chromium-based browsers like Chrome and Edge to harvest saved credentials, while specialized Batch and PowerShell scripts automate the theft of sensitive documents. HoneyMyte has also shifted toward abusing public file-sharing services, such as Pixeldrain, to exfiltrate stolen data covertly, reflecting a sophisticated approach to maintaining persistence and conducting high-value espionage.
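One defensive check a SOC could derive from the exfiltration detail above is a proxy-log scan for large uploads to public file-sharing domains. The script below is an added example, not code from Kaspersky or from this post; the log format, the client addresses, the URL paths and the byte threshold are all constructed assumptions for the demo, and only the pixeldrain.com domain comes from the summary.

```python
"""Flag outbound uploads to public file-sharing services in proxy logs.

Added example (not from the Kaspersky report or this post). Assumes a
space-separated proxy log format constructed for this demo:
    <timestamp> <client_ip> <method> <url> <status> <bytes_sent>
Real proxies use their own formats; adapt parse_line() accordingly.
"""
from urllib.parse import urlparse

# pixeldrain.com is named in the report; extend this set with whatever
# file-sharing services your environment does not sanction.
WATCHED_DOMAINS = {"pixeldrain.com"}
UPLOAD_METHODS = {"POST", "PUT"}
MIN_UPLOAD_BYTES = 100_000  # assumed threshold; tune per environment


def parse_line(line):
    """Split one constructed-format log line into a record dict."""
    ts, client, method, url, status, sent = line.split()
    return {
        "ts": ts,
        "client": client,
        "method": method.upper(),
        "url": url,
        "status": int(status),
        "bytes_sent": int(sent),
    }


def is_watched_host(host):
    """True for a watched domain or any of its subdomains."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def is_suspicious_upload(rec):
    """An upload-method request to a watched host that exceeds the size threshold."""
    host = urlparse(rec["url"]).hostname
    return (
        is_watched_host(host)
        and rec["method"] in UPLOAD_METHODS
        and rec["bytes_sent"] >= MIN_UPLOAD_BYTES
    )


def find_suspicious_uploads(lines):
    """Return the records that match, skipping blank lines."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_suspicious_upload(rec):
            hits.append(rec)
    return hits


def bytes_per_client(hits):
    """Aggregate flagged upload volume per client for triage ordering."""
    totals = {}
    for rec in hits:
        totals[rec["client"]] = totals.get(rec["client"], 0) + rec["bytes_sent"]
    return totals


# Constructed sample log: one large POST to the watched domain should fire;
# the GET and the tiny PUT to a subdomain should not.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.1.2.3 GET https://example.org/index.html 200 512
2024-05-01T10:00:07Z 10.1.2.3 GET https://pixeldrain.com/ 200 4096
2024-05-01T10:00:09Z 10.1.2.3 POST https://pixeldrain.com/upload 201 7340032
2024-05-01T10:01:14Z 10.1.2.4 PUT https://cdn.pixeldrain.com/upload 200 50
"""

if __name__ == "__main__":
    for rec in find_suspicious_uploads(SAMPLE_LOG.splitlines()):
        print(f"{rec['ts']} {rec['client']} {rec['method']} "
              f"{rec['url']} {rec['bytes_sent']} bytes")
```

Matching on the hostname rather than a substring of the URL avoids false positives on pages that merely mention the domain, and the per-client aggregation gives a triage order when several hosts are flagged. Correlate hits with the endpoint process that opened the connection where your telemetry allows it.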
