The HoneyMyte threat group, also known as Mustang Panda or Bronze President, continues to pose a significant risk to government organizations across Asia and Europe. <\/p>\n
Recent security research has revealed that this advanced hacker collective is actively upgrading its digital arsenal with enhanced versions of malware designed to steal sensitive information from targeted systems. <\/p>\n
The group\u2019s operations have been particularly concentrated in Southeast Asia, where government agencies remain the primary targets of their sophisticated campaigns.<\/p>\n
In 2025, security experts discovered that HoneyMyte significantly expanded its toolset by improving the CoolClient backdoor malware<\/a> with new capabilities. <\/p>\n Beyond the CoolClient upgrades, the group deployed several variants of a specialized browser login data stealer and utilized multiple scripts intended for harvesting confidential documents and gathering system details. <\/p>\n This evolution demonstrates the group\u2019s commitment to developing more effective tools for extracting valuable data<\/a> from compromised networks.<\/p>\n Securelist analysts noted<\/a> that the malware operates through a multi-stage delivery system that relies on DLL sideloading, a technique where legitimate software files are hijacked to load malicious code. <\/p>\n The malware has been observed in countries including Myanmar, Mongolia, Malaysia, Russia, and Pakistan. <\/p>\n Between 2021 and 2025, HoneyMyte abused legitimate applications from vendors such as BitDefender, VLC Media Player, and Sangfor to execute its malicious payload.<\/p>\n One of the most concerning developments involves HoneyMyte\u2019s new browser credential stealer, which specifically targets login information stored in popular web browsers. <\/p>\n The group deployed at least three variants of this stealer across different campaigns. Variant A targets Google Chrome, Variant B focuses on Microsoft Edge, and Variant C supports multiple Chromium-based browsers including Brave and Opera.<\/p>\n This flexibility allows attackers to harvest credentials<\/a> regardless of which browser users prefer on compromised machines.<\/p>\n The stealer operates by copying the target browser\u2019s login database and configuration files to temporary folders, then using Windows security features to decrypt stored passwords. <\/p>\n The malware extracts encrypted master keys from browser files, decrypts them using Windows Data Protection Application Programming Interface functions, and reconstructs complete login records containing usernames and passwords. <\/p>\n After gathering this sensitive information, the malware saves the harvested credentials to hidden system folders for later exfiltration to attacker-controlled servers.<\/p>\n This capability, combined with other features like keylogging<\/a> and clipboard monitoring, reveals HoneyMyte\u2019s transition toward active surveillance of victim systems beyond traditional espionage objectives. <\/p>\n Organizations operating in government sectors should implement strong detection measures and maintain vigilant monitoring for signs of CoolClient backdoor infections, browser stealer activity, and related malware families used by this determined threat actor.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post HoneyMyte Hacker Group Updates CoolClient Malware to Deploy Browser Login Data Stealer<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"Variants](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj6pl5PMC_nUsKxneN3DFGxvGFdmOYcaYXNCTjwmFWlv4NOd8_KQZRf-azxUkJfG_xFhYPAsD1XRclejvtayn3m2weBeEdrDQCQj_z2U1gt8u0g1mFlIXS2tVYkzkN26k1aVm2E9ZMd23XSgRD0CxsCpGm5OWkIsiBaNe8VEpZ6ilV364fVGcmdRU-P1vY\/s16000\/Variants%2520of%2520CoolClient%2520abusing%2520different%2520software%2520for%2520DLL%2520sideloading%2520%282021%25E2%2580%25932025%29%2520%28Source%2520-%2520Securelist%29.webp?ssl=1\")
![\"Overview](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgOs7CvSuGUQAAKygGJ-EAZW6deQr8H5-TwtuY-pKryAXAMlCihZ5NsXa7Mp4VtpTpy2MRd0-tUA3S6jnNU6ESl1JFSiE0pdB7I6vK1YYRllMunH5r2gaIKqeQKWhXjPOs8QqfEqgYAfsyfyoVv5CDKsxvQ7AB4keTM2dzPWE_rbsfsRUfvL7Vh3zZwuDU\/s16000\/Overview%2520of%2520CoolClient%2520execution%2520flow%2520%28Source%2520-%2520Securelist%29.webp?ssl=1\")
The Browser Credential Stealer and Detection Evasion<\/strong><\/h2>\n
![\"Function](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiSBWCEbXIkI6-wQQmaPIrhvw-CX7X_24KFRduParuWY9m7mArUNojyMbWgcaaTGTajy7OMvJfKhNx1ANOZLGf6Bpv5bCPkohRs_MzLXpVQPJUqWW_46DLwazbadEcvb0wBn3kOkqfMRtpAMXYb0xBbDDoPGRCRrDMFWxM73EXd_sS1U6zlnSoZ-OfXRsw\/s16000\/Function%2520that%2520copies%2520Chrome%2520browser%2520login%2520data%2520into%2520a%2520temporary%2520file%2520%28chromeTmp%29%2520for%2520exfiltration%2520%28Source%2520-%2520Securelist%29.webp?ssl=1\")