
CoolClient backdoor variant adds browser login theft and clipboard monitoring

Malware Activity
Happening score: 28
2 unique sources, 2 articles

Summary


The CoolClient backdoor used by Mustang Panda has been updated in a new variant that steals browser login data and monitors the clipboard, adding active window title tracking and HTTP proxy credential sniffing to broaden credential theft on compromised systems. The malware’s toolkit also includes keylogging, TCP tunneling, reverse-proxying, and in-memory execution of dynamically fetched plugins, with newer capabilities for remote shell, service management, and file management. It persists through Registry modifications, Windows services, and scheduled tasks, and has been seen in attacks against government entities in Myanmar, Mongolia, Malaysia, Russia, and Pakistan. Delivery has included legitimate software from Sangfor and earlier DLL side-loading with signed binaries from Bitdefender, VLC Media Player, and Ulead PhotoImpact.

Related Happenings

Gremlin stealer modular toolkit evolution

Malware Activity
First: 15.05.2026 17:19 Last: 15.05.2026 17:19 Sources 1

About this happening: The **Gremlin stealer** malware has expanded into a **modular toolkit** with **session-hijacking** and **crypto clipping** capabilities, raising the risk of credential theft and a...

FDMTP 3.2.5.1 modular backdoor activity in Asia-Pacific and Japan

Malware Activity
First: 14.05.2026 18:00 Last: 14.05.2026 18:00 Sources 1

About this happening: An updated **FDMTP backdoor** variant is active in a **months-long espionage operation** against **Asia-Pacific and Japan** networks, increasing the risk of stealthy remote access...

TCLBanker self-spreading banking trojan

Malware Activity
First: 08.05.2026 01:06 Last: 08.05.2026 01:06 Sources 1

About this happening: The **TCLBanker** trojan now combines **trojanized installer** delivery with **self-spreading worm modules**, widening access to **59 banking, fintech, and cryptocurrency platform...

ABCDoor backdoor activity in Silver Fox attacks

Malware Activity
First: 04.05.2026 14:35 Last: 04.05.2026 14:35 Sources 1

About this happening: The newly identified **ABCDoor** backdoor is being used in **real-world attacks** by **Silver Fox**, expanding the group's malware set and increasing the risk of covert remote acc...

DEEP#DOOR Python backdoor framework

Malware Activity
First: 30.04.2026 15:36 Last: 30.04.2026 15:36 Sources 1

About this happening: **DEEP#DOOR** is a newly disclosed **Python-based backdoor framework** that can keep **persistent access** to compromised Windows hosts while stealing browser, SSH, and cloud cred...

Timeline

  1. 28.01.2026 00:26 3 articles · 3mo ago

    CoolClient gains browser login theft and clipboard monitoring

    Technical Analysis Update

    Kaspersky researchers describe a new CoolClient backdoor variant used by Mustang Panda that adds browser login-data theft, clipboard monitoring, active window title tracking, and HTTP proxy credential sniffing, while also expanding the plugin set with remote shell, service management, and file management functions. The updated malware also deploys a previously unseen rootkit, uses encrypted .DAT files in multi-stage execution, persists through Registry modifications, Windows services, and scheduled tasks, and has been observed in attacks targeting government entities in Myanmar, Mongolia, Malaysia, Russia, and Pakistan via legitimate software from Sangfor.
