Mustang Panda Deploys Updated COOLCLIENT Backdoor in Government Cyber Attacks
Threat actors with ties to China have been observed using an updated version of a backdoor called COOLCLIENT in cyber espionage attacks in 2025 to facilitate comprehensive data theft from infected endpoints. The activity has been attributed to Mustang Panda (aka Earth Preta, Fireant, HoneyMyte, Polaris, and Twill Typhoon) with the intrusions primarily directed against government entities located
AI Analysis
Technical Summary
Mustang Panda, also known by aliases such as Earth Preta and HoneyMyte, is a China-affiliated advanced persistent threat (APT) group that has been observed deploying an updated version of the COOLCLIENT backdoor in cyber espionage campaigns throughout 2025. COOLCLIENT is a modular backdoor that uses DLL side-loading techniques to execute malicious payloads under the guise of legitimate signed executables from trusted software vendors like Bitdefender, VLC Media Player, Ulead PhotoImpact, and Sangfor. This technique allows the malware to evade detection by security solutions that trust signed binaries. The malware is typically delivered alongside encrypted loader files containing configuration data, shellcode, and in-memory DLL modules. Once active, COOLCLIENT can perform extensive data theft operations, including capturing keystrokes, clipboard contents, HTTP proxy credentials, and files from infected endpoints. It communicates with its command-and-control (C2) servers over TCP, enabling operators to execute commands, deploy plugins, and establish reverse tunnels or proxies for persistent access. The malware supports plugins such as ServiceMgrS.dll for service management, FileMgrS.dll for file operations, and RemoteShellS.dll for remote command execution. Mustang Panda’s campaigns also involve deploying multiple stealer programs targeting credentials stored in Chromium-based browsers and Mozilla Firefox, exfiltrating data even to cloud services like Google Drive. The group has been linked to additional malware families including TONESHELL, QReverse RAT, and a USB worm named TONEDISK, which facilitate persistence, lateral movement, and further payload deployment. The attacks primarily target government entities across Myanmar, Malaysia, Mongolia, Russia, and neighboring regions, with a focus on espionage and active surveillance of user activity. 
The malware’s capabilities extend beyond traditional espionage, indicating a shift toward comprehensive monitoring and credential theft. The use of signed binaries for DLL side-loading and the deployment of multiple sophisticated tools highlight Mustang Panda’s advanced operational capabilities and the complexity of their intrusion campaigns.
Potential Impact
For European organizations, especially government entities and critical infrastructure, the deployment of COOLCLIENT by Mustang Panda represents a significant espionage threat. The malware’s ability to stealthily execute via signed binaries complicates detection and mitigation efforts, increasing the risk of prolonged undetected intrusions. The comprehensive data theft capabilities, including keystroke logging, clipboard monitoring, and browser credential harvesting, can lead to the compromise of sensitive government communications, classified documents, and user credentials. This could result in loss of confidentiality, enabling adversaries to gain strategic intelligence, influence policy decisions, or disrupt governmental operations. The malware’s modular design and plugin support allow attackers to adapt their tactics, potentially escalating to sabotage or broader network compromise. The use of reverse tunnels and proxies facilitates persistent access and lateral movement within networks, increasing the risk of widespread infection and data exfiltration. Given the geopolitical tensions involving China and Europe, such espionage campaigns could exacerbate diplomatic conflicts and undermine trust in digital government services. Additionally, the targeting of telecom operators and use of USB worms indicate potential risks to critical communication infrastructure in Europe, which could have cascading effects on national security and public safety.
Mitigation Recommendations
European organizations should implement targeted defenses against DLL side-loading by monitoring and restricting the execution of unsigned or suspicious DLLs loaded by signed executables, especially those known to be abused by Mustang Panda. Application whitelisting should be enforced with strict controls on software execution paths and digital signatures. Endpoint detection and response (EDR) solutions must be tuned to detect anomalous behaviors such as unusual network connections to C2 servers, in-memory execution of DLLs, and the use of uncommon plugins or shell commands. Network segmentation and strict egress filtering can limit the malware’s ability to establish reverse tunnels or exfiltrate data. Regular threat hunting focused on indicators of compromise related to Mustang Panda’s toolset, including known signed binaries abused for side-loading and artifacts from COOLCLIENT plugins, is essential. Credential hygiene should be improved by enforcing multi-factor authentication (MFA) and regularly auditing stored browser credentials. PowerShell and batch script execution should be monitored and restricted to prevent post-exploitation activities. Incident response plans must include procedures for detecting and eradicating advanced persistent threats using stealthy malware like COOLCLIENT. Collaboration with national cybersecurity agencies and sharing of threat intelligence on Mustang Panda’s tactics can enhance collective defense. Finally, organizations should ensure timely patching of software and maintain updated threat intelligence feeds to recognize emerging variants and related malware.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Poland, Netherlands, Belgium, Sweden, Finland
Technical Details
Article Source: https://thehackernews.com/2026/01/mustang-panda-deploys-updated.html (fetched 2026-01-28T20:27:03.995Z, 1261 words)
Threat ID: 697a711c4623b1157ced2a15
Added to database: 1/28/2026, 8:27:08 PM
Last enriched: 1/28/2026, 8:28:39 PM
Last updated: 2/7/2026, 6:00:52 PM