The HoneyMyte hacker group, also identified as Mustang Panda or Bronze President, has significantly evolved its cyber arsenal, notably enhancing its CoolClient malware to deploy a sophisticated browser login data stealer. This advancement poses a persistent and growing threat to government organizations throughout Asia and Europe, with a particular focus on Southeast Asia.
Recent security research, spanning from 2021 to 2025, has detailed HoneyMyte’s persistent efforts to refine its offensive capabilities. The group’s operations are characterized by the development and deployment of advanced malware designed to pilfer sensitive information from targeted high-value entities. The observed upgrades to the CoolClient backdoor malware and the introduction of new data-stealing tools underscore the group’s commitment to improving its efficacy in espionage operations.
The HoneyMyte threat collective has been observed expanding its toolset, with notable focus on improving the CoolClient backdoor malware. In addition to these upgrades, the group has deployed several variants of a specialized browser login data stealer. Furthermore, HoneyMyte has utilized multiple scripts designed for harvesting confidential documents and gathering critical system details. This evolution clearly demonstrates the group’s dedication to developing more potent tools for data extraction from compromised networks.
The Browser Credential Stealer and Detection Evasion
One of the most significant recent developments from HoneyMyte is the introduction of a new browser credential stealer. This malicious tool is specifically engineered to target and pilfer login information stored within popular web browsers. The group has implemented at least three distinct variants of this stealer, showcasing adaptability to different target environments. Variant A specifically targets Google Chrome, while Variant B focuses on Microsoft Edge. A third variant, Variant C, demonstrates broader applicability by supporting multiple Chromium-based browsers, including Brave and Opera. This flexibility allows attackers to harvest credentials regardless of the specific browser employed by users on compromised systems.
The browser credential stealer works in several stages. It first copies the target browser’s login database and configuration files into temporary locations on the infected system. It then relies on built-in Windows security features to decrypt the stored passwords: the encrypted master key is read from the browser’s configuration file and unwrapped with functions from the Windows Data Protection API (DPAPI), after which the stored entries can be decrypted and reassembled into complete login records containing usernames and passwords. Once this highly sensitive information has been gathered, the malware writes the harvested credentials into hidden system folders, staging them for exfiltration to attacker-controlled servers.
This advanced capability, when combined with other functionalities such as keylogging and clipboard monitoring, indicates a shift in HoneyMyte’s operational strategy. It suggests a move beyond traditional espionage and towards a more active and pervasive surveillance of victim systems. The group’s persistent refinement of its malware, particularly the CoolClient backdoor and the browser stealer, highlights its determination and ongoing threat to governmental entities.
Security analysts have noted that the malware is usually delivered through DLL sideloading: a malicious DLL is placed where a legitimate, trusted executable will load it in place of the library it expects, so the malicious code runs under the cover of a benign, often signed, process and is harder to detect. The malware has been observed in numerous countries, including Myanmar, Mongolia, Malaysia, Russia, and Pakistan. Between 2021 and 2025, HoneyMyte was documented abusing legitimate applications from well-known vendors such as Bitdefender, VLC Media Player, and Sangfor to execute its malicious payloads. Because the host process is a legitimate application, malicious activity becomes harder to distinguish from normal system operations.
Given these ongoing threats, organizations operating within government sectors are strongly advised to implement robust detection measures. Maintaining vigilant monitoring for any signs of CoolClient backdoor infections, the presence of browser stealer activity, and related malware families employed by this determined threat actor is crucial. The continuous evolution of HoneyMyte’s tactics and tools necessitates a proactive and adaptive defense strategy to counter their persistent cyber espionage campaigns.
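As an added illustration of the stealer mechanism described above and of the detection measures recommended here (example code, not from the original report or from any vendor’s tooling): a small Python detector that correlates constructed file-access events and flags any non-browser process that reads Chromium’s credential database or the configuration file holding the DPAPI-protected key and then writes to a temp or hidden folder. The file names "Login Data" and "Local State" come from Chromium’s on-disk layout rather than from the page; the event sample, paths and process names are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of file-access events (process, action, path) in the shape a
# file-monitoring sensor would emit; illustrative only, not captured telemetry.
# "vlc.exe" stands in for a legitimate application abused as a sideloading host.
EVENTS = [
    ("chrome.exe", "read", r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("svchost.exe", "read", r"C:\Windows\System32\drivers\etc\hosts"),
    ("vlc.exe", "read", r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Local State"),
    ("vlc.exe", "read", r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("vlc.exe", "write", r"C:\Users\u\AppData\Local\Temp\ld.tmp"),
    ("vlc.exe", "write", r"C:\ProgramData\.cache\out.dat"),
    ("msedge.exe", "read", r"C:\Users\u\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"),
]

# Processes legitimately expected to touch their own credential stores.
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe"}

# Chromium's credential database and the JSON file that holds the DPAPI-wrapped key.
SENSITIVE_FILES = re.compile(r"\\User Data\\(Default\\Login Data|Local State)$", re.IGNORECASE)

# Staging locations: a Temp directory, or any dot-prefixed (hidden-style) folder in the path.
STAGING_PATH = re.compile(r"\\Temp\\|\\\.[^\\]+\\", re.IGNORECASE)


def find_stealer_candidates(events):
    """Return {process: {"read": [...], "staged": [...]}} for every non-browser process
    that both read a browser credential file and wrote into a staging location."""
    per_proc = defaultdict(lambda: {"read": [], "staged": []})
    for proc, action, path in events:
        if proc.lower() in BROWSER_PROCESSES:
            continue  # the browser reading its own store is expected behaviour
        if action == "read" and SENSITIVE_FILES.search(path):
            per_proc[proc]["read"].append(path)
        elif action == "write" and STAGING_PATH.search(path):
            per_proc[proc]["staged"].append(path)
    # Require both halves of the pattern to cut down on single-event false positives.
    return {p: v for p, v in per_proc.items() if v["read"] and v["staged"]}


if __name__ == "__main__":
    for proc, hits in find_stealer_candidates(EVENTS).items():
        print(f"ALERT {proc}: read {len(hits['read'])} credential file(s), "
              f"staged {len(hits['staged'])} file(s): {hits['staged']}")
```

In production the same correlation would be keyed on process ID and bounded by a time window rather than on process name alone.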