HoneyMyte updates CoolClient and deploys multiple stealers in recent campaigns

Source: Securelist (Kaspersky) securelist.com/honeymyte…

Over the past several years, researchers have monitored the espionage activities of HoneyMyte, also known as Mustang Panda or Bronze President, across Asia and Europe, with Southeast Asia identified as the most heavily targeted region. Government entities remain the primary targets of the group’s operations.

As an advanced persistent threat (APT) group, HoneyMyte employs a diverse and sophisticated toolset to support its campaigns. Known tooling includes ToneShell, PlugX, Qreverse, and CoolClient backdoors, as well as Tonedisk and SnakeDisk USB worms, among others.

In 2025, HoneyMyte was observed modernizing its capabilities by enhancing the CoolClient backdoor with additional functionality, deploying multiple variants of browser credential stealers, and leveraging a range of scripts designed to support data theft and reconnaissance activities.

Edward Kiledjian @ekiledjian