Full Report
Kaspersky researchers analyze updated CoolClient backdoor and new tools and scripts used in HoneyMyte (aka Mustang Panda or Bronze President) APT campaigns, including three variants of a browser data stealer.
Analysis Summary
# Threat Actor: HoneyMyte
## Attribution & Identity
The actor is identified as HoneyMyte. Known aliases include Mustang Panda and Bronze President.
## Activity Summary
The article summarizes analysis of recent HoneyMyte APT campaigns, focusing on an updated **CoolClient backdoor** and the deployment of new tools and scripts, specifically highlighting the use of **three variants of a browser data stealer**.
## Tactics, Techniques & Procedures
- Use of the updated **CoolClient backdoor**.
- Deployment of new tools and scripts.
- Implementation of browser data stealing capabilities.
- Specific MITRE ATT&CK IDs were not explicitly mentioned in the provided context snippet.
## Targeting
- Sectors: Not explicitly detailed in the context provided, but APT activity generally targets government, defense, and critical infrastructure entities.
- Geography: Not explicitly detailed in the context provided.
- Victims: Not explicitly detailed in the context provided.
## Tools & Infrastructure
- Malware families used:
  - **CoolClient** (updated variant).
  - Three variants of a **browser data stealer**.
- Infrastructure (C2, domains, IPs): None explicitly detailed in the context provided.
## Implications
HoneyMyte continues to actively develop and update its core malware infrastructure (CoolClient) while enhancing its data exfiltration capabilities, particularly targeting browser data, indicating a persistent focus on credential or sensitive information harvesting.
## Mitigations
- Organizations should prioritize detection and hardening measures against the CoolClient backdoor.
- Implement robust security monitoring for unauthorized data extraction activities focusing on browser profiles and storage.
- (Specific vendor recommendations from the full article would provide more targeted mitigations.)
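One concrete form the second mitigation can take is a detection rule over file-access telemetry that flags processes other than the browser itself reading browser credential and cookie stores, which is the kind of activity a browser data stealer produces. The example below is added here for illustration and is not code from the Kaspersky report or from any HoneyMyte tooling. The artefact filenames (Chromium's `Login Data`, `Cookies`, `Web Data`, `Local State`; Firefox's `logins.json`, `key4.db`, `cookies.sqlite`), the browser process names, the `ts|process|action|path` log format and the sample log lines are all assumptions constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Browser-profile artefacts that hold saved credentials, cookies or session data.
# Assumption: drawn from general knowledge of Chromium- and Firefox-based browsers,
# not from the report summarized above.
SENSITIVE_ARTEFACTS = {
    "login data", "cookies", "web data", "local state",   # Chromium family
    "logins.json", "key4.db", "cookies.sqlite",           # Firefox
}

# Processes expected to touch those files legitimately (assumption; tune per fleet).
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}

# Only care about the artefact names when they sit under a known browser profile tree.
PROFILE_DIR = re.compile(
    r"[\\/](google[\\/]chrome|microsoft[\\/]edge|mozilla[\\/]firefox|bravesoftware)[\\/]",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class FileEvent:
    ts: str
    process: str
    action: str   # e.g. "read", "copy"
    path: str


def parse_event(line):
    """Parse one constructed telemetry line of the form ts|process|action|path.
    Returns None for malformed lines so a bad record never aborts the sweep."""
    parts = line.strip().split("|", 3)
    if len(parts) != 4 or not all(parts):
        return None
    return FileEvent(*parts)


def is_browser_store(path):
    """True when the path names a sensitive artefact inside a browser profile tree."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return bool(PROFILE_DIR.search(path)) and name in SENSITIVE_ARTEFACTS


def detect(lines):
    """Return every event where a non-browser process touched a browser store."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if is_browser_store(ev.path) and ev.process.lower() not in BROWSER_PROCESSES:
            alerts.append(ev)
    return alerts


def stealer_candidates(alerts, min_artefacts=2):
    """Raise the bar from a single odd read to stealer-like behaviour: a process
    that reaches into at least `min_artefacts` distinct stores in the window."""
    touched = defaultdict(set)
    for ev in alerts:
        touched[ev.process.lower()].add(ev.path.replace("\\", "/").rsplit("/", 1)[-1].lower())
    return {proc: sorted(names) for proc, names in touched.items() if len(names) >= min_artefacts}


# Constructed sample telemetry (not real data): a benign browser read, unrelated
# system activity, a malformed line, and an updater-named process sweeping stores.
SAMPLE_LOG = [
    r"2024-05-01T10:00:01|chrome.exe|read|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"2024-05-01T10:02:14|svchost.exe|read|C:\Windows\System32\drivers\etc\hosts",
    r"garbage line without separators",
    r"2024-05-01T10:03:20|update.exe|copy|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"2024-05-01T10:03:21|update.exe|read|C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2.default\logins.json",
    r"2024-05-01T10:03:22|update.exe|read|C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2.default\key4.db",
    r"2024-05-01T10:05:00|firefox.exe|read|C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2.default\cookies.sqlite",
]


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for ev in hits:
        print(f"{ev.ts} {ev.process} {ev.action} {ev.path}")
    print("stealer-like:", stealer_candidates(hits))
```

The two-stage design matters in practice: a single non-browser read of a cookie store is noisy (backup agents and sync tools do it), whereas one process collecting several distinct credential and cookie stores within a short window is the pattern worth paging on. Feed the same rule from EDR file-access events or Sysmon-style telemetry in place of the constructed lines.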