Overview of CoolClient execution flow | Image: Kaspersky Labs
The persistent and sophisticated espionage group known as HoneyMyte (also tracked as Mustang Panda or Bronze President) has resurfaced with a dangerous new set of tools. A fresh report from Kaspersky Labs reveals that the group, notorious for targeting government entities across Asia and Europe, has significantly evolved its capabilities in 2025, shifting from simple document theft to active, invasive surveillance.
The group, which has long been a thorn in the side of cybersecurity defenders, has updated its signature CoolClient backdoor and adopted stealthy new exfiltration methods involving public file-sharing services.
For years, HoneyMyte has been synonymous with data theft. The latest findings, however, point to a change in the group's objectives: it is no longer just looking for files, it is watching users in real time.
“These tools indicate a shift toward the active surveillance of user activity that includes capturing keystrokes, collecting clipboard data, and harvesting proxy credentials,” the report states.
Scripts that log keystrokes and monitor the clipboard let the attackers capture sensitive material such as passwords and encryption keys at the moment it is typed or pasted, including secrets that are never written to disk and would therefore not be found by file-based collection.
Central to this new campaign is the evolution of the CoolClient backdoor. Originally identified in 2022, the tool has been retooled for 2025 with advanced features.
“In 2025, we observed HoneyMyte updating its toolset by enhancing the CoolClient backdoor with new features, deploying several variants of a browser login data stealer, and using multiple scripts designed for data theft and reconnaissance,” the report notes.
This updated variant has been spotted in active campaigns across Myanmar, Mongolia, Malaysia, and Russia, often serving as a “secondary backdoor” to ensure persistence if the primary infection is discovered.
Perhaps the most effective adaptation is how HoneyMyte now moves stolen data out of victim networks. Rather than sending it directly to an attacker-controlled command-and-control server, whose domain or IP address might be flagged, the group routes it through a legitimate public service so that the traffic blends in.
The report highlights a script that compresses the collected data and uploads it to Pixeldrain, a popular file-sharing site. “This approach highlights HoneyMyte’s shift toward using public file-sharing services to covertly exfiltrate sensitive data, especially browser login credentials”.
Because the upload goes to a well-known site over ordinary HTTPS, it is unlikely to be blocked outright and will not match reputation-based indicators, which is how the attackers can steal browser login data without tripping many network defenses. The practical counter is not a blocklist entry for one domain but a baseline of which hosts normally upload to file-sharing services at all, so that a workstation suddenly pushing compressed archives to such a site stands out.
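One way to surface this kind of exfiltration from web-proxy logs is shown below. This is an added example written for this article, not code from the Kaspersky report or from the attacker's toolkit; the Squid-style log format, the sample log lines, the list of file-sharing domains and the byte threshold are all constructed assumptions. The idea generalizes beyond Pixeldrain: any public file-sharing host receiving an unusual volume of POST/PUT traffic from a single client is worth a look.

```python
"""Flag clients that upload a suspicious volume of data to public file-sharing
services, based on web-proxy logs. Added example for illustration; the log
format, domain list and threshold below are assumptions, not from the report."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumption: public file-sharing services that can serve as exfiltration
# drops. Pixeldrain is the one named in the report; the others are common
# alternatives included for illustration.
FILE_SHARING_HOSTS = {
    "pixeldrain.com",
    "transfer.sh",
    "file.io",
    "anonfiles.com",
}

# Assumption: outbound bytes from one client to file-sharing hosts within the
# analysed batch above which we alert. Tune to your environment's baseline.
UPLOAD_BYTES_THRESHOLD = 512 * 1024

# Constructed Squid-like access log: epoch client method url status bytes_out
LOG_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"
    r"(?P<status>\d{3})\s+(?P<bytes_out>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = int(rec["ts"])
    rec["status"] = int(rec["status"])
    rec["bytes_out"] = int(rec["bytes_out"])
    rec["host"] = (urlparse(rec["url"]).hostname or "").lower()
    return rec


def is_file_sharing_host(host):
    """True for a listed domain or any subdomain of it (not look-alike suffixes)."""
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in FILE_SHARING_HOSTS)


def find_suspicious_uploads(lines, threshold=UPLOAD_BYTES_THRESHOLD):
    """Aggregate POST/PUT bytes per client to file-sharing hosts and return
    {client: {"bytes": n, "uploads": k, "hosts": {...}}} for clients at or
    above the threshold. Downloads (GET) are ignored: browsing a sharing site
    is normal, pushing data to it is the signal."""
    per_client = defaultdict(lambda: {"bytes": 0, "uploads": 0, "hosts": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in ("POST", "PUT"):
            continue
        if not is_file_sharing_host(rec["host"]):
            continue
        entry = per_client[rec["client"]]
        entry["bytes"] += rec["bytes_out"]
        entry["uploads"] += 1
        entry["hosts"].add(rec["host"])
    return {c: e for c, e in per_client.items() if e["bytes"] >= threshold}


# Constructed sample log. 10.0.5.40 pushes two compressed archives to
# Pixeldrain and a small file to transfer.sh; 10.0.5.21 only browses.
SAMPLE_LOG = """
1737000000 10.0.5.21 GET https://www.example.org/ 200 512
1737000005 10.0.5.21 GET https://pixeldrain.com/u/abcd1234 200 1200
1737000010 10.0.5.40 PUT https://pixeldrain.com/api/file/ldb.zip 201 734003
1737000011 10.0.5.40 PUT https://pixeldrain.com/api/file/ldb2.zip 201 402111
1737000012 10.0.5.21 POST https://mail.example.org/send 200 2048
1737000020 10.0.5.40 POST https://transfer.sh/ 200 10240
""".strip().splitlines()

if __name__ == "__main__":
    for client, info in find_suspicious_uploads(SAMPLE_LOG).items():
        print(f"{client}: {info['uploads']} uploads, {info['bytes']} bytes "
              f"to {sorted(info['hosts'])}")
```

Run against the constructed sample, only 10.0.5.40 is reported (three uploads, just over 1.1 MB). In production the same aggregation would run over a sliding window and be joined with endpoint telemetry, since the report describes the upload being performed by a script rather than a browser; a process name other than a browser making these requests is a stronger indicator still.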
While the technical upgrades are significant, the targets remain consistent with the group’s history of geopolitical espionage. “Over the past few years, we’ve been observing and monitoring the espionage activities of HoneyMyte… within Asia and Europe, with the Southeast Asia region being the most affected”.
Organizations, particularly those in the government sector, are urged to remain vigilant against this “sophisticated threat actor strategy designed to maintain persistent access”. Defenders should hunt for the CoolClient backdoor and for the related PlugX and ToneShell families the group has used in earlier campaigns, and should treat unexplained uploads to public file-sharing services from endpoints as a possible sign of the exfiltration technique described above.