Kaspersky Flags New HoneyMyte APT Campaigns With Enhanced CoolClient Backdoor
Kaspersky has identified new cyber-espionage campaigns linked to the HoneyMyte advanced persistent threat (APT) group, revealing expanded capabilities in its CoolClient backdoor and the deployment of new credential-stealing tools, according to findings from the company's Global Research and Analysis Team (GReAT).
The latest campaigns targeted organizations in Myanmar, Mongolia, Malaysia, Thailand, and Russia, with government entities identified as the primary focus.
CoolClient backdoor gains surveillance upgrades
Kaspersky researchers observed that HoneyMyte has enhanced its CoolClient backdoor with new surveillance features, including clipboard monitoring and active window tracking. These additions allow attackers to capture copied content along with application window titles, process IDs, and timestamps—giving them deeper visibility into user behavior and the context of stolen data.
The updated CoolClient has frequently been deployed as a secondary backdoor, alongside known malware families such as PlugX and LuminousMoth.
DLL side-loading and abuse of trusted software
The backdoor continues to rely on DLL side-loading as its execution method: a malicious DLL is placed where a legitimate, digitally signed executable will load it in place of the library it expects, so the malicious code runs inside a trusted, signed process. Between 2021 and 2025, HoneyMyte abused signed binaries from multiple trusted software vendors.
In its most recent activity, the group leveraged a signed application from Sangfor, continuing a trend of abusing trusted, signed software to evade detection. No vulnerability in the abused software is involved; the technique relies on the loader's DLL search order and on defenders trusting the signed host process.
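The side-loading pattern described above has a recognisable shape in endpoint telemetry: a DLL that is unsigned, or that carries the name of a well-known system library, gets loaded from the directory of an executable sitting outside the standard program locations. The following detection sketch is an added example, not code from the article or from Kaspersky; it runs over a handful of constructed Sysmon ImageLoad (Event ID 7) records, and the trusted-root and system-DLL lists are illustrative assumptions to be tuned per environment.

```python
"""Flag DLL side-loading candidates in Sysmon-style ImageLoad (Event ID 7) records.

Added example; the event records below are constructed, not real telemetry,
and the TRUSTED_ROOTS / SYSTEM_DLL_NAMES lists are illustrative assumptions.
"""
import ntpath
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Directories where a vendor binary loading its own helper DLLs is unremarkable.
TRUSTED_ROOTS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# DLL names that normally resolve from System32. The same name appearing beside
# a third-party executable is the classic side-loading shape (assumed list).
SYSTEM_DLL_NAMES = {
    "version.dll", "dbghelp.dll", "wininet.dll", "userenv.dll",
    "cryptsp.dll", "profapi.dll", "msimg32.dll",
}


@dataclass
class Finding:
    process: str
    dll: str
    reason: str


def _norm(path: str) -> str:
    """Normalise a Windows path for comparison (works on any host OS via ntpath)."""
    return ntpath.normpath(path).lower()


def _under_trusted_root(directory: str) -> bool:
    # Append a separator so "c:\program files" matches "c:\program files\" exactly.
    with_sep = directory.rstrip("\\") + "\\"
    return any(with_sep.startswith(root) for root in TRUSTED_ROOTS)


def check_image_load(event: dict) -> Optional[Finding]:
    """Return a Finding if one Event ID 7 record looks like side-loading, else None.

    Sysmon's Signed/SignatureStatus fields describe the loaded image (the DLL),
    not the host process, so the host executable's signature is not checked here.
    """
    image = _norm(event["Image"])
    dll = _norm(event["ImageLoaded"])
    dll_dir = ntpath.dirname(dll)
    dll_name = ntpath.basename(dll)
    dll_signed_ok = (
        event.get("Signed", "false").lower() == "true"
        and event.get("SignatureStatus", "").lower() == "valid"
    )

    if _under_trusted_root(dll_dir):
        return None  # standard program/system location: out of scope for this heuristic
    if dll_name in SYSTEM_DLL_NAMES:
        return Finding(image, dll, f"system DLL name {dll_name} resolved outside System32")
    if dll_dir == ntpath.dirname(image) and not dll_signed_ok:
        return Finding(image, dll, "unsigned DLL loaded from the executable's own directory")
    return None


def scan(events: Iterable[dict]) -> List[Finding]:
    return [f for f in (check_image_load(e) for e in events) if f is not None]


# Constructed sample records (field names follow Sysmon Event ID 7).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Roaming\Vendor\updater.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\Vendor\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\alice\AppData\Roaming\Vendor\updater.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Program Files\Vendor\tool.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\ProgramData\cache\svc.exe",
     "ImageLoaded": r"C:\ProgramData\cache\core.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding.process} -> {finding.dll}: {finding.reason}")
```

The first and fourth sample records are flagged; the System32 load and the Program Files helper are not. Because Event ID 7 only carries signature fields for the loaded image, confirming that the host process itself is a signed vendor binary (the part of the technique the article stresses) requires joining on the matching Event ID 1 process-creation record.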
New techniques for credential and data theft
Kaspersky also identified a new CoolClient capability that allows the extraction of HTTP proxy credentials from network traffic, a technique not previously seen in HoneyMyte operations.
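The article does not say which proxy authentication scheme CoolClient harvests. To show why credentials can be lifted from traffic at all, the following added example (not code from the article or from Kaspersky) assumes the common case of HTTP Basic proxy authentication sent to a forward proxy in cleartext: the Proxy-Authorization header carries the username and password in reversible base64, so anything that can read the stream can read the password. The sample requests are constructed, and the parser handles header-only requests only (CONNECT and body-less GET), ignoring Content-Length.

```python
"""Recover proxy credentials from a cleartext HTTP request stream.

Added example with a constructed traffic sample; it assumes HTTP Basic
proxy authentication, which the article does not specify for CoolClient.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProxyCred:
    method: str
    target: str
    scheme: str           # Basic, Negotiate, NTLM, ...
    username: Optional[str]
    password: Optional[str]


# Header name is case-insensitive; value is "<scheme> <token>".
_PROXY_AUTH_RE = re.compile(rb"^proxy-authorization:\s*(\S+)\s+(\S+)\s*$", re.I | re.M)


def extract_proxy_credentials(stream: bytes) -> List[ProxyCred]:
    """Walk a client-to-proxy byte stream and report every Proxy-Authorization header.

    Basic tokens are decoded to username/password; other schemes (Negotiate/NTLM)
    are challenge-response tokens and are recorded without a recovered password.
    Requests are assumed to be header-only, so the stream is split on the blank line.
    """
    results: List[ProxyCred] = []
    for head in stream.split(b"\r\n\r\n"):
        if not head.strip():
            continue
        request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
        parts = request_line.split()
        method, target = (parts[0], parts[1]) if len(parts) >= 2 else ("?", "?")
        match = _PROXY_AUTH_RE.search(head)
        if match is None:
            continue
        scheme = match.group(1).decode("latin-1")
        token = match.group(2)
        username = password = None
        if scheme.lower() == "basic":
            try:
                decoded = base64.b64decode(token, validate=True).decode("latin-1")
            except ValueError:      # binascii.Error is a ValueError: malformed token
                continue
            username, _, password = decoded.partition(":")
        results.append(ProxyCred(method, target, scheme, username, password))
    return results


# --- constructed sample traffic (not a real capture) -------------------------
def _basic(user: str, pw: str) -> str:
    return base64.b64encode(f"{user}:{pw}".encode("latin-1")).decode()


def _request(*lines: str) -> bytes:
    return b"\r\n".join(line.encode("latin-1") for line in lines) + b"\r\n\r\n"


SAMPLE_STREAM = (
    _request("CONNECT mail.example.internal:443 HTTP/1.1",
             "Host: mail.example.internal:443",
             "Proxy-Authorization: Basic " + _basic("alice", "Winter2025!"))
    + _request("GET http://intranet.example.internal/ HTTP/1.1",
               "Host: intranet.example.internal",
               "Proxy-Authorization: Basic " + _basic("svc-backup", "Backup#1"))
    # A Negotiate (NTLMSSP type 1) token: no password is recoverable by decoding alone.
    + _request("GET http://intranet.example.internal/status HTTP/1.1",
               "Host: intranet.example.internal",
               "Proxy-Authorization: Negotiate "
               + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(8)).decode())
)

if __name__ == "__main__":
    for cred in extract_proxy_credentials(SAMPLE_STREAM):
        print(f"{cred.method} {cred.target}: {cred.scheme} "
              f"user={cred.username!r} password={cred.password!r}")
```

Run against a mirror of your own proxy-bound traffic, a non-empty result with a populated password field means the proxy is accepting Basic credentials without TLS between client and proxy; the fix on the defender's side is Kerberos/Negotiate authentication to the proxy or TLS to the proxy, not a detection rule.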
In addition, the threat actor deployed multiple scripts during post-exploitation stages to collect system information, steal documents, and harvest browser-stored credentials. Researchers noted that a newly observed Chrome credential stealer showed code similarities to malware used in the ToneShell campaign, suggesting possible shared development or reuse of tooling.
The presence of several active CoolClient plugins further indicates that the malware supports modular and extensible functionality, allowing attackers to adapt capabilities depending on the target.
Active surveillance now standard in APT operations
“With capabilities such as keylogging, clipboard monitoring, proxy credential theft, document exfiltration, browser credential harvesting and large-scale file theft, active surveillance is now a standard tactic in the APT playbook,” said Fareed Radzi, security researcher at Kaspersky GReAT.
He added that such techniques now demand the same level of preparedness as traditional threats like data exfiltration and persistence.
Kaspersky published a full technical breakdown of the findings on Securelist, as part of its ongoing monitoring of state-aligned and espionage-focused threat groups.
