CoolClient backdoor updated, new data stealing tools used
Essential information
- Published
- 27/01/2026 11:49
- Modified
- 27/01/2026 16:15
- Tags
- 2026-01-27 apt backdoor coolclient credential stealing data theft government luminousmoth plugx qreverse southeast asia toneshell
- Related entities
- 4 observables, 1 intrusion sets (apt), 17 techniques (mitre), 6 malware, 10 others
Description
The HoneyMyte APT group has enhanced its toolset with an updated CoolClient backdoor and new data stealing capabilities. The group targeted government entities in Asia and Europe, particularly Southeast Asia. CoolClient now features clipboard monitoring, HTTP proxy credential sniffing, and plugin support for extended functionality. HoneyMyte also deployed browser login data stealers and document theft scripts. The campaign's focus has shifted towards active surveillance, including keylogging, clipboard data collection, and proxy credential harvesting. Organizations are advised to remain vigilant against HoneyMyte's evolving toolkit, which includes CoolClient, PlugX, ToneShell, Qreverse, and LuminousMoth malware families.