CoolClient
CoolClient is a backdoor/loader family attributed to the China-linked espionage group Mustang Panda, also tracked as HoneyMyte, Fireant, Earth Preta, Bronze President, and Stately Taurus. It has been tied to Mustang Panda since at least 2022 and has been observed in sustained cyber-espionage operations against government entities and other high-value targets in Myanmar, Mongolia, Malaysia, Russia, Pakistan, France, and South America, as well as against a Southeast Asian government network; one report also linked it to intrusions against multiple telecom operators in an Asian country.
The malware is commonly delivered through DLL side-loading against legitimate signed software, including binaries from Sangfor, VLC Media Player, Bitdefender, and Ulead PhotoImpact. Reported loader chains pair a malicious DLL such as libvlc.dll or sangforvpnlibcrypto-1_1.dll with an encrypted payload file such as loader.ja, goopdate.ja, loader.dat, time.dat, or main.dat, and start execution through a legitimate host binary such as googleupdate.exe (a copy of the VLC player executable renamed to look like a Google component) or Sangfor VPN software. Unit 42 reported CoolClient loader samples at C:\ProgramData\GoogleUpdate\libvlc.dll and C:\Users\$USER$\AppData\LocalLow\Brother\PrtDrv\sangforvpnlibcrypto-1_1.dll, attempting to load an encrypted payload from c:\programdata\GoogleUpdate\loader.ja. Note that libvlc.dll and the Sangfor DLL are also legitimate file names, so the directory they are loaded from, not the name alone, is what makes these paths suspicious. The loader makes heavy use of anti-disassembly techniques, and some variants rely on the HP-Socket library for flexible multi-protocol client/server communications.
Core capabilities directly reported across the sources include file upload, download, and deletion, keystroke logging, clipboard monitoring, active window monitoring, packet tunneling, reverse proxy or reverse tunnel functionality, port map or port information capture, system and user profiling, and in-memory loading and execution of plugins. Reported plugin modules include FileMgrS.dll for file management, RemoteShellS.dll for remote shell access, and ServiceMgrS.dll for service management. Newer 2025 variants were reported to add browser login-data theft targeting Chrome, Edge, and other Chromium-based browsers, as well as HTTP proxy credential sniffing that parses raw TCP payloads and decodes Proxy-Authorization: Basic credentials (Basic authentication is only base64-encoded, so any process that can read the raw stream recovers the cleartext). One report states that captured clipboard and active-window data is XOR-encrypted with the single-byte key 0xAC and written to the benign-looking path C:\ProgramData\AppxProvisioning.xml; a single-byte XOR is trivially reversible, so the file can be decoded directly during forensic review.
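The following helpers are an added example, not CoolClient code and not taken from any vendor report. They show the two behaviours just described from the analyst's side: reversing the single-byte XOR (key 0xAC) on the clipboard/active-window log written to C:\ProgramData\AppxProvisioning.xml, and what a proxy credential sniffer recovers when it parses a raw TCP payload for Proxy-Authorization: Basic headers. The sources do not document the internal record layout of the XOR-encrypted log, so the sample plaintext, the CONNECT request, and the function names (xor_single_byte, decode_collected_log, extract_proxy_basic_credentials) are all constructed for illustration.

```python
"""Forensic helpers for two CoolClient behaviours (added example, constructed inputs)."""
import base64
import binascii
import re
from typing import List, Tuple

XOR_KEY = 0xAC  # single-byte key reported for the AppxProvisioning.xml artifact


def xor_single_byte(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with `key`. Single-byte XOR is its own inverse, so the
    same call both encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def decode_collected_log(blob: bytes, key: int = XOR_KEY) -> List[str]:
    """Decode an XOR-encrypted log blob and split it into non-empty text lines.
    Undecodable bytes are kept as escapes rather than dropped, so a wrong key
    shows up as garbage instead of an empty result."""
    plain = xor_single_byte(blob, key)
    return [ln for ln in plain.decode("utf-8", errors="backslashreplace").splitlines() if ln]


# One header per line; case-insensitive because clients vary in header casing.
_PROXY_AUTH = re.compile(
    rb"^Proxy-Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def extract_proxy_basic_credentials(tcp_payload: bytes) -> List[Tuple[str, str]]:
    """Return (user, password) pairs for every Proxy-Authorization: Basic header
    in a raw TCP payload. Basic auth is base64, not encryption, which is why a
    host-side sniffer recovers it. Malformed base64 is skipped, not raised."""
    creds = []
    for m in _PROXY_AUTH.finditer(tcp_payload):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", errors="replace")
        except (binascii.Error, ValueError):
            continue
        user, _, password = decoded.partition(":")
        creds.append((user, password))
    return creds


# --- constructed sample inputs (not real captures; record layout is assumed) ---
SAMPLE_LOG_PLAINTEXT = (
    b"[clip] 2025-01-01 10:00:00 password reset link ...\r\n"
    b"[win] notepad.exe - secrets.txt\r\n"
)
SAMPLE_ENCRYPTED_LOG = xor_single_byte(SAMPLE_LOG_PLAINTEXT)  # what would land on disk

SAMPLE_TCP_PAYLOAD = (
    b"CONNECT mail.example.com:443 HTTP/1.1\r\n"
    b"Host: mail.example.com:443\r\n"
    b"Proxy-Authorization: Basic " + base64.b64encode(b"alice:Passw0rd!") + b"\r\n"
    b"User-Agent: constructed-sample/1.0\r\n\r\n"
)

if __name__ == "__main__":
    for line in decode_collected_log(SAMPLE_ENCRYPTED_LOG):
        print("recovered:", line)
    for user, pw in extract_proxy_basic_credentials(SAMPLE_TCP_PAYLOAD):
        print(f"proxy credential: {user} / {pw}")
```

To use decode_collected_log on a real artifact, read C:\ProgramData\AppxProvisioning.xml in binary mode and pass the bytes; if the output is not readable text, the key or the reported layout does not apply to that sample and the file should be examined as an opaque blob instead.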
Persistence and privilege-related behaviors reported for newer variants include Run registry key persistence, installation of a service named media_updaten, creation of a scheduled task named ComboxResetTask, UAC bypass, and privilege escalation by duplicating an elevated process token. CoolClient typically communicates with command-and-control over TCP and can optionally use UDP. It has also been described as a secondary backdoor deployed alongside PlugX and LuminousMoth, and in some 2024-2025 activity it was reported to drop a previously unseen rootkit.
High-confidence indicators and artifacts mentioned in the sources include the files Sang.exe, libngs.dll, loader.dat, time.dat, main.dat, loader.ja, goopdate.ja, C:\ProgramData\GoogleUpdate\libvlc.dll, C:\Users\$USER$\AppData\LocalLow\Brother\PrtDrv\sangforvpnlibcrypto-1_1.dll, c:\programdata\GoogleUpdate\loader.ja, and C:\ProgramData\AppxProvisioning.xml, together with the service name media_updaten and the scheduled task name ComboxResetTask reported for newer variants.
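The hunt logic below is an added example, not vendor detection content, that runs the persistence and file artifacts named above over Sysmon-style endpoint events. The event shape (JSON dicts carrying EventID plus fields named Image, ImageLoaded, TargetFilename, ServiceName and TaskName), the rule names, and every sample event are constructed for illustration. The $USER$ placeholder in the Unit 42 path is handled by matching on the path tail, and libvlc.dll and sangforvpnlibcrypto-1_1.dll are matched only from their reported directories because the bare names also belong to legitimate software.

```python
"""Hunt for CoolClient host artifacts in Sysmon/Windows Security events (added example)."""
import json
import ntpath
from typing import List, Optional, Tuple

# Bare file names reported for the family. loader.dat/time.dat/main.dat are generic;
# in production pair them with process context before paging anyone.
IOC_FILE_NAMES = {
    "sang.exe", "libngs.dll", "loader.dat", "time.dat", "main.dat",
    "loader.ja", "goopdate.ja",
}
# Full paths reported by Unit 42 and the clipboard log; $USER$ is a placeholder,
# so only the tail after the user profile directory is compared.
IOC_PATH_TAILS = {
    r"\programdata\googleupdate\libvlc.dll",
    r"\appdata\locallow\brother\prtdrv\sangforvpnlibcrypto-1_1.dll",
    r"\programdata\googleupdate\loader.ja",
    r"\programdata\appxprovisioning.xml",
}
IOC_SERVICE_NAMES = {"media_updaten"}
IOC_TASK_NAMES = {"comboxresettask"}


def _norm(p: str) -> str:
    """Lower-case and normalise separators so comparisons are case-insensitive."""
    return p.replace("/", "\\").lower()


def _path_hit(p: str) -> bool:
    n = _norm(p)
    return ntpath.basename(n) in IOC_FILE_NAMES or any(n.endswith(t) for t in IOC_PATH_TAILS)


def evaluate_event(ev: dict) -> Optional[str]:
    """Return a rule name if the event matches a CoolClient artifact, else None.
    Event IDs: Sysmon 7 = image loaded, Sysmon 11 = file created,
    System 7045 / Security 4697 = service installed, Security 4698 = task created."""
    eid = ev.get("EventID")
    if eid == 7 and _path_hit(ev.get("ImageLoaded", "")):
        # googleupdate.exe is a renamed VLC binary that side-loads libvlc.dll
        if (ntpath.basename(_norm(ev.get("Image", ""))) == "googleupdate.exe"
                and ntpath.basename(_norm(ev["ImageLoaded"])) == "libvlc.dll"):
            return "coolclient_sideload_vlc_as_googleupdate"
        return "coolclient_loader_dll_loaded"
    if eid == 11 and _path_hit(ev.get("TargetFilename", "")):
        return "coolclient_file_artifact_written"
    if eid in (7045, 4697) and ev.get("ServiceName", "").lower() in IOC_SERVICE_NAMES:
        return "coolclient_service_persistence"
    if eid == 4698 and ntpath.basename(_norm(ev.get("TaskName", ""))) in IOC_TASK_NAMES:
        return "coolclient_scheduled_task_persistence"
    return None


def hunt(lines: List[str]) -> List[Tuple[str, str]]:
    """Evaluate JSON event lines and return (rule, matched value) for each hit."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        rule = evaluate_event(ev)
        if rule:
            detail = (ev.get("ImageLoaded") or ev.get("TargetFilename")
                      or ev.get("ServiceName") or ev.get("TaskName"))
            hits.append((rule, detail))
    return hits


# Constructed sample telemetry (not real logs). The second event is a genuine VLC
# install loading its own libvlc.dll and must not fire.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 7, "Image": r"C:\ProgramData\GoogleUpdate\googleupdate.exe",
                "ImageLoaded": r"C:\ProgramData\GoogleUpdate\libvlc.dll"}),
    json.dumps({"EventID": 7, "Image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
                "ImageLoaded": r"C:\Program Files\VideoLAN\VLC\libvlc.dll"}),
    json.dumps({"EventID": 11, "Image": r"C:\ProgramData\GoogleUpdate\googleupdate.exe",
                "TargetFilename": r"C:\ProgramData\AppxProvisioning.xml"}),
    json.dumps({"EventID": 7045, "ServiceName": "media_updaten",
                "ImagePath": r"C:\ProgramData\GoogleUpdate\googleupdate.exe"}),
    json.dumps({"EventID": 4698, "TaskName": r"\ComboxResetTask"}),
    json.dumps({"EventID": 4698, "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag"}),
]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

These names and paths are operator choices and change between campaigns, so hits are high confidence but low coverage; the side-loading pattern (a signed host binary running from ProgramData and loading a DLL from the same writable directory) is the more durable signal to build on.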
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories.
A critical pre-authentication remote code execution vulnerability, CVE-2025-15467 (CVSS 9.8), affects OpenSSL versions 3.0, 3.3, 3.4, 3.5, and 3.6. This is an automated correlation: none of the reporting summarized above describes CoolClient exploiting a vulnerability for access or lateral movement, and the documented delivery path is DLL side-loading through legitimate signed binaries. Treat the CVE link as unconfirmed until a source ties it to CoolClient activity.
Groups observed using it
2 distinct threat actors attributed by public researchers.
This includes a previously unreported cluster dubbed SteppeDriver that was first discovered in 2024 and has since targeted entities in France, Mongolia, and South America using tools like ShadowPad, COOLCLIENT, CurlyDoor, RudeGull, and MKTDownloader.
While TA416's attacks are characterized by the use of bespoke PlugX variants, the Mustang Panda cluster has repeatedly deployed tools like TONESHELL, PUBLOAD, and COOLCLIENT in recent attacks.
Techniques & procedures
11 distinct techniques documented for this family, organized by ATT&CK tactic. Several of the supporting excerpts attached below describe other Mustang Panda tooling (PUBLOAD, TrackBak, Masol RAT, EggStremeFuel) or unrelated frameworks rather than CoolClient itself; read those as cluster-level context, not as evidence of CoolClient behavior.
Execution
1 technique
"A version of the legitimate VLC Media Player masquerading as a Google file (googleupdate.exe) was used to sideload a Coolclient loader (file name: libvlc.dll)." / "The loader is sideloaded using a legitimate F-Secure executable named fsstm.exe." / "It is sideloaded using an executable called msproxy.exe..."
Privilege Escalation
1 technique
No excerpt attached; the summary above reports UAC bypass and elevation by duplicating an elevated process token.
Stealth
4 techniques
"The loader reads an encrypted payload..." / "decrypts the payload with a single byte XOR key... and executes it as shellcode" / "VMProtect obfuscations"
"This payload will in turn read a second encrypted payload from a file named goopdate.ja and inject it into the winver.exe process."
CoolClient loaders, which employed advanced anti-disassembly techniques to evade analysis
DLL side-loading, supported by the same googleupdate.exe, fsstm.exe, and msproxy.exe excerpts listed under Execution.
Credential Access
1 technique
No excerpt attached; the summary above reports browser login-data theft and HTTP proxy credential sniffing in 2025 variants.
Discovery
2 techniques
PUBLOAD encrypts data from the infected host, including: Volume info Computer name Username Tick count... TrackBak is an infostealer that performs the following activities: ... Gathering network information (these excerpts concern PUBLOAD and TrackBak, not CoolClient)
Collection
1 technique
No excerpt attached; the summary above reports keystroke logging, clipboard monitoring, and active window monitoring.
Command and Control
5 techniques
Variants of PUBLOAD use either HTTP or TCP for command-and-control (C2) communications. The sample we observed is a variant that uses TCP... Masol RAT... communicates with its C2 servers over HTTP POST... This malware uses Google Remote Procedure Call (gRPC) for C2 communication. (these excerpts concern PUBLOAD and Masol RAT, not CoolClient, which the summary above describes as using TCP with optional UDP)
"...PeckBirdy JavaScript C2 Framework"; "VoidLink... modular framework"; "DKnife AitM framework... implants..." (these excerpts concern other frameworks)
CoolClient could upload and delete files, route network traffic
CoolClient could upload and delete files... EggStremeFuel used RC4-encrypted C2 configs to upload/download files (the EggStremeFuel clause concerns a different tool)
CoolClient supports the following capabilities: ... Tunneling packets
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups; the full values are not reproduced on this page.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
17 sources tracked across advisories, community write-ups, and news.
A malware tool associated with the SteppeDriver cluster.
A named malware/tool repeatedly deployed by the Mustang Panda cluster in recent attacks.
A loader/backdoor tool with anti-disassembly features that can upload and delete files, route traffic, record keystrokes, and send port information, supporting data collection and movement through the network.
Backdoor attributed to Mustang Panda that supports file download/upload, keystroke recording, packet tunneling, and port map information capture.