
Mustang Panda: Evolution of the CoolClient Backdoor

Mustang Panda is a persistent, China-aligned cyber-espionage collective active since at least 2012, primarily targeting the economic data of national governments and critical infrastructure operators. In recent years, researchers have documented a significant pivot from simple data collection to active surveillance.

Threat alert
January 28, 2026

Their revamped toolset focuses on real-time user monitoring, utilising legitimate cloud services and tools like cURL to exfiltrate harvested credentials and sensitive documents while bypassing traditional network defences.

The modern CoolClient backdoor is defined by a modular, four-stage execution chain designed to minimise its forensic footprint:

  • libngs.dll (Initial Loader): Serves as the primary entry point, typically executed via DLL side-loading using legitimate signed binaries from vendors like Sangfor or Bitdefender.
  • loader.dat (Second-Stage Orchestrator): Decrypted by the initial loader, this stage contains shellcode for environmental reconnaissance and initial process injection.
  • time.dat (Encrypted Configuration): Stores C2 server details and beaconing intervals; it is only decrypted in-memory during the initialisation phase.
  • main.dat (Third-Stage Core): The final payload containing core features such as keylogging, file tunneling, and a reverse proxy.

Legitimate Executable                | Original Software Provider | Malicious DLL Module | Primary Function
-------------------------------------|----------------------------|----------------------|----------------------
Sang.exe                             | Sangfor Solutions          | libngs.dll           | COOLCLIENT Loader
qutppy.exe                           | Bitdefender                | [Varies]             | Payload Staging
googleupdate.exe                     | VLC Media Player (Renamed) | libvlc.dll           | Side-loading Stager
olreg.exe                            | Ulead PhotoImpact          | [Varies]             | Persistence Mechanism
Maduro to be taken to New York.exe   | Tencent KuGou (Renamed)    | kugou.dll            | LOTUSLITE Backdoor
fsstm.exe                            | F-Secure                   | fspmapi.dll          | Rainyday Loader

While earlier variants commonly targeted "winver.exe", recent campaigns increasingly use process hollowing to inject shellcode into a newly created "write.exe" process. The new iteration of CoolClient uses a sophisticated suite of command plugins, each mapped to a specific command ID sent from the command-and-control (C2) server.

Mustang Panda has also refined its privilege escalation and persistence strategies:

  • Privilege Escalation: If the current user has administrative rights, the malware uses the "passuac" parameter to bypass User Account Control (UAC) by leveraging the CMSTPLUA COM interface or the AppInfo RPC service.
  • Masquerading: It spoofs Process Environment Block (PEB) information to masquerade as "svchost.exe" and establishes persistence via the AdobelmdyU registry key or a scheduled task named ComboxResetTask.
  • Surveillance Plugins: A robust plugin framework allows the dynamic loading of modules like FileMgrS.dll (File Management), ServiceMgrS.dll (Service Management), and RemoteShellS.dll (Interactive Shell).

The latest variants incorporate features matching state-sponsored spyware standards:

  • Active Window Monitoring: Uses GetWindowTextW and GetClipboardData to capture user context, such as passwords copied from browsers or sensitive document titles.
  • Credential Sniffing: Creates dedicated threads to intercept raw network traffic and extract HTTP proxy credentials from packets.
  • Infostealer Integration: Deploys specific modules to harvest saved login data from Google Chrome, Microsoft Edge, and other Chromium-based browsers.

Recommendations

  • Process Monitoring: Watch for unusual child processes of write.exe or winver.exe that exhibit network activity or unexpected API calls such as GetClipboardData.
  • Audit DLL Side-Loading: Implement strict application control policies that only allow binaries signed by trusted vendors and restrict the directories from which these binaries can load DLLs.
  • Restrict cURL and Cloud Uploads: Implement Data Loss Prevention (DLP) rules to monitor or block the use of curl.exe for uploading files to public cloud storage.
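As an added example (not from this alert or from the CoolClient tooling), the following Python applies two of the recommendations above to constructed Sysmon-style telemetry: it pairs the legitimate host binaries from the side-loading table with their malicious DLLs and flags a load of that DLL from outside the Windows system directories, and it flags any network connection made by the write.exe or winver.exe hollowing hosts. The event tuple layout and all paths, PIDs and addresses are constructed for illustration.

```python
# Added example, not from the alert or from CoolClient itself; events below are constructed.
# Legitimate binary -> side-loaded DLL pairs, taken from the table in the alert.
SIDELOAD_PAIRS = {
    "sang.exe": "libngs.dll",
    "googleupdate.exe": "libvlc.dll",
    "fsstm.exe": "fspmapi.dll",
    "maduro to be taken to new york.exe": "kugou.dll",
}
# Processes the alert names as hollowing targets for injected shellcode.
HOLLOWING_HOSTS = {"write.exe", "winver.exe"}
# DLL loads from these directories are treated as expected; anything else is suspicious.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed Sysmon-style events: (event_id, pid, image, detail)
# event 3 = network connection (detail = destination), 7 = image loaded (detail = DLL path)
SAMPLE_EVENTS = [
    (7, 4120, r"C:\Users\alice\AppData\Local\Temp\Sang.exe",
     r"C:\Users\alice\AppData\Local\Temp\libngs.dll"),
    (3, 4188, r"C:\Windows\System32\write.exe", "203.0.113.10:443"),
    (3, 4200, r"C:\Windows\System32\notepad.exe", "198.51.100.7:80"),
    # Genuine VLC loading its own library: not in the pairing table, so no finding.
    (7, 4300, r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     r"C:\Program Files\VideoLAN\VLC\libvlc.dll"),
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, process, detail) tuples for events matching the alert's indicators."""
    findings = []
    for event_id, pid, image, detail in events:
        proc = basename(image)
        if event_id == 7:
            dll = basename(detail)
            dll_dir = detail.lower()[: -len(dll)]
            # A known legitimate host binary loading its paired DLL from outside the
            # Windows system directories matches the side-loading pattern in the table.
            if SIDELOAD_PAIRS.get(proc) == dll and not dll_dir.startswith(SYSTEM_DIRS):
                findings.append(("dll_sideload", pid, proc, dll))
        elif event_id == 3 and proc in HOLLOWING_HOSTS:
            # Stock write.exe / winver.exe have no reason to open network connections.
            findings.append(("hollowed_host_network", pid, proc, detail))
    return findings
```

Running detect(SAMPLE_EVENTS) yields one dll_sideload finding for Sang.exe and one hollowed_host_network finding for write.exe; the notepad.exe connection and the genuine VLC library load produce nothing.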