New HoneyMyte APT campaigns, toolset uncovered

2026-02-20

Kaspersky’s Global Research and Analysis Team (GReAT) experts observed that HoneyMyte APT has enhanced the CoolClient backdoor with new features, deployed several variants of a browser login data stealer and used multiple scripts for data theft and reconnaissance.

The APT’s latest campaigns targeted Myanmar, Mongolia, Malaysia, Thailand and Russia, with a particular focus on the government sector.

The latest version of the CoolClient backdoor, observed by Kaspersky experts across multiple HoneyMyte campaigns, is frequently deployed as a secondary backdoor alongside PlugX and LuminousMoth.

The backdoor relies primarily on DLL side-loading as its execution mechanism, which requires a legitimate, digitally signed executable to load a malicious DLL.

Between 2021 and 2025, the threat actor abused signed binaries from multiple legitimate software products, with the most recent campaigns leveraging a signed application from Sangfor. The latest enhancements introduce clipboard monitoring and active window tracking: this feature captures clipboard contents together with the active application’s window title, process ID and timestamp, allowing the threat actor to track user activity and the context of copied data.
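The side-loading pattern described above (a signed, legitimate executable loading an unsigned DLL placed beside it) is also a detectable one. The following is an added example of defender-side detection logic, not code from Kaspersky, the HoneyMyte toolset or any of the products named on this page. It assumes Sysmon ImageLoad (Event ID 7) telemetry already parsed into dicts carrying the standard `Image`, `ImageLoaded`, `Signed` and `SignatureStatus` fields, and models the signature status of the loading process (which Event ID 7 itself does not carry) as a constructed lookup that would in practice come from process-creation telemetry or a software inventory. All paths and file names in the sample events are constructed placeholders, not indicators.

```python
"""Flag DLL side-loading candidates in Sysmon ImageLoad (Event ID 7) telemetry.

Added example (not Kaspersky's or HoneyMyte's code). Assumptions: events are
dicts using the Sysmon field names Image, ImageLoaded, Signed and
SignatureStatus; whether the loading *process* image is signed comes from a
separate source (process-creation telemetry or an inventory), modelled here
by a constructed lookup table.

Heuristic: a signed process loads a DLL that is unsigned or has an invalid
signature, the DLL sits in the same directory as the process image, and that
directory is not a standard Windows system location.
"""
from pathlib import PureWindowsPath
from typing import Callable, Iterable

# Directories where Windows legitimately resolves DLLs next to the executable.
SYSTEM_DIRS = [PureWindowsPath(p) for p in (
    r"C:\Windows\System32", r"C:\Windows\SysWOW64", r"C:\Windows\WinSxS",
)]


def under_system_dir(path: str) -> bool:
    """True if path is inside one of SYSTEM_DIRS (PureWindowsPath compares case-insensitively)."""
    p = PureWindowsPath(path)
    return any(p == d or d in p.parents for d in SYSTEM_DIRS)


def dll_is_trusted(event: dict) -> bool:
    """Sysmon reports Signed as the strings 'true'/'false' and SignatureStatus as e.g. 'Valid'."""
    return (event.get("Signed", "false").lower() == "true"
            and event.get("SignatureStatus", "") == "Valid")


def is_sideload_candidate(event: dict, process_is_signed: Callable[[str], bool]) -> bool:
    """Apply the heuristic above to one ImageLoad event."""
    image, dll = event["Image"], event["ImageLoaded"]
    same_dir = PureWindowsPath(image).parent == PureWindowsPath(dll).parent
    return (process_is_signed(image)
            and not dll_is_trusted(event)
            and same_dir
            and not under_system_dir(dll))


def find_sideload_candidates(events: Iterable[dict],
                             process_is_signed: Callable[[str], bool]) -> list:
    """Return the subset of events that match the side-loading heuristic."""
    return [e for e in events if is_sideload_candidate(e, process_is_signed)]


# Constructed sample telemetry; vendor, paths and file names are placeholders.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Public\Update\vendorapp.exe",          # signed app dropped in a user-writable dir
     "ImageLoaded": r"C:\Users\Public\Update\helper.dll",       # unsigned DLL beside it -> candidate
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\VendorApp\vendorapp.exe",      # same app in its normal install
     "ImageLoaded": r"C:\Program Files\VendorApp\helper.dll",   # companion DLL is signed -> ignored
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Windows\System32\svchost.exe",               # system binary loading from System32
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll",           # trusted and in a system dir -> ignored
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\alice\dev\tool.exe",                   # unsigned process loading its own plugin
     "ImageLoaded": r"C:\Users\alice\dev\plugin.dll",           # process not signed -> not side-loading
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

# Constructed stand-in for process-creation telemetry: lowercase image paths known to be signed.
SIGNED_PROCESS_IMAGES = {
    r"c:\users\public\update\vendorapp.exe",
    r"c:\program files\vendorapp\vendorapp.exe",
    r"c:\windows\system32\svchost.exe",
}


def sample_process_is_signed(image: str) -> bool:
    """Lookup against the constructed table above."""
    return image.lower() in SIGNED_PROCESS_IMAGES


if __name__ == "__main__":
    for hit in find_sideload_candidates(SAMPLE_EVENTS, sample_process_is_signed):
        print("side-loading candidate:", hit["Image"], "->", hit["ImageLoaded"])
```

The directory-equality test is what separates side-loading from ordinary plugin loading: a signed application loading its own signed companion DLLs, or a system binary loading from System32, passes through, while a signed executable copied into a user-writable directory next to an unsigned DLL is surfaced for triage. In a real deployment the `process_is_signed` callback would be backed by the endpoint's process-creation events or an application inventory, and the system-directory list would be extended to match the estate.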

CoolClient has also been enhanced with the capability to extract HTTP proxy credentials from network traffic, a technique not previously observed in HoneyMyte’s malware.

The research also identified several CoolClient plugins actively in use, indicating that the tool supports extensible functionality through custom plugins.

In several espionage campaigns, HoneyMyte used scripts to collect system information, exfiltrate documents and harvest browser-stored credentials. The threat actor also used a new version of Chrome credential-stealing malware during post-exploitation, which shows significant code similarities to samples from the ToneShell campaign.

“With capabilities such as keylogging, clipboard monitoring, proxy credential theft, document exfiltration, browser credential harvesting and large-scale file theft, active surveillance is now a standard tactic in the APT playbook, demanding the same level of preparedness and proactive defence as traditional threats like data exfiltration and persistence,” says Fareed Radzi, security researcher at Kaspersky GReAT.