Kaspersky’s Global Research and Analysis Team (GReAT) experts have observed that the HoneyMyte APT enhanced the CoolClient backdoor with new features, deployed several variants of a browser login data stealer and used multiple scripts for data theft and reconnaissance. The APT’s latest campaigns targeted Myanmar, Mongolia, Malaysia, Thailand and Russia, with a particular focus on the government sector.
The latest version of the CoolClient backdoor, observed by Kaspersky experts across multiple HoneyMyte campaigns, is frequently deployed as a secondary backdoor alongside PlugX and LuminousMoth. The backdoor relies primarily on DLL side-loading as its execution mechanism, which requires a legitimate, digitally signed executable to load a malicious DLL. Between 2021 and 2025 the threat actor abused signed binaries from multiple legitimate software products, with the most recent campaigns leveraging a signed application from Sangfor. The latest enhancements introduce clipboard monitoring and active window tracking: the backdoor captures clipboard contents together with the active application’s window title, process ID and timestamp, which lets the threat actor track user activity and the context of the copied data.
CoolClient has also been enhanced with the capability to extract HTTP proxy credentials from network traffic, a technique newly observed in HoneyMyte’s malware. The research also identified several CoolClient plugins in active use, indicating that the tool supports extensible functionality through custom plugins. In several espionage campaigns, HoneyMyte used scripts to collect system information, exfiltrate documents and harvest browser-stored credentials. The threat actor also used a new version of its Chrome credential-stealing malware during post-exploitation, which shows significant code similarities to samples from the ToneShell campaign.
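The side-loading precondition described above (a legitimate signed executable loading a malicious DLL placed beside it) can be turned into a triage rule over image-load telemetry. The following is an added example, not code from Kaspersky or from the report; the record schema and field names are assumptions, loosely modelled on Sysmon image-load (Event ID 7) fields, and the sample records are constructed placeholders.

```python
from dataclasses import dataclass
import ntpath

@dataclass
class ImageLoad:
    process_image: str    # executable that loaded the module (assumed field)
    loaded_image: str     # DLL that was loaded (assumed field)
    process_signer: str   # publisher of the executable's signature ("" if unsigned)
    dll_signer: str       # publisher of the DLL's signature ("" if unsigned)

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def is_side_load_candidate(ev: ImageLoad) -> bool:
    """A signed executable loads, from its own directory (outside the Windows
    system directories), a DLL that is unsigned or signed by a different
    publisher: the precondition the text describes for CoolClient's loader."""
    proc = ev.process_image.lower()
    dll = ev.loaded_image.lower()
    if not ev.process_signer:                        # host process must be signed
        return False
    if ntpath.dirname(dll) != ntpath.dirname(proc):  # DLL must sit beside the host
        return False
    if dll.startswith(SYSTEM_DIRS):                  # ordinary OS loads are expected
        return False
    return ev.dll_signer.lower() != ev.process_signer.lower()

def triage(events):
    """Return loaded_image paths of candidate side-loads, in telemetry order."""
    return [ev.loaded_image for ev in events if is_side_load_candidate(ev)]
def sample_events():
    """Constructed telemetry; paths and publisher names are placeholders."""
    return [
        # benign: signed app loads a signed OS DLL from System32
        ImageLoad(r"C:\Program Files\VendorApp\app.exe",
                  r"C:\Windows\System32\kernel32.dll", "Vendor Co", "Microsoft Windows"),
        # benign: signed app loads its own signed component
        ImageLoad(r"C:\Program Files\VendorApp\app.exe",
                  r"C:\Program Files\VendorApp\ui.dll", "Vendor Co", "Vendor Co"),
        # suspicious: signed app copied to ProgramData loads an unsigned DLL beside it
        ImageLoad(r"C:\ProgramData\Updater\app.exe",
                  r"C:\ProgramData\Updater\helper.dll", "Vendor Co", ""),
        # suspicious: signed app loads a DLL signed by a different publisher
        ImageLoad(r"C:\Users\Public\tool.exe",
                  r"C:\Users\Public\loader.dll", "Vendor Co", "Other Publisher"),
        # unsigned host process: not this pattern, left to other rules
        ImageLoad(r"C:\Users\Public\dropper.exe", r"C:\Users\Public\x.dll", "", ""),
    ]

if __name__ == "__main__":
    print(triage(sample_events()))
```

Signed executables that legitimately ship unsigned helper DLLs will also match, so the rule is a triage filter to be combined with publisher allow-lists and the process's expected install path, not a standalone alert.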
“With capabilities such as keylogging, clipboard monitoring, proxy credential theft, document exfiltration, browser credential harvesting and large-scale file theft, active surveillance is now a standard tactic in the APT playbook, demanding the same level of preparedness and proactive defense as traditional threats like data exfiltration and persistence,” said Fareed Radzi, security researcher at Kaspersky GReAT.
Detailed information is available on Securelist.
To stay protected from HoneyMyte and other APTs, organizations are advised to follow these best practices:
- Remain highly vigilant against the deployment of HoneyMyte’s toolset, including the CoolClient backdoor, as well as related malware families such as PlugX, ToneShell, Qreverse and LuminousMoth.
- To protect the company against a wide range of threats, use solutions from the Kaspersky Next product line that provide real-time protection, threat visibility, investigation and the response capabilities of EDR and XDR for organizations of any size and industry. Depending on your current needs and available resources, you can choose the most relevant product tier and easily migrate to another one if your cybersecurity requirements change.
- Adopt managed security services by Kaspersky such as Compromise Assessment, Managed Detection and Response (MDR) and/or Incident Response, covering the entire incident management cycle – from threat identification to continuous protection and remediation. They help to protect against evasive cyberattacks, investigate incidents and provide additional expertise even if a company lacks cybersecurity staff.
- Provide your InfoSec professionals with in-depth visibility into cyberthreats targeting your organization. The latest Kaspersky Threat Intelligence provides them with rich and meaningful context across the entire incident management cycle and helps them identify cyber risks in a timely manner.
About the Global Research & Analysis Team
Established in 2008, the Global Research & Analysis Team (GReAT) operates at the very heart of Kaspersky, uncovering APTs, cyber-espionage campaigns, major malware, ransomware and underground cyber-criminal trends across the world. Today GReAT consists of 35+ experts working globally – in Europe, Russia, Latin America, Asia and the Middle East. These security professionals provide company leadership in anti-malware research and innovation, bringing unrivaled expertise, passion and curiosity to the discovery and analysis of cyberthreats.