📃Title: HoneyMyte updates CoolClient and deploys multiple stealers in recent campaigns
📅Date: 2026-01-27
🔗References:

🔖Rectifyq Taxonomies:

🔖MISP Galaxies:

  • producer Kaspersky
  • threat-actor MUSTANG-PANDA
  • sector="Government, Administration"
  • region="035 - South-eastern Asia"
  • target-information="Malaysia"
  • target-information="Mongolia"
  • target-information="Myanmar"
  • target-information="Pakistan"
  • target-information="Russia"
  • mitre-attack-pattern=['T1073', 'T1574.002', 'T1088', 'T1548.002', 'T1060', 'T1547.001', 'T1053.005', 'T1055', 'T1070', 'T1056.001']

MISP event uuid: 033d1a45-804d-43ad-b916-a942ecf806fa

Indicators of Compromise (IoCs)


Full IoCs available in Rectifyq's MISP