Mustang Panda (COOLCLIENT) Espionage

BLUF

Mustang Panda, a China-aligned APT, is currently conducting a high-frequency espionage campaign leveraging an updated COOLCLIENT backdoor to exfiltrate sensitive data from government and critical infrastructure entities across Asia and Eastern Europe.

Executive Cost Summary

This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.

For organizations affected by sustained Mustang Panda espionage activity leveraging the COOLCLIENT backdoor and related tooling, total financial exposure is driven less by immediate system damage and more by prolonged response, investigation, and strategic remediation following covert data theft.

·       Low-end total cost: $750K – $1.5M

o   (limited dwell time, rapid detection, narrow data exposure)

·       Typical expected range: $2.5M – $6M

o   (multi-month persistence, sensitive data access, enterprise-wide response)

·       Upper-bound realistic scenarios: $8M – $15M

o   (extended espionage, regulatory scrutiny, long-term remediation required)

Key Cost Drivers

·       Length of attacker dwell time before detection and containment

·       Scope and sensitivity of exfiltrated data (government, IP, credentials)

·       Scale of endpoint rebuilds and identity resets required

·       Regulatory and cross-border notification obligations

·       Duration of enhanced monitoring and defensive uplift post-incident

Targeted Sectors

·       Government ministries

·       Foreign Affairs

·       Defense

·       Telecommunications

·       NGOs

·       Critical Infrastructure

Countries

·       Myanmar

·       Mongolia

·       Malaysia

·       Russia

·       Pakistan

·       Thailand

·       European Union member states

First Reported Activity

·       COOLCLIENT was first documented in November 2022.

Most Recent Update

January 2026.

APT Names

·       Mustang Panda

·       Earth Preta

·       Bronze President

·       RedDelta

·       TA416

·       HoneyMyte

·       Stately Taurus

·       Twill Typhoon

Associated Criminal Organizations

·       Not applicable

IOCs

Advanced DLL Side-Loading Heuristics

·       Mustang Panda heavily relies on DLL side-loading to execute malicious code through legitimate, signed binaries.

·       Legitimate Binary Masquerading: Look for common applications renamed or placed in unusual directories (e.g., vlc.exe renamed to googleupdate.exe).

·       Targeted Signed Binaries: Monitor for executions of binaries from Sangfor, Bitdefender (qutppy.exe), VLC Media Player (vlc.exe), and Ulead PhotoImpact (olreg.exe) in temp folders or user-writable directories.

·       Mismatched DLLs: Detect when these legitimate binaries load DLLs with suspicious names like libvlc.dll (if not in the standard install path) or sang.dll that lack proper digital signatures or have recent creation dates.
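The heuristics above can be applied mechanically to image-load telemetry. The block below is an added example, not code from the report or from any vendor: it triages Sysmon Event ID 7 (Image loaded) records using the host binaries and DLL names listed above, assumes Sysmon's Image/ImageLoaded/Signed field names, and runs over constructed sample records.

```python
"""Side-loading triage over Sysmon Event ID 7 (Image loaded) records.

Added example; not code from the report or from any vendor. Field names follow
Sysmon's Event ID 7 schema (Image, ImageLoaded, Signed); the host/DLL names come
from the report; the sample records below are constructed.
"""
import re
from pathlib import PureWindowsPath

# Legitimate side-loading hosts and the DLLs they pull in, as named in the report.
SIDELOAD_HOSTS = {"vlc.exe", "qutppy.exe", "olreg.exe"}
SIDELOAD_DLLS = {"libvlc.dll", "sang.dll"}

# Locations a standard user can write to. A signed vendor binary, or the DLL it
# loads, has no business executing from here.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)"
    r"|users\\public|programdata|windows\\temp|temp)\\",
    re.IGNORECASE,
)
# Roots a legitimately installed copy would load from.
TRUSTED_ROOTS = re.compile(
    r"^[a-z]:\\(program files( \(x86\))?|windows\\system32|windows\\syswow64)\\",
    re.IGNORECASE,
)


def triage_image_load(ev):
    """Return the list of heuristic hits for one Event ID 7 record (empty if clean)."""
    image, dll = ev["Image"], ev["ImageLoaded"]
    host_name = PureWindowsPath(image).name.lower()
    dll_name = PureWindowsPath(dll).name.lower()
    signed = ev.get("Signed", "false").lower() == "true"
    hits = []

    if host_name in SIDELOAD_HOSTS and USER_WRITABLE.match(image):
        hits.append(f"{host_name} executing from user-writable path {image}")

    if dll_name in SIDELOAD_DLLS:
        if not signed:
            hits.append(f"{dll_name} is unsigned")
        if not TRUSTED_ROOTS.match(dll):
            hits.append(f"{dll_name} loaded from outside a standard install path: {dll}")
        if host_name not in SIDELOAD_HOSTS:
            # e.g. vlc.exe renamed to googleupdate.exe still pulls in libvlc.dll
            hits.append(f"{dll_name} loaded by unexpected host {host_name} (renamed binary?)")
        same_dir = PureWindowsPath(image).parent == PureWindowsPath(dll).parent
        if same_dir and USER_WRITABLE.match(image):
            hits.append("DLL co-located with its host in a user-writable directory")
    return hits


def triage_all(events):
    """Map each flagged record (keyed by host image path) to its hits; clean records are dropped."""
    return {ev["Image"]: triage_image_load(ev) for ev in events if triage_image_load(ev)}


# Constructed sample telemetry, not real events.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\bob\AppData\Local\Temp\googleupdate.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\libvlc.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "ImageLoaded": r"C:\Program Files\VideoLAN\VLC\libvlc.dll", "Signed": "true"},
    {"Image": r"C:\Users\Public\Libraries\olreg.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\sang.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for image, hits in triage_all(SAMPLE_EVENTS).items():
        print(image)
        for h in hits:
            print("   -", h)
```

The legitimately installed VLC record produces no hits; the renamed copy in Temp and the olreg.exe/sang.dll pair in Public\Libraries each trip several heuristics at once, which is the pattern to alert on rather than any single rule.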

Execution and Persistence Patterns

The group's infection chain often follows a multi-stage process involving specific file types.

·       LNK File Hijacking: Heuristic detection of .lnk (shortcut) files that execute commands (e.g., cmd.exe /c ...) to launch binaries while simultaneously opening a decoy document like a PDF or Word file.

·       Encrypted Payload Loading: Identification of "loader" files with atypical extensions (e.g., .ja, .dat) or no extension at all, which are read by a side-loaded DLL to decrypt next-stage shellcode in memory.

·       Service/Task Creation: COOLCLIENT often ensures persistence by creating new system services or scheduled tasks with generic or deceptive names to blend in with Windows system operations.
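To check the service/task creation pattern on a host, the following added example (not code from the report or from Microsoft) parses exported Task Scheduler XML, as produced by `schtasks /query /tn <name> /xml`, and flags actions that run from user-writable locations, launchers whose arguments point there, logon/boot triggers, and deceptive names. The name patterns are assumptions to tune per environment, and the three task definitions are constructed.

```python
"""Triage of exported Task Scheduler definitions for COOLCLIENT-style persistence.

Added example; not from the report or from Microsoft. Input is the XML that
`schtasks /query /tn <name> /xml` (or Export-ScheduledTask) emits; the task
name patterns are heuristics, and the sample tasks below are constructed.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Paths (or environment variables) a standard user can write to.
USER_WRITABLE = re.compile(
    r"(\\users\\[^\\]+\\appdata\\|\\users\\public\\|\\programdata\\|\\temp\\"
    r"|%(appdata|localappdata|public|temp|programdata)%)",
    re.IGNORECASE,
)
# Interpreters commonly used to launch a payload that sits elsewhere.
LAUNCHER = re.compile(r"^(cmd|powershell|pwsh|wscript|cscript|rundll32|regsvr32|mshta)\.exe$", re.IGNORECASE)
# Names chosen to blend in with Windows or vendor updaters (assumption; tune per environment).
DECEPTIVE_NAME = re.compile(r"(update|service|windows|microsoft|defender|onedrive|google)", re.IGNORECASE)
PERSISTENCE_TRIGGERS = {"LogonTrigger", "BootTrigger"}


def triage_task(task_name, xml_text):
    """Return heuristic hits for one task definition (empty list if nothing stands out)."""
    root = ET.fromstring(xml_text)
    hits = []
    for action in root.findall(".//t:Actions/t:Exec", NS):
        cmd = action.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = action.findtext("t:Arguments", default="", namespaces=NS).strip()
        if USER_WRITABLE.search(cmd):
            hits.append(f"command runs from user-writable path: {cmd}")
        if LAUNCHER.match(PureWindowsPath(cmd).name) and USER_WRITABLE.search(args):
            hits.append(f"{PureWindowsPath(cmd).name} launches payload from user-writable path: {args}")
    if not hits:
        return hits  # only enrich tasks whose action already looks wrong
    triggers = {t.tag.split("}")[-1] for t in root.findall(".//t:Triggers/*", NS)}
    if triggers & PERSISTENCE_TRIGGERS:
        hits.append("re-executes at logon/boot (persistence)")
    if DECEPTIVE_NAME.search(task_name):
        hits.append(f"task name mimics a system/vendor component: {task_name}")
    return hits


def triage_tasks(tasks):
    """tasks: {task_name: xml_text}. Returns only the flagged tasks."""
    flagged = {name: triage_task(name, xml) for name, xml in tasks.items()}
    return {name: hits for name, hits in flagged.items() if hits}


# Constructed task definitions (no XML declaration, so ET accepts them as str).
SAMPLE_TASKS = {
    "GoogleUpdateTaskMachineCore": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Users\Public\Libraries\googleupdate.exe</Command>
  </Exec></Actions>
</Task>""",
    "WindowsDefenderCheck": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\System32\cmd.exe</Command>
    <Arguments>/c start "" "%APPDATA%\olreg.exe"</Arguments>
  </Exec></Actions>
</Task>""",
    "Diagnostics": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2025-01-01T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\System32\wsqmcons.exe</Command>
  </Exec></Actions>
</Task>""",
}

if __name__ == "__main__":
    for name, hits in triage_tasks(SAMPLE_TASKS).items():
        print(name, "->", "; ".join(hits))
```

Exporting every task on a host and feeding the result to `triage_tasks` gives a quick first pass; the trigger and name checks are only applied once an action already points at a user-writable location, which keeps benign vendor tasks with similar names out of the output.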

Data Exfiltration & Stealer Behavior

·       Recent variants of COOLCLIENT have integrated advanced infostealer modules.

·       Cloud API Abuse: Monitor for unauthorized or unexpected outbound traffic to legitimate cloud storage APIs, specifically Google Drive and Pixeldrain, using hardcoded API tokens.

·       Credential Sniffing: Heuristic alerts for processes performing raw packet inspection or "credential sniffing" of HTTP proxy traffic.

·       Clipboard/Window Monitoring: High-frequency access to the system clipboard and active window titles, a hallmark of their espionage-focused data collection.
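The cloud API abuse heuristic can be expressed as an aggregation over proxy logs. The block below is an added example, not code from the report or from any vendor: it keys on the Google Drive and Pixeldrain hosts named above, treats upload API calls from a non-browser client as the strongest signal, and adds a per-source volume threshold. The tab-separated log format and the sample lines are constructed, and the upload paths are assumed from the public Drive and Pixeldrain API documentation.

```python
"""Proxy-log triage for document exfiltration to cloud storage APIs.

Added example; not from the report or from any vendor. The log lines are a
constructed tab-separated format (time, src_ip, method, host, path, bytes_out,
user_agent); map the fields to your own proxy's schema. The upload endpoints
are assumptions based on the public Google Drive and Pixeldrain API docs.
"""
from collections import defaultdict
from typing import NamedTuple

CLOUD_HOSTS = {"www.googleapis.com", "drive.google.com", "pixeldrain.com"}
# Assumed upload endpoints: Drive multipart/resumable uploads and Pixeldrain's file API.
UPLOAD_PATHS = ("/upload/drive/", "/api/file")
VOLUME_THRESHOLD = 50 * 1024 * 1024  # bytes per (source, host); tune to your baseline


class Rec(NamedTuple):
    ts: str
    src: str
    method: str
    host: str
    path: str
    bytes_out: int
    ua: str


def parse(line):
    """One tab-separated proxy record; the user agent may itself contain tabs, so split at most 6 times."""
    ts, src, method, host, path, size, ua = line.rstrip("\n").split("\t", 6)
    return Rec(ts, src, method.upper(), host.lower(), path, int(size), ua)


def triage(lines, threshold=VOLUME_THRESHOLD):
    """Aggregate per (src, host) and return the pairs that have at least one reason to look."""
    volume = defaultdict(int)
    reasons = defaultdict(set)
    for rec in map(parse, lines):
        if rec.host not in CLOUD_HOSTS:
            continue
        key = (rec.src, rec.host)
        volume[key] += rec.bytes_out
        is_upload = rec.method in ("POST", "PUT") and rec.path.startswith(UPLOAD_PATHS)
        # A backdoor holding a hardcoded API token talks to the upload endpoint
        # directly; a user uploading through the web UI shows a browser UA.
        if is_upload and not rec.ua.startswith("Mozilla/"):
            reasons[key].add(f"upload API call from non-browser client: {rec.method} {rec.path} ua={rec.ua}")
    for key, total in volume.items():
        if total > threshold:
            reasons[key].add(f"{total} bytes out exceeds threshold {threshold}")
    return {key: sorted(r) for key, r in reasons.items() if r}


# Constructed sample log (RFC 5737 / private addresses), not real traffic.
SAMPLE_LOG = """2026-01-14T09:12:03Z\t10.0.8.21\tPOST\twww.googleapis.com\t/upload/drive/v3/files?uploadType=multipart\t52428800\tpython-requests/2.31
2026-01-14T09:12:41Z\t10.0.8.21\tPOST\twww.googleapis.com\t/upload/drive/v3/files?uploadType=multipart\t31457280\tpython-requests/2.31
2026-01-14T09:15:10Z\t10.0.8.21\tPOST\tpixeldrain.com\t/api/file\t10485760\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120
2026-01-14T09:20:00Z\t10.0.8.45\tGET\tdrive.google.com\t/drive/my-drive\t2048\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120
2026-01-14T09:21:00Z\t10.0.8.45\tPOST\twww.googleapis.com\t/upload/drive/v3/files?uploadType=resumable\t4194304\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120
"""

if __name__ == "__main__":
    for (src, host), why in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{src} -> {host}")
        for w in why:
            print("   -", w)
```

In the sample only 10.0.8.21 talking to www.googleapis.com is returned: it both uploads through a non-browser client and crosses the volume threshold, while the browser-driven Drive session from 10.0.8.45 and the small browser upload to Pixeldrain are left alone.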

Defensive Evasion Heuristics

·       Security Software Disabling

o   Look for the use of tools like SplatCloak, which specifically attempt to disable kernel-level notification callbacks for Microsoft Defender and Kaspersky drivers.

·       Rootkit Activity

o   Recent 2025-2026 campaigns have deployed a previously unseen rootkit to hide malicious processes and files from standard system monitoring tools.

·       Obfuscation Techniques

o   Detecting binaries that use VMProtect or advanced control-flow flattening to hinder static and dynamic analysis.

TTPs

Initial Access & Execution

·       T1566.001 Phishing: Spearphishing Attachment

o   Delivers weaponized documents or archives, often using lures related to current regional events.

·       T1204.002 User Execution: Malicious File

o   Tricks users into opening malicious LNK files or trojanized installers.

·       T1574.002 Hijack Execution Flow: DLL Side-Loading

o   Frequently abuses legitimate signed executables (e.g., VLC Media Player, Bitdefender) to load the COOLCLIENT loader.

Defense Evasion

·       T1036 Masquerading

o   Disguises malicious files as legitimate system components, such as googleupdate.exe.

·       T1027 Obfuscated Files or Information

o   Employs XOR encoding and custom packers (like VMProtect) to hide payloads and configuration data.

·       T1014 Rootkit

o   Recent 2025-2026 variants have been observed deploying kernel-mode rootkits to intercept security tool operations.

Persistence & Privilege Escalation

·       T1053.005 Scheduled Task/Job: Scheduled Task

o   Maintains long-term access by creating tasks to re-execute the backdoor.

·       T1055 Process Injection

o   Injects payloads into trusted processes such as winver.exe or werfault.exe so that the backdoor runs under a benign-looking process name and evades detection.

Collection & Exfiltration

·       T1056.001 Input Capture: Keylogging

o   COOLCLIENT core functionality includes logging user keystrokes.

·       T1115 Clipboard Data

o   Features a dedicated module to monitor and steal contents from the system clipboard.

·       T1555.003 Credentials from Password Stores: Credentials from Web Browsers

o   Updated variants include infostealers specifically targeting login data from Chrome, Edge, and other Chromium-based browsers.

·       T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

o   Exfiltration to Cloud Storage: Uses hardcoded API tokens to exfiltrate stolen documents to legitimate services like Google Drive and Pixeldrain.

Command & Control

·       T1071.001 Application Layer Protocol: Web Protocols

o   Communicates with C2 servers primarily over HTTP/HTTPS.

·       T1090 Proxy

o   Utilizes tunneling and HTTP proxy sniffer modules for internal network pivot and credential theft.

Malware Names

·       COOLCLIENT (Backdoor)

·       FileMgrS.dll (Plugin)

·       RemoteShellS.dll (Plugin)

·       ServiceMgrS.dll (Plugin)

·       STATICPLUGIN

·       PlugX

Tools Used in Campaign

·       VLC Media Player (vlc.exe, renamed as googleupdate.exe)

·       Sangfor and Bitdefender (qutppy.exe) binaries

·       Ulead PhotoImpact (olreg.exe) binaries, all abused as DLL side-loading hosts

Delivery Methods

·       Phishing Themes

o   European Union reports on the Ukraine conflict, international summits, and regional natural disaster warnings.

·       Infection Chain

o   Exploits trust in signed binaries via DLL side-loading. For example, a legitimate VLC binary (renamed googleupdate.exe) side-loads a malicious libvlc.dll placed next to it, which then reads and decrypts the loader.ja payload.

Malware Name

·       COOLCLIENT Backdoor

Malware Family

·       Mustang Panda Custom Backdoor

sha256

fe2b438566adcafb6e8ddf5491875be83e981c062240c49f9160b8a3e0761c6a

Known Decoding Key

·       While specific XOR keys vary by campaign, similar samples in this category have utilized level-one constant keys such as 2cef0f87-62fe-4bb9-a1de-4dc009e818ea for bitwise decoding of command-and-control (C2) data.
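The "loader" files described under Encrypted Payload Loading and the XOR key quoted here suggest the first triage step on a recovered blob: XOR it with candidate keys and check whether the result looks like a PE image or a configuration string. The block below is an added example, not code from the report or from any analysed sample; the key is the one quoted above, the encrypted blob is constructed here by encoding a made-up configuration, and the plausibility scoring is a generic heuristic rather than anything COOLCLIENT-specific.

```python
"""Repeating-key XOR decoding of a loader's encrypted next stage or C2 config.

Added example; not code from the report or from any analysed sample. The key
is the one quoted in the report; the encrypted blob is constructed by encoding
a made-up configuration string; the plausibility check is a generic heuristic.
"""
import itertools

REPORTED_KEY = b"2cef0f87-62fe-4bb9-a1de-4dc009e818ea"

# Strings a decoded stage or config would plausibly carry. XORing ASCII data with
# an ASCII key keeps every byte below 0x80, so a printable-character ratio alone
# accepts many wrong keys; requiring a structural marker closes that gap.
MARKERS = (b"http", b".dll", b".exe")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Applying it twice with the same key returns the input."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def plausibility(buf: bytes) -> float:
    """Score 0..1 for 'this decoded into something a loader would use':
    a PE image (MZ header), or mostly printable text that carries a marker."""
    if buf[:2] == b"MZ":
        return 1.0
    printable = sum(32 <= c < 127 or c in (9, 10, 13) for c in buf) / max(len(buf), 1)
    has_marker = any(m in buf for m in MARKERS)
    return printable if has_marker else printable * 0.5  # no marker: capped at 0.5


def try_keys(blob: bytes, candidates, threshold: float = 0.9):
    """Try each candidate key in order; return (key, plaintext) for the first one
    whose output scores at or above the threshold, else None."""
    for key in candidates:
        out = xor_bytes(blob, key)
        if plausibility(out) >= threshold:
            return key, out
    return None


def single_byte_keys():
    """All 256 one-byte keys, for the simplest loaders."""
    return [bytes([b]) for b in range(256)]


# Constructed sample: a made-up C2 config (TEST-NET address) encoded with the reported key.
SAMPLE_CONFIG = b"http://203.0.113.10:443/upload\x00plugins=FileMgrS.dll;RemoteShellS.dll;ServiceMgrS.dll\x00"
ENCODED_SAMPLE = xor_bytes(SAMPLE_CONFIG, REPORTED_KEY)

if __name__ == "__main__":
    # Campaign keys first, then brute force of one-byte keys as a fallback.
    found = try_keys(ENCODED_SAMPLE, [b"wrongkey", REPORTED_KEY] + single_byte_keys())
    key, plain = found
    print(f"key {key!r} -> {plain!r}")
```

For a real loader file, read the blob from disk (skipping any header the loader itself skips) and pass the campaign's known keys before falling back to `single_byte_keys()`; a result that starts with MZ can go straight to PE tooling, while shellcode will not score well here and needs disassembly instead.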

Verdict

·       Malicious (Score: ~88–100% depending on engine).

Primary Objectives

·       Information Theft

o   Extraction of credentials and system metadata.

·       Evasion

o   Termination of security-related processes (antivirus/EDR).

·       Persistence

o   Establishing long-term access via registry run keys or scheduled tasks.

Behavior Analysis

·       Process Termination

o   Actively kills security software to prevent detection.

·       Network Activity

o   Connects to C2 infrastructure directly by IP address, often without a preceding DNS query.

·       File Manipulation

o   Drops additional payloads (e.g., PowerShell scripts) and modifies registry Run keys for boot-time persistence.

CVE-2017-0199

Microsoft Office/WordPad RCE

CVSS:3.1

·       (7.8) AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Nessus ID(s)

·       104044

·       99314

·       99304

·       99285

Is CVE in the KEV catalog?

·       Yes

CISA Patch Due Date

·       May 03, 2022

Patch Release Date

·       April 11, 2017

Primary Objectives

·       Remote Code Execution (RCE) via malicious documents.

Behavior Analysis

·       Exploits how Office handles HTA files in OLE objects.

·       Triggers an HTTP request to download a malicious script when a document is opened.

Delivery Methods

·       Phishing emails with malicious RTF or Excel attachments

CVE-2021-1675

Windows Print Spooler LPE/RCE (PrintNightmare)

CVSS:3.1

·       (8.8) AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Nessus ID

·       150353

·       150354

·       150357

·       150363

·       150367

·       150368

·       150369

·       150370

·       150374

Is CVE in the KEV catalog?

·       Yes

CISA Patch Due Date

·       May 03, 2022

Mitigation

·       Disable Print Spooler service on Domain Controllers.

Patch Release Date

·       June 08, 2021

Primary Objectives

·       Elevation of Privilege (LPE) and Remote Code Execution (RCE).

Behavior Analysis

·       Abuses the RpcAddPrinterDriverEx() call to install an attacker-supplied printer driver DLL, which the Spooler then loads as SYSTEM.

Delivery Methods

Post-exploitation lateral movement; not typically an initial delivery vector

CVE-2021-34527

Windows Print Spooler RCE (PrintNightmare OOB)

CVSS:3.1

·       (8.8) AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Nessus ID

·       151471

·       151472

·       151473

·       151474

·       151475

·       151476

·       151477

·       151478

·       151479

·       151488

·       154997

·       156065

Is CVE in the KEV catalog?

·       Yes

CISA Patch Due Date

·       May 03, 2022

Patch Release Date

·       July 06, 2021

Behavior Analysis

·       Abuses the RpcAddPrinterDriverEx() call to install an attacker-supplied printer driver DLL, which the Spooler then loads as SYSTEM.

CVE-2021-40444

MSHTML Remote Code Execution

CVSS:3.1

·       (8.8) AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L

Nessus ID

·       153372

·       153373

·       153374

·       153375

·       153377

·       153381

·       153383

Is CVE in the KEV catalog?

·       Yes

CISA Patch Due Date

·       May 03, 2022

Mitigation

·       Disable ActiveX controls via registry

Patch Release Date

·       September 14, 2021

Primary Objectives

·       Initial access and malware deployment

Behavior Analysis

·       Embeds a malicious ActiveX control in an Office document that invokes the MSHTML browser rendering engine to load attacker-controlled content.

Delivery Methods

Phishing emails with document lures themed around invoices or corporate updates.

CVE-2024-24919

Check Point Security Gateway Info Disclosure

CVSS:3.1

·       (8.6) AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Nessus ID

·       114291

·       198147

Is CVE in the KEV catalog?

·       Yes

CISA Patch Due Date

·       June 20, 2024

Mitigation

·       Disable local password-only accounts

Patch Release Date

·       May 28, 2024

Primary Objectives

·       Unauthorized arbitrary file read (e.g., /etc/shadow) to extract password hashes.

Behavior Analysis

·       Exploits gateways with "Remote Access VPN" enabled to read sensitive system files without authentication.

CVE-2021-30869

Apple XNU Privilege Escalation

CVSS:3.1

·       (7.8) AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Nessus ID

·       153709

·       153652

·       145548

Is CVE in the KEV catalog?

·       Yes

CISA Patch Due Date

·       May 03, 2022

Patch Release Date

·       September 23, 2021

Primary Objectives

·       Arbitrary code execution with kernel privileges.

Behavior Analysis

·       A type confusion issue in the kernel allows for exploitation by a malicious application.

Suggested rules / potential hunts

As a reminder, these are indicator rules. They are likely to be noisy.

For best results consider creating a data model and reviewing the traffic as a report.

Suricata


·       Custom Packet Matching

o   Look for specific response values used in their memory-only execution phase. Caveat: |17 03 03| is the record header of every TLS 1.2 application-data record, so the first rule matches essentially all TLS traffic into the network; run it as a counting rule feeding a report, or constrain it to known C2 addresses, never as a standalone alert. |46 77 4d| is ASCII "FwM".

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Mustang Panda C2 Response Magic Packet Observed"; flow:established,to_client; content:"|17 03 03|"; depth:3; sid:1000001; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Mustang Panda C2 Response Magic Packet Observed (Alt)"; flow:established,to_client; content:"|46 77 4d|"; depth:3; sid:1000002; rev:1;)


·       Malicious LNK Retrieval

o   Detect the retrieval of obfuscated .lnk files often used in their initial access via Google Drive or microblogging sites. The rule inspects the request URI only (both content matches sit in the http.uri sticky buffer); a .lnk packed inside a ZIP never appears in the URI, so pair this with file extraction logging or a file.data rule over the response body.

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Mustang Panda Potential Obfuscated LNK Download"; flow:established,to_server; http.uri; content:".zip"; nocase; content:".lnk"; nocase; distance:0; sid:1000003; rev:1;)

SentinelOne

·       Hunt for the side-loading host binaries named in the IOC section loading DLLs from non-standard paths.

SrcProcName In Contains Anycase ("vlc.exe", "qutppy.exe", "olreg.exe", "MpDlpCmd.exe") AND ModulePath Does Not Contain "System32" AND ModulePath Does Not Contain "Program Files"


·       Monitor for the creation of new services or scheduled tasks, common for COOLCLIENT's persistence.

EventType = "Service Creation" AND (ServiceCommand contains "AppData" OR ServiceCommand contains "Public")


·       Hunt for attempts to blind Windows Defender or Kaspersky using their bespoke "SplatCloak" tool. Caveat: SplatCloak removes kernel notification callbacks rather than unloading the drivers, so a driver-unload event for WdFilter.sys or klbg.sys is only a weak proxy; the stronger signals are the load of the SplatCloak driver itself (a new kernel-mode service created from a user-writable path) and those sensors going silent on an otherwise active host.

Indicator = "Driver Unloaded" AND (ImagePath contains "WdFilter.sys" OR ImagePath contains "klbg.sys")

Splunk

·       Mustang Panda frequently queries Event Logs to identify domain controllers and logged-in users. The search needs process creation auditing with command-line logging enabled (Event ID 4688 with "Include command line in process creation events"); logon events (4624) carry no command line and are omitted.

index=windows EventCode=4688 (New_Process_Name="*\\wevtutil.exe" OR New_Process_Name="*\\powershell.exe") (Process_Command_Line="*get-eventlog*" OR Process_Command_Line="*get-winevent*" OR Process_Command_Line="* qe *" OR Process_Command_Line="*query-events*") | stats count values(Process_Command_Line) as cmdlines by host, user


·       Look for high-volume data transfers to platforms like MEGA, Google Drive (including the googleapis.com upload endpoints), Pixeldrain, or Dropbox.

index=network_logs (dest_host="*mega.nz*" OR dest_host="*drive.google.com*" OR dest_host="*googleapis.com*" OR dest_host="*pixeldrain.com*" OR dest_host="*dropbox.com*") | stats sum(bytes_out) as total_exfil by src_ip, dest_host | where total_exfil > 500000000


·       Detect the group's use of netstat -ano to map network connections.

index=endpoint process="netstat.exe" args="-ano" | stats count by host, user

References

NVD

·       hxxps://nvd.nist.gov/vuln/detail/CVE-2017-0199

·       hxxps://nvd.nist.gov/vuln/detail/CVE-2021-1675

·       hxxps://nvd.nist.gov/vuln/detail/CVE-2021-34527

·       hxxps://nvd.nist.gov/vuln/detail/CVE-2021-40444

·       hxxps://nvd.nist.gov/vuln/detail/CVE-2024-24919

·       hxxps://nvd.nist.gov/vuln/detail/CVE-2021-30869

Tenable

·       hxxps://www.tenable.com/cve/CVE-2017-0199/plugins

·       hxxps://www.tenable.com/cve/CVE-2021-1675/plugins

·       hxxps://www.tenable.com/cve/CVE-2021-34527/plugins

·       hxxps://www.tenable.com/cve/CVE-2021-40444/plugins

·       hxxps://www.tenable.com/cve/CVE-2024-24919/plugins

·       hxxps://www.tenable.com/cve/CVE-2021-30869/plugins

KEV Catalog

·       hxxps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-0199

·       hxxps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-1675

·       hxxps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-34527

·       hxxps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-40444

·       hxxps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-24919

·       hxxps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-30869


VirusTotal

·       hxxps://www.virustotal.com/gui/file/fe2b438566adcafb6e8ddf5491875be83e981c062240c49f9160b8a3e0761c6a/details
