Executive Summary
Between 2024 and 2025, the advanced persistent threat group HoneyMyte (aka Mustang Panda, Bronze President) orchestrated espionage campaigns targeting government entities across Southeast Asia, Mongolia, Malaysia, Myanmar, and Europe. Using updated CoolClient backdoors, custom browser credential stealers, and prying scripts, HoneyMyte achieved persistent access, broad network infiltration, and the theft of sensitive documents, credentials, and operational intelligence. Attackers abused DLL sideloading against signed binaries, launched post-exploitation scripts, and used public file-sharing services for covert exfiltration, bypassing traditional defense layers and maintaining long-term surveillance on official targets.
This incident highlights the evolving techniques of APT campaigns with growing reliance on multi-stage malware, encrypted traffic, and cloud-based exfiltration channels. The sophistication and persistence demonstrated by HoneyMyte reflect a broader rise in state-sponsored cyber espionage, posing continuing challenges for organizations' detection and regulatory compliance efforts in 2025.
Why This Matters Now
State-backed espionage campaigns are escalating, with HoneyMyte’s recent activities signaling a trend toward modular malware, credential theft, and the use of legitimate cloud platforms for exfiltration. Government, defense, and critical infrastructure organizations must act swiftly to close gaps exploited by advanced attackers, particularly around lateral movement, data loss, and privilege escalation.
Attack Path Analysis
HoneyMyte initiated access by leveraging DLL sideloading and abusing legitimate signed binaries to implant backdoors. The attackers escalated privileges using UAC bypass and token theft to gain administrative access. They moved laterally via scripts and network enumeration tools to reach and persist across additional hosts within targeted environments. The threat actors established command & control using custom backdoor protocols and plugins, maintaining remote access and deploying additional modules. Exfiltration involved compressing and uploading credentials and sensitive documents to attacker infrastructure and public file-sharing sites, often using curl, FTP, and covert API-based channels. Impact was realized through long-term espionage and theft of organizational secrets, with no observed destructive actions.
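As an added illustration (not part of the original brief or of Kaspersky's reporting), the following Python flags the signed-binary DLL sideloading pattern described above over constructed image-load events: a signed executable loading an unsigned or differently signed DLL from its own directory outside a trusted install location. The record fields and sample paths are assumptions, not a real EDR or Sysmon schema.

```python
"""Detection logic for the DLL sideloading pattern (added example).

Input records are constructed, simplified image-load events; the field
names (image, image_signed, image_signer, image_loaded, dll_signed,
dll_signer) are assumptions, not a real telemetry schema.
"""
from pathlib import PureWindowsPath

# Directories where legitimately installed, signed software normally lives.
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)


def is_trusted_dir(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(d) for d in TRUSTED_DIRS)


def is_sideload_candidate(evt: dict) -> bool:
    """True when a signed process loads a DLL from its own directory, the DLL
    is unsigned or signed by a different publisher, and the process runs from
    outside a trusted install directory. That combination matches a trusted
    binary dropped into a user-writable folder beside a malicious DLL."""
    exe = PureWindowsPath(evt["image"])
    dll = PureWindowsPath(evt["image_loaded"])
    same_dir = str(exe.parent).lower() == str(dll.parent).lower()
    signer_mismatch = (not evt["dll_signed"]) or evt.get("dll_signer") != evt.get("image_signer")
    return bool(evt["image_signed"] and same_dir and signer_mismatch and not is_trusted_dir(str(exe)))


def find_sideloads(events: list) -> list:
    return [e for e in events if is_sideload_candidate(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Users\u\AppData\Roaming\upd\helper.exe", "image_signed": True, "image_signer": "VendorCo",
     "image_loaded": r"C:\Users\u\AppData\Roaming\upd\libcurl.dll", "dll_signed": False, "dll_signer": None},
    {"image": r"C:\Program Files\VendorCo\helper.exe", "image_signed": True, "image_signer": "VendorCo",
     "image_loaded": r"C:\Program Files\VendorCo\libcurl.dll", "dll_signed": True, "dll_signer": "VendorCo"},
    {"image": r"C:\Users\u\Downloads\tool.exe", "image_signed": True, "image_signer": "VendorCo",
     "image_loaded": r"C:\Windows\System32\kernel32.dll", "dll_signed": True, "dll_signer": "Microsoft Windows"},
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print("possible sideload:", hit["image"], "->", hit["image_loaded"])
```

Only the first sample event is flagged: the second is a matching-signer load from a trusted directory, and the third loads a system DLL from a different directory.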
Kill Chain Progression
Initial Compromise
Description
The attackers gained initial foothold via software supply chain weaknesses and DLL sideloading using trusted binaries, enabling execution of CoolClient and other backdoors on target systems.
Related CVEs
CVE-2025-55182
CVSS 10.0
An unrestricted file upload vulnerability in the web interface allows an authenticated remote attacker to execute arbitrary code.
Affected Products: Sierra Wireless AirLink ALEOS – < 4.9.4
Exploit Status: exploited in the wild

CVE-2025-68668
CVSS 9.9
A vulnerability in the workflow management system allows remote code execution via crafted input.
Affected Products: WorkflowCorp WorkflowManager – 1.0, 1.1, 1.2
Exploit Status: exploited in the wild
MITRE ATT&CK® Techniques
Phishing
Hijack Execution Flow: DLL Side-Loading
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Valid Accounts
Input Capture: Keylogging
Screen Capture
Automated Collection
Exfiltration Over C2 Channel
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Secure Authentication for All System Components
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Art. 9
CISA Zero Trust Maturity Model 2.0 – Credential Protection and Zero Trust Authentication
Control ID: Identity Pillar – Credentials & Authentication
NIS2 Directive – Risk Management and Technical Measures
Control ID: Art. 21(2) & (3)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Primary target of HoneyMyte APT campaigns across Southeast Asia, facing credential theft, document exfiltration, and persistent surveillance through CoolClient backdoor deployments.
Telecommunications
High risk from encrypted traffic interception capabilities and east-west traffic vulnerabilities, enabling lateral movement and command-and-control communications through network infrastructure.
Financial Services
Critical exposure to browser credential theft, clipboard monitoring, and proxy authentication harvesting threatening customer data and regulatory compliance under PCI DSS requirements.
Information Technology
Vulnerable to Kubernetes security exploits, cloud firewall bypasses, and zero trust segmentation failures enabling privilege escalation and multicloud environment compromise.
Sources
- HoneyMyte updates CoolClient and deploys multiple stealers in recent campaigns: https://securelist.com/honeymyte-updates-coolclient-uses-browser-stealers-and-scripts/118664/
- Kaspersky reveals new HoneyMyte APT campaigns and toolset: https://www.kaspersky.com/about/press-releases/kaspersky-reveals-new-honeymyte-apt-campaigns-and-toolset
- CVE-2025-55182 (CVSS 10.0) and CVE-2025-68668 (CVSS 9.9) Exploited in IoT and Workflow Attacks (Purple Ops): https://www.purple-ops.io/resources-hottest-cves/cve-2025-55182-iot-threats/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Enforcement of Zero Trust segmentation, robust lateral movement controls, egress policy, and encrypted traffic inspection would have significantly contained HoneyMyte’s activities, limiting privilege escalation, propagation, and covert data exfiltration. CNSF-aligned controls disrupt malicious movement and unauthorized access by restricting communication, enforcing least privilege, and monitoring for anomalies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Initial executable delivery attempts could be detected or blocked via inline, real-time inspection at the cloud perimeter.
Control: Zero Trust Segmentation
Mitigation: Limits attacker mobility and access to sensitive workloads even after privilege escalation.
Control: East-West Traffic Security
Mitigation: Blocks unauthorized lateral communication between workloads and detects anomalous internal traffic.
Control: Multicloud Visibility & Control
Mitigation: Visibility and anomaly detection alert on covert C2 activities, enabling rapid incident response.
Control: Egress Security & Policy Enforcement
Mitigation: Prevents or alerts on unauthorized data transfers and blocks unsanctioned destinations.
Limits the scope of data accessible to attackers, reducing possible espionage impact.
Impact at a Glance
Affected Business Functions
- Government Operations
- Data Management
Estimated downtime: 5 days
Estimated loss: $500,000
Sensitive government documents and credentials were exfiltrated, leading to potential national security risks.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to isolate critical workloads and enforce least-privilege network access.
- Enforce strict east-west traffic security to spot and block lateral movement attempts within cloud environments.
- Apply robust egress policy to restrict outbound data flows and detect unauthorized transfers to external services.
- Deploy advanced multi-cloud visibility tools for centralized monitoring and swift anomaly detection, including C2 and exfiltration behaviors.
- Mandate regular threat detection and incident response testing aligned to prevalent APT tradecraft and validated CNSF capabilities.