VulnHub

Real-time Cybersecurity News

Mustang Panda Deploys Updated COOLCLIENT Backdoor in Government Cyber Attacks

The Hacker News
Actively Exploited
Critical

Overview

Cybersecurity researchers have identified that a group known as Mustang Panda, believed to be linked to the Chinese government, is using an updated backdoor called COOLCLIENT in cyber espionage campaigns. These attacks, which have been ongoing in 2025, primarily target government entities, allowing the attackers to steal sensitive data from compromised systems. This new version of COOLCLIENT enhances the group's capabilities, raising concerns about the potential for significant data breaches in critical government sectors. The implications of these attacks could lead to compromised national security and the exposure of sensitive governmental information. Organizations, especially those in the public sector, need to bolster their security measures to protect against such sophisticated threats.

Key Takeaways

  • Active Exploitation: This vulnerability is being actively exploited by attackers. Immediate action is recommended.
  • Affected Systems: Government entities
  • Action Required: Organizations should enhance their endpoint security, implement regular software updates, and conduct thorough security audits to detect and mitigate potential intrusions.
  • Timeline: Ongoing since 2025

Original Article Summary

Threat actors with ties to China have been observed using an updated version of a backdoor called COOLCLIENT in cyber espionage attacks in 2025 to facilitate comprehensive data theft from infected endpoints. The activity has been attributed to Mustang Panda (aka Earth Preta, Fireant, HoneyMyte, Polaris, and Twill Typhoon) with the intrusions primarily directed against government entities located

Impact

Government entities

Exploitation Status

This vulnerability is confirmed to be actively exploited by attackers in real-world attacks. Organizations should prioritize patching or implementing workarounds immediately.

Timeline

Ongoing since 2025

Remediation

Organizations should enhance their endpoint security, implement regular software updates, and conduct thorough security audits to detect and mitigate potential intrusions.

Additional Information

This threat intelligence is aggregated from trusted cybersecurity sources. For the most up-to-date information, technical details, and official vendor guidance, please refer to the original article linked below.

Related Topics: This incident relates to Critical.

Read Original Article

Related Coverage

Inside Olympic Cybersecurity: Lessons From Paris 2024 to Milan Cortina 2026

darkreading

Franz Regul, the former Chief Information Security Officer for the Paris 2024 Olympics, addressed the unique cybersecurity challenges faced by the event, especially as it prepares for the upcoming games. With a focus on evolving threats, Regul implemented strategies to safeguard sensitive data and protect against potential attacks. As the Olympics draw nearer, the need for a strong cybersecurity framework becomes increasingly vital, particularly with the high-profile nature of the event attracting various malicious actors. The lessons learned from Paris 2024 will also inform security measures for the Milan Cortina 2026 Olympics, aiming to create a safer environment for athletes and spectators alike. This proactive approach to cybersecurity underscores the importance of preparedness in large-scale events.

Mar 17, 2026

GlassWorm Malware Evolves to Hide in Dependencies

darkreading

Researchers have discovered a new evolution of the GlassWorm malware, which now includes several malicious browser extensions that employ advanced evasion techniques. These extensions can hide within legitimate software dependencies, making them harder to detect. Users of affected browsers are at risk, as these extensions can compromise their systems by stealing sensitive information or enabling unauthorized access. This development is particularly concerning for organizations that rely on various web applications, as it can lead to significant data breaches if not addressed. Companies and users should remain vigilant and ensure their security measures are up-to-date to combat this growing threat.

Mar 16, 2026

GlassWorm Attack Uses Stolen GitHub Tokens to Force-Push Malware Into Python Repos

The Hacker News

The GlassWorm malware campaign is actively exploiting stolen GitHub tokens to inject malicious code into numerous Python repositories. Researchers at StepSecurity reported that this attack primarily targets various Python projects, including Django applications, machine learning research code, and Streamlit dashboards. The attackers are modifying critical files like setup.py, main.py, and app.py to include obfuscated malware, which could compromise any project that relies on these repositories. This situation poses a significant risk to developers and organizations using Python, as running compromised code could lead to serious security breaches. Developers need to be vigilant about the integrity of their repositories and monitor for unauthorized changes.

Mar 16, 2026

ClickFix campaigns target macOS users via MacSync infostealer

SCM feed for Latest

Recent ClickFix campaigns are targeting macOS users through malicious tools disguised as ChatGPT applications. Attackers are utilizing deceptive tactics, including fake software and Terminal commands, to install the MacSync infostealer on infected systems. This infostealer is designed to harvest sensitive information from users, which poses a significant risk to personal and organizational security. Users who inadvertently download these fake tools could find their data compromised, leading to potential identity theft or financial loss. It's crucial for macOS users to remain vigilant and avoid downloading software from untrusted sources.

Mar 16, 2026

CISA flags Wing FTP Server flaw as actively exploited in attacks

BleepingComputer

The Cybersecurity and Infrastructure Security Agency (CISA) has alerted U.S. government agencies about a vulnerability in Wing FTP Server that is currently being exploited in attacks. This flaw could potentially allow attackers to execute remote code, raising the risk of severe security breaches. Organizations using this software need to take immediate action to secure their systems, as the vulnerability could be linked to more extensive exploitation tactics. The warning is particularly urgent for agencies that manage sensitive data, as the consequences of an attack could be significant. It's crucial for affected users to stay vigilant and apply any available security measures to mitigate risks.

Mar 16, 2026

UK’s Companies House confirms security flaw exposed business data

BleepingComputer

Companies House, the British agency responsible for company registration in the UK, recently confirmed that a security flaw in its WebFiling service exposed sensitive business information since October 2025. The agency temporarily took the service offline on Friday to address the issue, which raised concerns about the privacy of companies' data. While they have since restored the service, the breach could have serious implications for businesses relying on the registry for compliance and reporting. Companies should review their security practices and remain vigilant about potential misuse of their exposed information. This incident underscores the need for robust security measures in public-facing services.

Mar 16, 2026