Kaspersky Lab: New Cyber Espionage Campaigns Against Organizations in Russia and Asian Countries


Kaspersky Lab experts have reported new cyber espionage campaigns conducted by the HoneyMyte group. In 2025-2026, the attackers significantly expanded their toolkit, adding espionage functions to the CoolClient backdoor and starting to use browser stealers and malicious scripts to steal credentials, documents, and system information.

HoneyMyte is a Chinese-speaking hacker group specializing in cyber espionage. The group's activity covers Europe and Asia, mainly the public sector. Among the new features of the CoolClient backdoor is clipboard monitoring, which captures the clipboard contents along with the title of the active window, the process ID, and a timestamp. This gives attackers the ability to track user behavior and gain context for stolen data. In addition, the backdoor can extract HTTP proxy credentials from network traffic and use plugins to extend its functionality.

In operations against the public sector in Myanmar and Thailand, the group used new malware samples, including scripts that collect system information, extract documents, and steal credentials from the Chrome and Microsoft Edge browsers.

Sergey Lozhkin, Head of Kaspersky GReAT in Asia, Africa and the Middle East, emphasized that in order to counter such threats, organizations need to maintain a high level of training and take proactive protection measures.