SAPPI A.I CyberSecurity Scoring
SAPPI
Company Information
Website:https://www.seapublicpolicy.org
Employees number:4
Number of followers:1,708
NAICS:54172
Industry Type:Think Tanks
Homepage:seapublicpolicy.org
SAPPI Risk Score (AI oriented)
Between 700 and 749
SAPPIThink Tanks
Updated:
02/04/2026
02/04/2026
738/1000
Moderate
Ba
SAPPI Global Score (TPRM)
xxxx
SAPPIThink Tanks
Score locked

SAPPIModerate
Current Score
738Ba (MODERATE)
01000
1 incidents
0 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JULY 2026
739
JUNE 2026
739
MAY 2026
738
APRIL 2026
738
MARCH 2026
738
FEBRUARY 2026
737
JANUARY 2026
737
DECEMBER 2025
737
NOVEMBER 2025
736
OCTOBER 2025
736
SEPTEMBER 2025
735
AUGUST 2025
735
JANUARY 2025
748
Cyber Attack
01 Jan 2025 • SAPPI
Government entities in Southeast Asia and Europe: HoneyMyte Hacker Group Expands CoolClient Malware With New Advanced Toolset
HoneyMyte APT Expands Cyber-Espionage Operations with Advanced Malware Upgrades in 2025
730
CRITICAL-18
SOU1770159284
HoneyMyte APT Expands Cyber-Espionage Operations with Advanced Malware Upgrades in 2025
The HoneyMyte APT group (also known as Mustang Panda or Bronze President) has intensified its cyber-espionage campaigns across Asia and Europe, with Southeast Asia as the primary target. Active in 2025, the group has significantly upgraded its malware arsenal, focusing on government entities with enhanced tools for data exfiltration and system reconnaissance.
### Evolved Malware Capabilities
HoneyMyte’s toolkit includes the ToneShell kernel-mode rootkit, PlugX and Qreverse backdoors, CoolClient backdoor, and Tonedisk/SnakeDisk USB worms. The group has refined existing malware while introducing new post-exploitation tools, particularly the CoolClient backdoor, which has undergone major functional upgrades.
#### CoolClient Backdoor Enhancements
First identified in 2022, CoolClient has evolved with new features in its 2025 variant, including:
- Clipboard monitoring – Captures user data (window titles, process IDs, timestamps) via `GetClipboardData` and `GetWindowTextW` APIs, encrypting logs with XOR (key `0xAC`) and storing them at `C:\ProgramData\AppxProvisioning.xml`.
- HTTP proxy credential sniffing – Intercepts raw network traffic, extracting Proxy-Authorization headers and decoding Base64-encoded credentials for exfiltration.
- DLL sideloading abuse – Leverages legitimate software (e.g., Sangfor applications, BitDefender, VLC Media Player) to execute malicious payloads.
- Persistence mechanisms – Uses registry modifications and a scheduled task (`ComboxResetTask`) for long-term access.
- Privilege escalation – Supports UAC bypass via a `passuac` mode.
Core functionalities remain, including system reconnaissance, file manipulation, keylogging, TCP tunneling, and reverse proxy operations.
#### Plugin Ecosystem & Browser Credential Theft
CoolClient now supports three dedicated plugins:
- FileMgrS.dll – Advanced file management.
- RemoteShellS.dll – Remote command execution via hidden `cmd.exe` processes.
- ServiceMgrS.dll – Windows service enumeration and manipulation.
HoneyMyte also deployed three browser credential stealers targeting Chrome, Microsoft Edge, and Chromium-based browsers, extracting saved logins using Windows DPAPI to decrypt master keys. One variant (Variant C) dynamically accepts runtime arguments for flexible targeting across different browser installation paths.
### Supporting Tools & Data Exfiltration
The group employs PowerShell and batch scripts for system enumeration and document theft:
- 1.bat – Downloads compression tools, scans networks, collects system data, and exfiltrates via FTP.
- Ttraazcs32.ps1 – Searches for recently modified documents across all drives.
- t.ps1 – Targets browser credential files, compresses data, and uploads to Pixeldrain using hardcoded API tokens.
### Impact & Targeting
HoneyMyte’s 2025 operations reflect increased sophistication, with a focus on government networks in Southeast Asia and Europe. The group’s expanded toolset particularly CoolClient’s new credential-stealing and clipboard-monitoring features poses a heightened risk for data breaches and persistent access. Defenders are advised to monitor for CoolClient variants, PlugX, ToneShell, and associated malware families in high-risk regions.
INCIDENT DETAILS -
TYPE
MOTIVATION
IMPACT
DATA BREACH
REFERENCES
Frequently Asked Questions
?
What is the current A.I Rankiteo Cyber Score for SAPPI ??
What was SAPPI's A.I Rankiteo Cyber Score in June 2026 ??
What was SAPPI's A.I Rankiteo Cyber Score in May 2026 ??
What was SAPPI's A.I Rankiteo Cyber Score in April 2026 ??
What was SAPPI's A.I Rankiteo Cyber Score in March 2026 ??
What was SAPPI's A.I Rankiteo Cyber Score in February 2026 ??
What was SAPPI's A.I Rankiteo Cyber Score in January 2026 ??
What was SAPPI's A.I Rankiteo Cyber Score in December 2025 ??
What was SAPPI's A.I Rankiteo Cyber Score in November 2025 ??
What was SAPPI's A.I Rankiteo Cyber Score in October 2025 ??
What was SAPPI's A.I Rankiteo Cyber Score in September 2025 ??
What was SAPPI's A.I Rankiteo Cyber Score in August 2025 ??
What is the average per-incident point impact on SAPPI's A.I Rankiteo Cyber Score over the past 12 months ??
Where can I access detailed records of all cyber incidents associated with SAPPI ??
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology ??
Where can I view SAPPI's profile page on Rankiteo ??
How accurate is the A.I Rankiteo Risk Scoring methodology ?