{"id":339,"date":"2025-12-29T10:09:50","date_gmt":"2025-12-29T10:09:50","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2025\/12\/29\/the-honeymyte-apt-evolves-with-a-kernel-mode-rootkit-and-a-toneshell-backdoor\/"},"modified":"2025-12-29T10:09:50","modified_gmt":"2025-12-29T10:09:50","slug":"the-honeymyte-apt-evolves-with-a-kernel-mode-rootkit-and-a-toneshell-backdoor","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2025\/12\/29\/the-honeymyte-apt-evolves-with-a-kernel-mode-rootkit-and-a-toneshell-backdoor\/","title":{"rendered":"The HoneyMyte APT evolves with a kernel-mode rootkit and a ToneShell backdoor"},"content":{"rendered":"
\n

\"\"<\/p>\n

Overview of the attacks<\/h2>\n

In mid-2025, we identified a malicious driver file on computer systems in Asia. The driver file is signed with an old, stolen, or leaked digital certificate and registers as a mini-filter driver on infected machines. Its end-goal is to inject a backdoor Trojan into the system processes and provide protection for malicious files, user-mode processes, and registry keys.<\/p>\n

Our analysis indicates that the final payload injected by the driver is a new sample of the ToneShell backdoor, which connects to the attacker\u2019s servers and provides a reverse shell, along with other capabilities. The ToneShell backdoor is a tool known to be used exclusively by the HoneyMyte (aka Mustang Panda or Bronze President) APT actor and is often used in cyberespionage campaigns targeting government organizations, particularly in Southeast and East Asia.<\/p>\n

The command-and-control servers for the ToneShell backdoor used in this campaign were registered in September 2024 via NameCheap services, and we suspect the attacks themselves to have begun in February 2025. We\u2019ve observed through our telemetry that the new ToneShell backdoor is frequently employed in cyberespionage campaigns against government organizations in Southeast and East Asia, with Myanmar and Thailand being the most heavily targeted.<\/p>\n

Notably, nearly all affected victims had previously been infected with other HoneyMyte tools, including the ToneDisk USB worm, PlugX, and older variants of ToneShell. Although the initial access vector remains unclear, it\u2019s suspected that the threat actor leveraged previously compromised machines to deploy the malicious driver.<\/p>\n

Compromised digital certificate<\/h2>\n

The driver file is signed with a digital certificate from Guangzhou Kingteller Technology Co., Ltd.<\/strong>, with a serial number of 08 01 CC 11 EB 4D 1D 33 1E 3D 54 0C 55 A4 9F 7F<\/strong>. The certificate was valid from August 2012 until 2015.<\/p>\n

We found multiple other malicious files signed with the same certificate which didn\u2019t show any connections to the attacks described in this article. Therefore, we believe that other threat actors have been using it to sign their malicious tools as well. The following image shows the details of the certificate.<\/p>\n

\"\"<\/a><\/p>\n

Technical details of the malicious driver<\/h2>\n

The filename used for the driver on the victim\u2019s machine is ProjectConfiguration.sys<\/strong>. The registry key created for the driver\u2019s service uses the same name, ProjectConfiguration.<\/strong><\/p>\n

The malicious driver contains two user-mode shellcodes, which are embedded into the .data section of the driver\u2019s binary file. The shellcodes are executed as separate user-mode threads. The rootkit functionality protects both the driver\u2019s own module and the user-mode processes into which the backdoor code is injected, preventing access by any process on the system.<\/p>\n

API resolution<\/h3>\n

To obfuscate the actual behavior of the driver module, the attackers used dynamic resolution of the required API addresses from hash values.<\/p>\n

The malicious driver first retrieves the base address of the ntoskrnl.exe<\/strong> and fltmgr.sys<\/strong> by calling ZwQuerySystemInformation<\/strong> with the SystemInformationClass<\/strong> set to SYSTEM_MODULE_INFORMATION<\/strong>. It then iterates through this system information and searches for the desired DLLs by name, noting the ImageBaseAddress<\/strong> of each.<\/p>\n

Once the base addresses of the libraries are obtained, the driver uses a simple hashing algorithm to dynamically resolve the required API addresses from ntoskrnl.exe<\/strong> and fltmgr.sys<\/strong>.<\/p>\n

The hashing algorithm is shown below. The two variants of the seed value provided in the comment are used in the shellcodes and the final payload of the attack.<\/p>\n

\"\"<\/a><\/p>\n

Protection of the driver file<\/h3>\n

The malicious driver registers itself with the Filter Manager using FltRegisterFilter<\/strong> and sets up a pre-operation callback. This callback inspects I\/O requests for IRP_MJ_SET_INFORMATION<\/strong> and triggers a malicious handler when certain FileInformationClass<\/strong> values are detected. The handler then checks whether the targeted file object is associated with the driver; if it is, it forces the operation to fail by setting IOStatus<\/strong> to STATUS_ACCESS_DENIED<\/strong>. The relevant FileInformationClass<\/strong> values include:<\/p>\n