HoneyMyte APT Now Protects Malware with a Kernel-Mode Rootkit: Implications for Enterprise Security
Estimated reading time: 15 minutes
Key Takeaways
- The HoneyMyte APT group, also known as Mustang Panda, has adopted a kernel-mode rootkit to deliver and protect its malicious payloads, significantly increasing stealth and resilience.
- This sophisticated rootkit employs compromised digital certificates, dynamic API resolution, and robust self-protection for files, registry keys, and user-mode processes.
- The primary payload, the ToneShell backdoor, gains unprecedented protection, enabling persistent remote access, file manipulation, and direct command execution, while using fake TLS for C2 communication.
- The move to kernel-mode injection challenges traditional security, demanding advanced EDR/XDR, memory forensics, driver signature enforcement, and network segmentation.
- Organizations must embrace an intelligence-driven defense, proactive threat hunting, updated incident response plans, and supply chain security to counter these advanced evasion techniques.
Table of Contents
The threat landscape constantly shifts, with advanced persistent threat (APT) groups refining their methods to bypass security controls. A significant development in mid-2025 involves the HoneyMyte APT group, also known as Mustang Panda or Bronze President, which has implemented a kernel-mode rootkit to deliver and protect its malicious payloads. This operational adjustment represents a substantial increase in stealth and resilience, requiring organizations to reassess their defense strategies against sophisticated adversaries.
This blog post provides an in-depth analysis of the HoneyMyte APT’s updated tactics, focusing on the technical specifics of their kernel-mode driver and the ToneShell backdoor it deploys. Understanding these mechanisms is essential for developing effective countermeasures and protecting critical assets.
The HoneyMyte APT Now Protects Malware with a Kernel-Mode Rootkit
HoneyMyte’s recent operations demonstrate a shift towards more evasive techniques. The core of this new approach is a malicious driver file identified on computer systems predominantly in Asia, with targeted campaigns against government organizations in Southeast and East Asia, particularly Myanmar and Thailand. This driver, operating in kernel-mode, establishes a persistent presence and actively works to evade detection, injecting a backdoor Trojan into system processes while shielding its own malicious files, user-mode processes, and critical registry keys.
Historical context indicates that nearly all affected victims had prior exposure to other HoneyMyte tools, including the ToneDisk USB worm, PlugX, and earlier iterations of ToneShell. While the initial access vector for these updated attacks remains unclear, it is suspected that the threat actor leveraged previously compromised machines to deploy the kernel-mode driver. The command-and-control (C2) servers for the new ToneShell variant were registered in September 2024, with attacks estimated to have commenced in February 2025. This timeline suggests a period of preparation and refinement by the APT group before deploying their enhanced toolkit.
The primary objective of this sophisticated kernel-mode operation is the injection of a new sample of the ToneShell backdoor. This backdoor facilitates a reverse shell capability and other functions, allowing persistent remote access and control over compromised systems. The use of a kernel-mode driver provides ToneShell with a fortified layer of protection, making it significantly harder for user-mode security solutions to detect and remove.
Dissecting the Kernel-Mode Driver
The malicious driver, often found with the filename “ProjectConfiguration.sys” and its associated service registry key “ProjectConfiguration,” represents a complex piece of malware engineered for stealth and persistence. Its technical design employs several mechanisms to embed itself deeply within the operating system, bypassing conventional security measures.
Compromised Digital Certificate
A key aspect of the driver’s legitimacy in the eyes of the operating system is its digital signature. The driver file is signed with a digital certificate belonging to Guangzhou Kingteller Technology Co., Ltd., identified by the serial number 08 01 CC 11 EB 4D 1D 33 1E 3D 54 0C 55 A4 9F 7F. This certificate was valid from August 2012 until 2015. The use of an old, likely stolen or leaked, digital certificate allows the driver to appear as a legitimate, signed component during its installation and initial execution. The discovery of other unrelated malicious files signed with the same certificate suggests that this certificate has been broadly compromised and utilized by various threat actors for code signing purposes.
Obfuscation and API Resolution
To obscure its internal workings and hinder analysis, the attackers implemented dynamic resolution of required API addresses. This method prevents static analysis from easily identifying the driver’s functions. The malicious driver initially obtains the base addresses of crucial system libraries such as ntoskrnl.exe and fltmgr.sys. It achieves this by invoking ZwQuerySystemInformation with SYSTEM_MODULE_INFORMATION as the SystemInformationClass, then iterating through the returned system information to locate the desired DLLs by name and retrieve their ImageBaseAddress. Following this, a simple hashing algorithm is employed to dynamically resolve the specific API addresses required from these libraries. This technique ensures that the driver’s actual behavior is not immediately apparent, complicating detection by traditional signature-based security tools.
File System Protection
The kernel-mode driver actively defends itself against removal or modification. It achieves this by registering with the Filter Manager via FltRegisterFilter and establishing a pre-operation callback routine. This callback inspects I/O requests for IRP_MJ_SET_INFORMATION operations. When specific FileInformationClass values are detected, indicative of file-delete or file-rename operations, the malicious handler activates. It then verifies if the target file object is associated with the driver itself. If a match is found, the driver forces the operation to fail by setting IOStatus to STATUS_ACCESS_DENIED. The monitored FileInformationClass values include FileRenameInformation, FileDispositionInformation, FileRenameInformationBypassAccessCheck, FileDispositionInformationEx, FileRenameInformationEx, and FileRenameInformationExBypassAccessCheck. This mechanism prevents security tools or system administrators from easily quarantining or deleting the malicious driver file.
Registry Key Defense Mechanisms
Beyond file system protection, the driver also shields its critical registry entries. It constructs a global list of registry paths and parameter names designated for protection, specifically including “ProjectConfiguration,” “ProjectConfiguration\Instances,” and “ProjectConfiguration Instance.” To guard these keys, the malware registers a RegistryCallback routine using CmRegisterCallbackEx.
A critical aspect of this defense is the assignment of an altitude value to the mini-filter driver. Microsoft defines altitude assignments for mini-filters, categorizing them into Load Order groups with predefined ranges. A filter with a lower numerical altitude sits deeper in the I/O stack. The malware uses a hardcoded starting point of 330024 and generates altitude strings in the format 330024.%l, where %l ranges from 0 to 10,000. It attempts to register the callback with the first generated altitude and, if it fails due to STATUS_FLT_INSTANCE_ALTITUDE_COLLISION, it increments the value and retries until an unused altitude is found.
The callback monitors four specific registry operations: RegNtPreCreateKey, RegNtPreOpenKey, RegNtPreCreateKeyEx, and RegNtPreOpenKeyEx. If any of these operations target a key from the protected list, the driver responds with 0xC0000022 (STATUS_ACCESS_DENIED), effectively blocking the action. The malware’s chosen altitude, exceeding the 320000-329999 range designated for the FSFilter Anti-Virus Load Order Group, allows it to intercept file operations before legitimate low-altitude filters, such as antivirus components, can act, thereby circumventing security checks.
Furthermore, the driver directly interferes with Microsoft Defender by locating the registry entry containing the altitude for WdFilter (a key Microsoft Defender driver) and changing it to 0. This action prevents WdFilter from loading into the I/O stack, further degrading system security.
User-Mode Process Shielding
The malicious driver extends its protection to user-mode processes that it manipulates or injects code into. It maintains a list of protected process IDs (PIDs), initially with 32 empty slots that are populated during execution. A status flag indicates whether the list is empty.
The malware utilizes ObRegisterCallbacks to establish two callbacks that intercept process-related operations: OB_OPERATION_HANDLE_CREATE and OB_OPERATION_HANDLE_DUPLICATE. Both callbacks employ a malicious pre-operation routine. This routine determines if the PID of the process involved in the operation exists within the protected list. If a match is found, it sets the DesiredAccess field in the OperationInformation structure to 0, effectively denying any access to that process. This prevents security tools from inspecting or terminating the protected processes.
Additionally, the driver registers a callback routine by calling PsSetCreateProcessNotifyRoutine. These callbacks activate upon every process creation and deletion. The malware’s routine checks if the parent process ID (PPID) of a process being deleted is present in its protected list. If so, the PPID is removed from the list. This mechanism eventually removes the rootkit protection from a process with an injected backdoor once the backdoor has completed its tasks.
Payload Delivery and Injection
The driver is responsible for delivering two user-mode payloads. The first payload initiates an svchost process and injects a small, delay-inducing shellcode. The PID of this new svchost instance is recorded in a file for subsequent use. The second payload, the ToneShell backdoor, is then injected into this same svchost process.
The injection workflow is a multi-step process:
- Target Identification: The malicious driver searches for a high-privilege target process by iterating through PIDs and confirming that each process runs under
SeLocalSystemSid. - First Payload Injection: Once a suitable process is identified, the driver customizes the first payload using random event names, file names, and padding bytes. It then creates a named event and injects the payload by attaching its current thread to the target process, allocating memory, and launching a new thread.
- Process Protection: After injection, the driver waits for the payload to signal the event. It then reads the PID of the newly created
svchostprocess from the generated file and adds it to its protected process list. - Second Payload Injection: The driver similarly customizes the ToneShell backdoor (second payload) with random event names and padding bytes. It creates another named event and injects ToneShell by attaching to the
svchostprocess, allocating memory, and launching a new thread. - Cleanup: Upon ToneShell’s completion, it signals the event. The malware then removes the
svchostPID from the protected list, waits for 10 seconds, and attempts to terminate thesvchostprocess.
ToneShell Backdoor: A Deeper Look
The ToneShell backdoor represents the final stage of this attack chain. While previously associated with HoneyMyte APT operations and documented in sources like Malpedia and MITRE, its current delivery method via a kernel-mode loader signifies a tactical upgrade. This approach provides ToneShell with an unprecedented level of protection from user-mode monitoring and benefits from the rootkit capabilities of its driver, which conceals its activities from many security tools.
Persistence and Host Identification
Earlier variants of ToneShell typically generated a 16-byte GUID using CoCreateGuid for host identification. The new version employs a different method. It checks for the presence of a file named C:\ProgramData\MicrosoftOneDrive.tlb and validates a 4-byte marker within it. If the file is absent or the marker is invalid, the backdoor generates a new pseudo-random 4-byte identifier. This identifier is derived from system-specific values, including the computer name, tick count, and a pseudo-random number generator (PRNG). The backdoor then creates the MicrosoftOneDrive.tlb file and writes this new 4-byte marker, establishing a unique ID for the infected host.
Stealthy C2 Communication
ToneShell communicates with its C2 servers over raw TCP on port 443, employing fake TLS headers to disguise its traffic. This version of ToneShell notably imitates the first three bytes of a TLS 1.3 record (0x17 0x03 0x04), a departure from the TLS 1.2 pattern observed in previous variants. This change reflects an adaptation to contemporary network traffic patterns to blend in more effectively. The C2 domains identified in this campaign include avocadomechanism[.]com and potherbreference[.]com.
The packet layout for C2 communication consists of:
- Header (3 bytes): The fake TLS marker.
- Size (2 bytes): The length of the encrypted payload.
- Payload: The actual data, encrypted using a rolling XOR key.
Command and Control Capabilities
ToneShell offers a range of command and control capabilities, enabling comprehensive remote management of compromised systems. The identified command IDs and their descriptions are:
| Command ID | Description |
|---|---|
| 0x1 | Create temporary file for incoming data |
| 0x2 / 0x3 | Download file |
| 0x4 | Cancel download |
| 0x7 | Establish remote shell via pipe |
| 0x8 | Receive operator command |
| 0x9 | Terminate shell |
| 0xA / 0xB | Upload file |
| 0xC | Cancel upload |
| 0xD | Close connection |
These capabilities grant the attackers extensive control, from data exfiltration and file manipulation to direct remote execution through a reverse shell. The ability to create temporary files, download/upload data, and establish a remote shell makes ToneShell a versatile tool for cyberespionage.
The Broader Implications for Cybersecurity
The HoneyMyte APT’s move to kernel-mode injectors for ToneShell distribution represents a substantial challenge to traditional cybersecurity defenses. Kernel-mode rootkits operate with the highest privileges on a system, allowing them to manipulate core operating system functions, hide their presence, and interfere with security software. This type of attack circumvents many conventional host-based security tools that primarily operate in user-mode.
The use of compromised digital certificates, dynamic API resolution, and sophisticated self-protection mechanisms for files and registry keys demonstrates a commitment to operational security by the threat actor. Furthermore, the ability to disable or bypass legitimate security drivers like Microsoft Defender’s WdFilter signifies a direct attack on system integrity.
The stealth of these operations means that standard breach detection tools may struggle to identify the initial compromise or the persistent presence of the rootkit. The entirely in-memory execution of shellcode for payload injection further complicates detection, making traditional disk-based forensic analysis less effective. Organizations must recognize that threat actors are continually innovating, rendering reliance on static, perimeter-focused defenses increasingly insufficient.
Practical Takeaways and Mitigations
Defending against sophisticated threats like the HoneyMyte APT’s kernel-mode rootkit requires an advanced and integrated approach to cybersecurity. Organizations must move beyond basic security hygiene and implement strategies that address advanced evasion techniques.
For both technical and non-technical readers, understanding the depth of these attacks is crucial for allocating resources and prioritizing defense.
Technical Takeaways
- Advanced Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR): Implement EDR/XDR solutions with strong behavioral analysis capabilities that can detect anomalies at the kernel level. Look for solutions that incorporate
real-time ransomware intelligenceand broader threat intelligence streams to identify suspicious process injections, kernel callbacks, and driver manipulations. - Memory Forensics: Given that the shellcode executes entirely in memory,
memory forensicsbecomes essential for uncovering and analyzing such intrusions. Organizations should develop capabilities for live memory analysis and create memory dumps for post-incident analysis. Detecting injected shellcode is a key indicator of ToneShell’s presence. - Driver Signature Enforcement and Whitelisting: Strictly enforce driver signature requirements. While HoneyMyte used a compromised certificate, robust whitelisting of authorized drivers and monitoring for unusual driver installations or modifications can help.
- Network Segmentation and Monitoring: Implement network segmentation to limit lateral movement. Deploy
cyber threat intelligence platformtools to monitor network traffic for anomalous C2 communications, particularly on non-standard ports or with fake TLS headers, even on common ports like 443.Live ransomware APIcapabilities, while focused on ransomware, often offer similar real-time network traffic analysis that can be adapted to detect other C2 patterns. - Continuous Vulnerability Management and Penetration Testing: Regularly conduct
penetration testingand vulnerability assessments to identify weaknesses that could be exploited for initial access. - Supply Chain Security: Implement robust
supply-chain risk monitoringprotocols. The use of a compromised certificate highlights the need to verify the integrity and provenance of all software components, even those from trusted vendors.
Non-Technical Takeaways and Strategic Considerations
- Intelligence-Driven Defense: Organizations need to integrate comprehensive
cyber threat intelligence platformfeeds into their security operations. This includesdark web monitoring servicecapabilities to detect discussions of new attack techniques, compromised credentials, or leaked certificates.Underground forum intelligenceandtelegram threat monitoringprovide early warnings of new threats and adversary tactics, allowing for proactive defense posture adjustments. - Proactive Threat Hunting: Move from a reactive stance to proactive
breach detectionand threat hunting. This involves actively searching for indicators of compromise (IoCs) and attacker techniques within your environment, rather than waiting for alerts. - Incident Response Planning for Advanced Threats: Update incident response plans to account for kernel-mode rootkits and APT activities. These types of incidents require specialized expertise and tools for containment and eradication.
- Employee Security Awareness: Educate employees about the risks of sophisticated phishing and social engineering campaigns, which are often initial access vectors for APT groups.
- Brand Leak Alerting: Implement
brand leak alertingservices to detect if organizational assets or credentials appear on underground forums or dark web markets, indicating a potential breach or compromise that could be leveraged by APTs.
PurpleOps’ Approach to Advanced Persistent Threats
PurpleOps provides comprehensive solutions designed to address the sophisticated challenges posed by groups like the HoneyMyte APT. Our cyber threat intelligence services offer deep insights into adversary tactics, techniques, and procedures (TTPs), enabling organizations to anticipate and defend against new threats. Through our dark web monitoring and underground forum intelligence capabilities, we actively track threat actor discussions, compromised data, and emerging attack methodologies, providing clients with crucial early warnings.
Our breach detection and red team operations simulate real-world attacks, including those involving kernel-mode rootkits and stealthy payload injection, to identify gaps in existing defenses before adversaries exploit them. We specialize in penetration testing that goes beyond surface-level vulnerabilities, assessing the resilience of systems against advanced evasion techniques. Additionally, our supply-chain information security services help clients mitigate risks associated with compromised third-party components and software integrity. By integrating these services, PurpleOps helps organizations establish a truly robust security posture against the most persistent and technically advanced threats.
For organizations seeking to enhance their defenses against these advanced threats, exploring our platform for comprehensive cybersecurity management and PurpleOps Solutions for tailored solutions is a critical next step. Our expertise extends to understanding and countering sophisticated evasion techniques, providing the clarity and control needed in a complex threat landscape.
Conclusion
The HoneyMyte APT’s adoption of kernel-mode rootkits to protect its ToneShell backdoor marks a significant escalation in offensive capabilities. This shift towards deeply embedded and self-defending malware necessitates a parallel advancement in defensive strategies. Relying on traditional security frameworks alone is insufficient; organizations must adopt an intelligence-driven, proactive, and multi-layered approach that includes advanced detection, robust threat intelligence, and specialized forensic capabilities. Understanding the mechanisms of these sophisticated attacks is the first step towards building a resilient defense.
To learn more about how PurpleOps can help protect your organization from advanced persistent threats and kernel-mode rootkits, explore our platform or PurpleOps Solutions for a detailed consultation.
Frequently Asked Questions
What is a kernel-mode rootkit and why is it significant?
A kernel-mode rootkit operates with the highest privileges on an operating system, allowing it to manipulate core system functions, hide its presence, and interfere with security software. Its significance lies in its ability to evade user-mode security solutions and establish a deep, persistent, and stealthy presence on a compromised system, making detection and removal extremely difficult.
Who is the HoneyMyte APT group?
The HoneyMyte APT group, also known as Mustang Panda or Bronze President, is an advanced persistent threat group. They are known for refining their methods to bypass security controls, and their recent activities involve using kernel-mode rootkits to protect their malicious payloads like the ToneShell backdoor.
What is the ToneShell backdoor used for?
The ToneShell backdoor is a primary payload delivered by the HoneyMyte APT group. It provides attackers with persistent remote access and control over compromised systems. Its capabilities include creating temporary files, downloading and uploading files, and establishing a reverse shell, making it a versatile tool for cyberespionage and data exfiltration.
How does the HoneyMyte rootkit evade detection?
The rootkit employs several evasion techniques: it uses a compromised digital certificate for legitimacy, dynamically resolves API addresses to hinder static analysis, implements file system protection to prevent deletion or modification of its files, shields its critical registry keys, and protects injected user-mode processes from inspection or termination by security tools. It also interferes with legitimate security drivers like Microsoft Defender’s WdFilter.
What are key mitigations against such advanced threats?
Effective mitigations include implementing advanced EDR/XDR solutions with kernel-level behavioral analysis, performing memory forensics, enforcing strict driver signature requirements, network segmentation, and proactive threat hunting. Strategically, organizations should leverage comprehensive threat intelligence platforms, update incident response plans for advanced threats, and educate employees on social engineering risks.