The notorious cyber-espionage group HoneyMyte (also known as Mustang Panda or Bronze President) has dramatically upgraded its arsenal, deploying a sophisticated kernel-mode rootkit to entrench itself deep within government networks in Southeast and East Asia. A new report from Kaspersky Labs details a campaign discovered in mid-2025 that reveals a dangerous evolution in the group’s tactics, prioritizing stealth and resilience above all else.
The campaign, which researchers suspect began in February 2025, heavily targets organizations in Myanmar and Thailand, often re-infecting victims who had previously battled the group’s older tools.
At the heart of this new operation is a malicious driver file named ProjectConfiguration.sys. To get the driver loaded past Windows code-signing enforcement, the attackers signed it with a legitimate but likely stolen digital certificate issued to Guangzhou Kingteller Technology Co., Ltd., a certificate that actually expired in 2015. An expired certificate is still useful to an attacker: Windows continues to accept kernel drivers whose signing certificate predates the July 2015 cut-off of the cross-signing program, and an Authenticode signature that was timestamped remains valid after the certificate itself expires, so a leaked key of that vintage is still a working driver-signing key.
Once installed, the driver doesn’t just sit there; it acts as a bodyguard for the malware. “The driver file… registers as a mini-filter driver on infected machines,” the report explains. “Its end-goal is to inject a backdoor Trojan into the system processes and provide protection for malicious files, user-mode processes, and registry keys”.
By manipulating the “altitude” of system drivers, the numeric position each minifilter occupies in the Filter Manager’s I/O stack, the malware effectively blinds security software. In a brazen move, it even tampers with Microsoft Defender. “The malware tampers with the altitude assigned to WdFilter, a key Microsoft Defender driver… effectively preventing WdFilter from being loaded into the I/O stack”.
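The two host-level tells described above, a WdFilter altitude that no longer matches Microsoft’s allocation and a minifilter image signed with an old or expired certificate, can both be audited from the registry and Filter Manager. The script below is an added example written for this article, not code from the Kaspersky report. It assumes Windows 10/11 run as Administrator; the altitude 328010 is Microsoft’s published allocation for WdFilter.sys, and the “Kingteller” signer pattern comes from the certificate named in the article.

```powershell
# Added example (not from the Kaspersky report): audit minifilter registrations for
# altitude tampering and suspicious driver signatures. Run as Administrator.
$ExpectedWdFilterAltitude = '328010'       # Microsoft's allocated altitude for WdFilter.sys
$SuspectSignerPattern     = 'Kingteller'   # subject string from the certificate named in the article
$Services = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Resolve-DriverImagePath([string]$ImagePath) {
    # Normalise the ImagePath forms found in the registry to a filesystem path.
    if (-not $ImagePath) { return $null }
    $p = $ImagePath -replace '^\\\?\?\\', ''                       # \??\C:\x.sys  -> C:\x.sys
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"          # \SystemRoot\... -> C:\Windows\...
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }  # system32\drivers\x.sys
    return $p
}

function Get-MinifilterRegistrations {
    # Only minifilters carry an Instances subkey; each instance holds the Altitude value.
    foreach ($svc in Get-ChildItem $Services -ErrorAction SilentlyContinue) {
        $instances = Join-Path $svc.PSPath 'Instances'
        if (-not (Test-Path $instances)) { continue }
        $image = Resolve-DriverImagePath (Get-ItemProperty $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
        foreach ($inst in Get-ChildItem $instances -ErrorAction SilentlyContinue) {
            $alt = (Get-ItemProperty $inst.PSPath -ErrorAction SilentlyContinue).Altitude
            if ($null -eq $alt) { continue }
            [pscustomobject]@{ Service = $svc.PSChildName; Instance = $inst.PSChildName
                               Altitude = [string]$alt;   Image = $image }
        }
    }
}

$regs = @(Get-MinifilterRegistrations)
$findings = New-Object System.Collections.Generic.List[string]

# 1. WdFilter's altitude must be the Microsoft-allocated value; any other value is tampering.
$wd = @($regs | Where-Object Service -eq 'WdFilter')
if ($wd.Count -eq 0) {
    $findings.Add('WdFilter has no minifilter instance registered at all')
} elseif ($wd.Altitude -notcontains $ExpectedWdFilterAltitude) {
    $findings.Add("WdFilter altitude is '$($wd.Altitude -join ',')', expected $ExpectedWdFilterAltitude")
}

# 2. Two filters claiming the same altitude: Filter Manager refuses to attach the later one.
$regs | Group-Object Altitude | Where-Object Count -gt 1 | ForEach-Object {
    $findings.Add("altitude $($_.Name) claimed by: $(($_.Group.Service | Sort-Object -Unique) -join ', ')")
}

# 3. Being registered is not the same as being loaded: ask Filter Manager directly.
$loaded = (& fltmc.exe filters 2>$null) -match '^WdFilter\s'
if (-not $loaded) { $findings.Add('fltmc does not list WdFilter as a loaded filter') }

# 4. Signature check on every minifilter image. Status 'Valid' alone is not enough: a
#    timestamped signature stays valid after its certificate expires, so inspect the
#    certificate's own expiry date and subject too.
foreach ($r in $regs | Sort-Object Image -Unique) {
    if (-not ($r.Image -and (Test-Path $r.Image))) { $findings.Add("$($r.Service): image missing at '$($r.Image)'"); continue }
    $sig  = Get-AuthenticodeSignature -FilePath $r.Image
    $cert = $sig.SignerCertificate
    if ($sig.Status -ne 'Valid') {
        $findings.Add("$($r.Service): signature status $($sig.Status) on $($r.Image)")
    } elseif ($cert.NotAfter -lt (Get-Date)) {
        $findings.Add("$($r.Service): signed with a certificate that expired $($cert.NotAfter.ToShortDateString()) ($($cert.Subject))")
    }
    if ($cert -and $cert.Subject -match $SuspectSignerPattern) { $findings.Add("$($r.Service): signer matches '$SuspectSignerPattern'") }
}

if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No minifilter anomalies found.' }
```

An expired signing certificate on its own is a triage cue rather than proof: Microsoft’s own driver certificates expire too and their timestamped signatures remain valid, which is exactly why the script reports the certificate subject alongside the date. The altitude and fltmc checks are the stronger signals, since a healthy system always has WdFilter registered at 328010 and listed as loaded.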
The ultimate goal of this complex setup is to deploy ToneShell, the group’s signature backdoor. However, the delivery method has changed significantly.
“Notably, this is the first time we’ve seen ToneShell delivered through a kernel-mode loader, giving it protection from user-mode monitoring,” Kaspersky researchers noted.
The new variant is designed to blend in with legitimate network traffic. It communicates with command-and-control (C2) servers—such as avocadomechanism[.]com—using fake TLS 1.3 headers, disguising its data exfiltration as secure web traffic.
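What “fake TLS” framing means in practice: a TLS 1.3 record on the wire is a five-byte header (content type, the legacy version 0x0303, a two-byte length) followed by that many bytes, and application data carries type 0x17. A backdoor can prepend such headers to its own protocol so the stream superficially resembles an encrypted session. The article does not give ToneShell’s exact framing, so the script below is an added example for this article, not a ToneShell fingerprint and not code from the Kaspersky report. It shows the structural property a defender can test on a captured client-to-server byte stream: a genuine TLS session begins with a Handshake record carrying a ClientHello, and every record header must account for bytes that actually follow. The sample streams are constructed for the example.

```powershell
# Added example (not from the Kaspersky report): structural sanity check for byte streams
# that claim to be TLS. Does not fingerprint ToneShell; the article gives no exact framing.

function Split-TlsRecords([byte[]]$Data) {
    # One object per 5-byte TLS record header; throws on anything that does not parse.
    $records = @()
    $off = 0
    while ($off -lt $Data.Length) {
        if ($Data.Length - $off -lt 5) { throw "truncated record header at offset $off" }
        $type = [int]$Data[$off]
        $ver  = ([int]$Data[$off + 1] -shl 8) -bor [int]$Data[$off + 2]
        $len  = ([int]$Data[$off + 3] -shl 8) -bor [int]$Data[$off + 4]
        if ($type -notin 0x14, 0x15, 0x16, 0x17) { throw ('bad content type 0x{0:x2} at offset {1}' -f $type, $off) }
        if ($ver -notin 0x0301, 0x0302, 0x0303)  { throw ('implausible record version 0x{0:x4}' -f $ver) }
        # 2^14 plaintext + 256 bytes protection overhead is the TLS 1.3 ceiling per record
        if ($len -eq 0 -or $len -gt 16640 -or $off + 5 + $len -gt $Data.Length) { throw "record length $len does not fit at offset $off" }
        $records += [pscustomobject]@{ Type = $type; Version = $ver; Body = [byte[]]$Data[($off + 5)..($off + 4 + $len)] }
        $off += 5 + $len
    }
    return ,$records
}

function Test-TlsClientFlight([byte[]]$Data) {
    # Real client-to-server TLS starts with a Handshake record (0x16) whose first message is a ClientHello (0x01).
    $fail = { param($why) [pscustomobject]@{ Ok = $false; Reason = $why } }
    try { $records = Split-TlsRecords $Data } catch { return (& $fail $_.Exception.Message) }
    if ($records.Count -eq 0) { return (& $fail 'empty stream') }
    $first = $records[0]
    if ($first.Type -ne 0x16) { return (& $fail ('first record is type 0x{0:x2}, not a Handshake' -f $first.Type)) }
    $body = $first.Body
    if ($body.Length -lt 4 -or $body[0] -ne 0x01) { return (& $fail 'first handshake message is not a ClientHello') }
    $hsLen = ([int]$body[1] -shl 16) -bor ([int]$body[2] -shl 8) -bor [int]$body[3]
    if ($hsLen -ne $body.Length - 4) { return (& $fail "ClientHello length $hsLen does not match record body $($body.Length - 4)") }
    if ($body.Length -lt 4 + 2 + 32 + 1) { return (& $fail 'ClientHello too short to hold version, random and session_id') }
    [pscustomobject]@{ Ok = $true; Reason = 'handshake-first stream with a well-formed ClientHello' }
}

function New-ClientHelloRecord {
    # Constructed minimal ClientHello: legacy_version, 32-byte random, empty session_id,
    # one cipher suite (TLS_AES_128_GCM_SHA256), null compression, no extensions.
    [byte[]]$hello = @(0x03, 0x03) + @(0x11) * 32 + @(0x00) + @(0x00, 0x02, 0x13, 0x01) + @(0x01, 0x00) + @(0x00, 0x00)
    [byte[]]$hs    = @(0x01, 0x00, 0x00, $hello.Length) + $hello      # handshake type + 3-byte length
    [byte[]]$rec   = @(0x16, 0x03, 0x01, 0x00, $hs.Length) + $hs      # record header; 0x0301 is what TLS 1.3 clients send here
    return ,$rec
}

# Constructed samples: a real-looking client flight, an application-data-only stream wearing
# TLS 1.3 record headers, and a header whose length field is not backed by data.
$Samples = [ordered]@{
    RealFlight = New-ClientHelloRecord
    FakeTls    = [byte[]](@(0x17, 0x03, 0x03, 0x00, 0x0c) + [System.Text.Encoding]::ASCII.GetBytes('beacon-data!'))
    Truncated  = [byte[]]@(0x17, 0x03, 0x03, 0xff, 0xff, 0x41, 0x41, 0x41)
}
foreach ($s in $Samples.GetEnumerator()) {
    $r = Test-TlsClientFlight $s.Value
    '{0,-11} ok={1,-5} {2}' -f $s.Key, $r.Ok, $r.Reason
}
```

The check is deliberately limited to what the record layer guarantees: once a real handshake completes, application data is encrypted and nothing about its contents can be verified from the bytes alone, so a backdoor that also replays a plausible ClientHello would pass it. Treat it as a first-pass filter over packet captures; at a network sensor the same idea is better served by TLS parsers that validate the full handshake and by client fingerprinting such as JA3/JA4.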
The choice of targets and tools points clearly to a familiar adversary. “We assess with high confidence that the activity described in this report is linked to the HoneyMyte threat actor,” the report states, citing the use of ToneShell alongside other known tools like PlugX and the ToneDisk USB worm.
The campaign appears to be a concerted effort to maintain long-term access to high-value intelligence targets. “HoneyMyte’s 2025 operations show a noticeable evolution toward using kernel-mode injectors to deploy ToneShell, improving both stealth and resilience”.
Because the malware executes entirely in memory and hides behind a kernel driver, traditional detection methods may fail. Defenders are warned that “memory forensics becomes essential for uncovering and analyzing this intrusion”.