ALL POSTS

Key Findings HoneyMyte, also known as Mustang Panda or Bronze President, has deployed a sophisticated kernel-mode rootkit to infiltrate government networks in Southeast and East Asia. The rootkit, named ProjectConfiguration.sys, is signed with a stolen digital certificate to bypass security checks. The rootkit acts as a "bodyguard" for HoneyMyte's malware, including the group's signature backdoor ToneShell, by manipulating driver loading order to blind security software like

Key Findings Mustang Panda (aka HoneyMyte, Camaro Dragon, RedDelta, Bronze President) used a signed kernel-mode rootkit driver to deploy its ToneShell backdoor in attacks targeting government entities in Southeast and East Asia, especially Myanmar and Thailand. The driver file, named "ProjectConfiguration.sys", is signed with a stolen or leaked digital certificate from Guangzhou Kingteller Technology Co., Ltd. (serial number 08 01 CC 11 EB 4D 1D 33 1E 3D 54 0C 55 A4 9F 7F). T