Kernel Hijack: How HoneyMyte Weaponized a Rootkit to Target Asian Governments
- Jan 1
Key Findings
HoneyMyte, also known as Mustang Panda or Bronze President, has deployed a sophisticated kernel-mode rootkit to infiltrate government networks in Southeast and East Asia.
The rootkit, named ProjectConfiguration.sys, is signed with a stolen digital certificate to bypass security checks.
The rootkit acts as a "bodyguard" for HoneyMyte's malware, including the group's signature backdoor ToneShell, by manipulating driver loading order to blind security software like Microsoft Defender.
The new variant of ToneShell is designed to blend in with legitimate network traffic using fake TLS 1.3 headers, making it harder to detect.
The campaign targets organizations in Myanmar and Thailand, often re-infecting victims who had previously battled the group's older tools.
Background
HoneyMyte, also known as Mustang Panda or Bronze President, is a notorious cyber-espionage group that has been active in Southeast and East Asia for several years. The group is known for its targeted attacks against government and military organizations in the region.
Kernel-Mode Rootkit: ProjectConfiguration.sys
The core of HoneyMyte's new campaign is a malicious driver file named ProjectConfiguration.sys. To bypass security checks, the attackers signed the driver with a legitimate but likely stolen digital certificate issued to Guangzhou Kingteller Technology Co., Ltd., which had expired in 2015.
Once installed, the driver acts as a "bodyguard" for HoneyMyte's malware. It registers as a mini-filter driver on infected machines and manipulates the "altitude" (load order) of system drivers to effectively blind security software, including Microsoft Defender.
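A practical host-side check for the altitude manipulation described above is to baseline the minifilters attached to the file system and flag any that is unexpected or sits above Defender's WdFilter in the stack, since a filter with a higher altitude processes I/O before the filters below it. The following Python is an added example, not code from the article or from any vendor; the `fltmc filters` output it parses is constructed (the rogue filter name and its altitude are invented for illustration and are not a HoneyMyte indicator), and the baseline set is a hypothetical allow-list an organisation would build from clean hosts.

```python
"""Parse `fltmc filters` output and flag minifilters that are not in a known
baseline or that sit above Microsoft Defender's WdFilter in the I/O stack.
Added example; the sample output below is constructed, not captured."""
import re
from dataclasses import dataclass

# Altitude Microsoft registers for WdFilter (Defender's file-system minifilter).
WDFILTER_ALTITUDE = 328010.0

# Hypothetical baseline of filter names expected on a clean host (assumption).
BASELINE = {"bindflt", "WdFilter", "storqosflt", "luafv", "Wof", "FileInfo"}

# Constructed `fltmc filters` output; "SampleRogueFilter" is invented.
SAMPLE_FLTMC_OUTPUT = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
bindflt                                 1       409800         0
SampleRogueFilter                       4       328011         0
WdFilter                                4       328010         0
storqosflt                              0       244000         0
luafv                                   1       135000         0
Wof                                     3       40700          0
FileInfo                                4       40500          0
"""

# One data row: name, instance count, altitude (may be fractional), frame.
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+(?:\.\d+)?)\s+(\d+)$")


@dataclass
class MiniFilter:
    name: str
    instances: int
    altitude: float
    frame: int


def parse_fltmc(text):
    """Return the data rows of `fltmc filters` as MiniFilter objects."""
    filters = []
    for line in text.splitlines():
        match = ROW_RE.match(line.strip())
        if match:  # header and separator lines do not match the row pattern
            name, inst, alt, frame = match.groups()
            filters.append(MiniFilter(name, int(inst), float(alt), int(frame)))
    return filters


def wdfilter_loaded(filters):
    """True if Defender's minifilter is present at all (a hijack may unload it)."""
    return any(f.name == "WdFilter" for f in filters)


def flag_suspicious(filters, baseline=BASELINE):
    """Map each non-baseline filter name to the reasons it was flagged."""
    findings = {}
    for f in filters:
        if f.name in baseline:
            continue
        reasons = ["name not in baseline"]
        if f.altitude > WDFILTER_ALTITUDE:
            reasons.append(
                f"altitude {f.altitude:g} is above WdFilter ({WDFILTER_ALTITUDE:g}), "
                "so it sees file I/O before Defender does"
            )
        findings[f.name] = reasons
    return findings


if __name__ == "__main__":
    loaded = parse_fltmc(SAMPLE_FLTMC_OUTPUT)
    print("WdFilter loaded:", wdfilter_loaded(loaded))
    for name, reasons in flag_suspicious(loaded).items():
        print(name, "->", "; ".join(reasons))
```

On a live host the text would come from `subprocess.run(["fltmc", "filters"], capture_output=True, text=True).stdout` run from an elevated prompt; the value of the check is the baseline, so build it from known-clean machines rather than from a host under investigation.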
ToneShell Backdoor Deployment
The ultimate goal of this complex setup is to deploy ToneShell, HoneyMyte's signature backdoor. However, the delivery method has changed significantly, with the new variant designed to blend in with legitimate network traffic using fake TLS 1.3 headers.
Targeting and Geographical Focus
The campaign appears to be a concerted effort to maintain long-term access to high-value intelligence targets, primarily in Myanmar and Thailand. Researchers suspect the campaign began in February 2025 and often re-infects victims who had previously battled the group's older tools.
Threat Actor Attribution
The researchers at Kaspersky Labs assess with high confidence that the activity described in the report is linked to the HoneyMyte threat actor, citing the use of ToneShell alongside other known tools like PlugX and the ToneDisk USB worm.
Implications for Defenders
The new kernel-mode rootkit and delivery method pose significant challenges for traditional detection methods. Defenders are warned that memory forensics is essential for uncovering and analyzing this intrusion, as the malware executes entirely in memory and hides behind a kernel driver.
Sources
https://securityonline.info/the-ghost-in-the-kernel-how-honeymyte-weaponized-a-rootkit-to-hijack-asian-governments/
https://www.threads.com/@harboot/post/DS9Gf6CDgIT/honeymyte-uses-a-kernel-mode-rootkit-projectconfigurationsys-signed-with-stolen-