{"id":33095,"date":"2025-12-29T04:36:02","date_gmt":"2025-12-29T04:36:02","guid":{"rendered":"http:\/\/localhost\/?p=33095"},"modified":"2025-12-29T04:36:02","modified_gmt":"2025-12-29T04:36:02","slug":"the-honeymyte-apt-evolves-with-a-kernel-mode-rootkit-and-a-toneshell-backdoor","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=33095","title":{"rendered":"The HoneyMyte APT evolves with a kernel-mode rootkit and a ToneShell backdoor_SECURELIST:B5428742768FD8555C1F64A00D7F2C16"},"content":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2025-12-29T10:05:13&#8243;,&#8221;description&#8221;:&#8221;![](https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/24125431\/SL-HoneyMyte-featured-02-990&#215;400.png)\\n\\n## Overview of the attacks\\n\\nIn mid-2025, we identified a malicious driver file on computer systems in Asia. The driver file is signed with an old, stolen, or leaked digital certificate and registers as a mini-filter driver on infected machines. Its end-goal is to inject a backdoor Trojan into the system processes and provide protection for malicious files, user-mode processes, and registry keys.\\n\\nOur analysis indicates that the final payload injected by the driver is a new sample of the ToneShell backdoor, which connects to the attacker&#8217;s servers and provides a reverse shell, along with other capabilities. The ToneShell backdoor is a tool known to be used exclusively by the HoneyMyte (aka Mustang Panda or Bronze President) APT actor and is often used in cyberespionage campaigns targeting government organizations, particularly in Southeast and East Asia.\\n\\nThe command-and-control servers for the ToneShell backdoor used in this campaign were registered in September 2024 via NameCheap services, and we suspect the attacks themselves to have begun in February 2025. 
We&#8217;ve observed through our telemetry that the new ToneShell backdoor is frequently employed in cyberespionage campaigns against government organizations in Southeast and East Asia, with Myanmar and Thailand being the most heavily targeted.\\n\\nNotably, nearly all affected victims had previously been infected with other HoneyMyte tools, including the ToneDisk USB worm, PlugX, and older variants of ToneShell. Although the initial access vector remains unclear, it&#8217;s suspected that the threat actor leveraged previously compromised machines to deploy the malicious driver.\\n\\n## Compromised digital certificate\\n\\nThe driver file is signed with a digital certificate from **Guangzhou Kingteller Technology Co., Ltd.** , with a serial number of **08 01 CC 11 EB 4D 1D 33 1E 3D 54 0C 55 A4 9F 7F**. The certificate was valid from August 2012 until 2015.\\n\\nWe found multiple other malicious files signed with the same certificate which didn&#8217;t show any connections to the attacks described in this article. Therefore, we believe that other threat actors have been using it to sign their malicious tools as well. The following image shows the details of the certificate.\\n\\n![](https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/23183618\/honeymyte-kernel1.png)\\n\\n## Technical details of the malicious driver\\n\\nThe filename used for the driver on the victim&#8217;s machine is **ProjectConfiguration.sys**. The registry key created for the driver&#8217;s service uses the same name, **ProjectConfiguration.**\\n\\nThe malicious driver contains two user-mode shellcodes, which are embedded into the .data section of the driver&#8217;s binary file. The shellcodes are executed as separate user-mode threads. 
The rootkit functionality protects both the driver&#8217;s own module and the user-mode processes into which the backdoor code is injected, denying access to them from any other process on the system.\\n\\n### API resolution\\n\\nTo obscure the driver&#8217;s real behavior from static analysis, the attackers resolve the API addresses they need at runtime from hash values rather than importing them by name.\\n\\nThe malicious driver first retrieves the base addresses of **ntoskrnl.exe** and **fltmgr.sys** by calling **ZwQuerySystemInformation** with the **SystemInformationClass** set to **SystemModuleInformation**, which returns a **SYSTEM_MODULE_INFORMATION** list of the loaded kernel modules. It then iterates through this list, searches for the desired modules by name, and notes the **ImageBaseAddress** of each.\\n\\nOnce the module base addresses are known, the driver walks each module&#8217;s export table and uses a simple hashing algorithm to match exported names against its hardcoded hashes, resolving the required API addresses from **ntoskrnl.exe** and **fltmgr.sys** without leaving a readable import table behind.\\n\\nThe hashing algorithm is shown below. The two variants of the seed value provided in the comment are used in the shellcodes and the final payload of the attack.\\n\\n![](https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/23183721\/honeymyte-kernel2.png)\\n\\n### Protection of the driver file\\n\\nThe malicious driver registers itself with the Filter Manager using **FltRegisterFilter** and sets up a pre-operation callback. This callback inspects I\/O requests for **IRP_MJ_SET_INFORMATION** and passes control to a malicious handler when certain **FileInformationClass** values are detected. The handler then checks whether the targeted file object refers to the driver&#8217;s own file; if it does, it fails the request from the pre-operation callback by setting the **IoStatus** status to **STATUS_ACCESS_DENIED** and returning **FLT_PREOP_COMPLETE**, so the request never reaches the file system. 
The relevant **FileInformationClass** values include:\\n\\n  * FileRenameInformation\\n  * FileDispositionInformation\\n  * FileRenameInformationBypassAccessCheck\\n  * FileDispositionInformationEx\\n  * FileRenameInformationEx\\n  * FileRenameInformationExBypassAccessCheck\\n\\nThese classes cover every way a file can be deleted or renamed through the I\/O manager, including the Ex variants added in Windows 10 and the kernel-only BypassAccessCheck variants. By failing them, the driver prevents its own file from being removed or renamed \u2013 exactly the actions security tools attempt when quarantining it. The protection only holds while the filter is loaded; an offline scan or a boot from recovery media is unaffected.\\n\\n### Protection of registry keys\\n\\nThe driver also builds a global list of registry paths and value names that it intends to protect. This list contains the following entries:\\n\\n  * **ProjectConfiguration**\\n  * **ProjectConfiguration\\\\Instances**\\n  * **ProjectConfiguration Instance**\\n\\nThese are the driver&#8217;s service key, its **Instances** subkey, and the default instance subkey that holds the minifilter&#8217;s own **Altitude** and **Flags** values \u2013 the keys an administrator would have to delete to stop the driver from loading at the next boot.\\n\\nTo guard these keys, the malware sets up a **RegistryCallback** routine, registering it through **CmRegisterCallbackEx**. That call requires an _altitude_ string, which orders registry callbacks in the same way minifilter altitudes order file-system filters. Microsoft allocates altitudes to vendors from predefined Load Order Group ranges; a callback or filter with a lower numerical altitude sits below those with higher altitudes and is invoked after them for pre-operation notifications. Rather than using an assigned value, the malware uses a hardcoded starting point of **330024** and generates altitude strings in the format **330024.%l**, where _%l_ ranges from 0 to 10,000.\\n\\nThe malware then attempts to register the callback with the first generated altitude. If the registration fails with **STATUS_FLT_INSTANCE_ALTITUDE_COLLISION**, meaning the altitude is already taken, it increments the value and retries, repeating until it finds an unused altitude.\\n\\nThe callback monitors four registry operations. Whenever one of them targets a key from the protected list, the callback returns **0xC0000022 (STATUS_ACCESS_DENIED)**, which makes the configuration manager fail the operation before it touches the registry. 
The monitored operations are:\\n\\n  * **RegNtPreCreateKey**\\n  * **RegNtPreOpenKey**\\n  * **RegNtPreCreateKeyEx**\\n  * **RegNtPreOpenKeyEx**\\n\\nDenying the open or create of the key is sufficient, because every later operation on a key (setting values, enumerating, deleting) needs a handle obtained that way; the non-Ex and Ex pairs cover both the legacy and the Vista-and-later notification classes. As with the file protection, this only holds while the driver is running and does not cover offline hive editing.\\n\\nMicrosoft designates the **320000\u2013329999** altitude range for the _FSFilter Anti-Virus_ Load Order Group. The malware&#8217;s chosen altitude of 330024 lies just above this range, in a band that Microsoft has not assigned to any group. Since callbacks and filters with lower altitudes sit deeper in the stack and are invoked later, the malicious driver&#8217;s callback runs before those registered by antivirus products, allowing it to deny the operation before a security product ever sees it.\\n\\nFinally, the malware tampers with the altitude assigned to **WdFilter**, the Microsoft Defender minifilter. It locates the registry value holding the driver&#8217;s altitude (the **Altitude** value under WdFilter&#8217;s **Instances** subkey, normally **328010**) and changes it to **0**, effectively preventing WdFilter from being loaded into the I\/O stack. Two practical checks follow from this: on a suspect host, **fltmc filters** should list WdFilter at its normal altitude, and a loaded filter at altitude 0 or in an unassigned band such as 330000\u2013339999 deserves attention.\\n\\n### Protection of user-mode processes\\n\\nThe malware sets up a list intended to hold protected process IDs (PIDs). It begins with 32 empty slots, which are filled as needed during execution. A status flag is also initialized and set to 1 to indicate that the list starts out empty.\\n\\nNext, the malware uses **ObRegisterCallbacks** to register two callbacks that intercept process-related operations. These callbacks apply to both **OB_OPERATION_HANDLE_CREATE** and **OB_OPERATION_HANDLE_DUPLICATE**, and both use the same malicious pre-operation routine.\\n\\nThis routine checks whether the process that is the target of the operation has a PID that appears in the protected list. If so, it sets the **DesiredAccess** field of the operation&#8217;s parameters (**CreateHandleInformation** or **DuplicateHandleInformation** in the **OB_PRE_OPERATION_INFORMATION** structure) to 0, so the handle is returned with no access rights and the process cannot be read, written, suspended or terminated through it.\\n\\nThe malware also registers a callback routine by calling **PsSetCreateProcessNotifyRoutine**. These callbacks are triggered during every process creation and deletion on the system. 
The malware&#8217;s notify routine checks whether the parent process ID (PPID) of a process that is exiting appears in the protected list; if it does, the malware removes that PPID from the list. This eventually lifts the rootkit protection from the process hosting the injected backdoor, once the backdoor has fulfilled its responsibilities.\\n\\n### Payload injection\\n\\nThe driver delivers two user-mode payloads.\\n\\n**The first payload** spawns an _svchost_ process and injects a small delay-inducing shellcode into it. The PID of this new _svchost_ instance is written to a file for later use.\\n\\n**The second payload** is the final component \u2013 the ToneShell backdoor \u2013 and is later injected into that same _svchost_ process.\\n\\n**Injection workflow:**\\n\\n![](https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2025\/12\/23184107\/honeymyte-kernel3.png)\\n\\nThe malicious driver searches for a high-privilege target process by iterating through PIDs and checking whether each process exists and runs under `SeLocalSystemSid`. Once it finds one, it customizes the first payload with random event names, file names, and padding bytes, then creates a named event and injects the payload by attaching its current thread to the process, allocating memory, and launching a new thread.\\n\\nAfter injection, it waits for the payload to signal the event, reads the PID of the newly created _svchost_ process from the generated file, and adds it to its protected process list. It then customizes the second payload (ToneShell) in the same way, using a random event name and random padding bytes, creates a named event, and injects the payload by attaching to the _svchost_ process, allocating memory, and launching a new thread.\\n\\nOnce the ToneShell backdoor finishes execution, it signals the event. 
The malware then removes the _svchost_ PID from the protected list, waits 10 seconds, and attempts to terminate the process.\\n\\n## ToneShell backdoor\\n\\nThe final stage of the attack deploys **ToneShell**, a backdoor previously linked to operations by the HoneyMyte APT group and discussed in earlier reporting (see Malpedia and MITRE). Notably, this is the first time we&#8217;ve seen ToneShell delivered through a **kernel-mode loader**: the backdoor never exists on disk as a file of its own, and the driver&#8217;s rootkit capabilities shield the host process from user-mode monitoring and from security tools that would otherwise inspect or terminate it.\\n\\nEarlier ToneShell variants generated a 16-byte GUID using `CoCreateGuid` and stored it as a host identifier. In contrast, this version checks for a file named `C:\\\\ProgramData\\\\MicrosoftOneDrive.tlb`, validating a 4-byte marker inside it. If the file is absent or the marker is invalid, the backdoor derives a new pseudo-random 4-byte identifier from system-specific values (computer name, tick count, and PRNG output), then creates the file and writes the marker. This becomes the unique ID for the infected host, and the file itself is a convenient host-based indicator.\\n\\nThe samples we have analyzed contact two command-and-control servers:\\n\\n  * **avocadomechanism[.]com**\\n  * **potherbreference[.]com**\\n\\nToneShell communicates with its C2 over raw TCP on port 443 while disguising traffic using **fake TLS headers**. This version imitates the first bytes of a TLS 1.3 record (`0x17 0x03 0x04`) instead of the TLS 1.2 pattern (`0x17 0x03 0x03`) used previously. The imitation is imperfect: a genuine TLS 1.3 connection still writes `0x0303` into the record-layer version field (the `legacy_record_version` of RFC 8446), so `0x17 0x03 0x04` never appears on the wire in real TLS and is a reliable network signature for this variant, as is application-data framing on port 443 with no preceding ClientHello. After this three-byte marker, each packet contains a size field and an encrypted payload.\\n\\n**Packet layout:**\\n\\n  * **Header (3 bytes):** Fake TLS marker\\n  * **Size (2 bytes):** Payload length\\n  * **Payload:** Encrypted with a rolling XOR key\\n\\nThe backdoor supports a set of remote operations, including file upload\/download, remote shell functionality, and session control. 
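To make the framing concrete, here is an added example, not code from the Securelist report or from the malware itself: a Python parser for the fake-TLS record layout described above, with the version-field check a network sensor would apply. It assumes the 2-byte size field is big-endian like a genuine TLS record length (the write-up does not say), the sample stream is constructed rather than captured, and the payloads are left as-is because the rolling-XOR key schedule is not documented here.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Record-layer constants. Real TLS 1.2 and TLS 1.3 application-data records both
# start with 0x17 0x03 0x03 (TLS 1.3 keeps legacy_record_version = 0x0303,
# RFC 8446 section 5.1). The ToneShell variant writes 0x17 0x03 0x04 instead.
TLS_APPLICATION_DATA = 0x17
TLS_RECORD_VERSION = 0x0303
TONESHELL_RECORD_VERSION = 0x0304
HEADER_LEN = 5  # 1-byte content type + 2-byte version + 2-byte length


@dataclass
class Record:
    content_type: int
    version: int
    payload: bytes  # still XOR-encrypted; the rolling key is not documented here

    @property
    def fake_tls(self) -> bool:
        """True when the record carries the ToneShell marker rather than a real TLS version."""
        return (self.content_type == TLS_APPLICATION_DATA
                and self.version == TONESHELL_RECORD_VERSION)


def build_record(payload: bytes, version: int = TONESHELL_RECORD_VERSION) -> bytes:
    """Frame a payload as the write-up describes: 3-byte marker, 2-byte length, payload.
    Assumption: the length is big-endian, matching a real TLS record header."""
    if len(payload) > 0xFFFF:
        raise ValueError("payload does not fit a 2-byte length field")
    return struct.pack("!BHH", TLS_APPLICATION_DATA, version, len(payload)) + payload


def parse_records(stream: bytes) -> Tuple[List[Record], bytes]:
    """Split a reassembled TCP stream into records.

    Returns the complete records plus any trailing bytes that do not yet form a whole
    record (a header whose length field promises more than has arrived), so a caller
    feeding segments one at a time can buffer them and resume on the next segment.
    """
    records: List[Record] = []
    off = 0
    while len(stream) - off >= HEADER_LEN:
        ctype, version, length = struct.unpack_from("!BHH", stream, off)
        if len(stream) - off - HEADER_LEN < length:
            break  # partial record: leave it for the next call
        payload = stream[off + HEADER_LEN: off + HEADER_LEN + length]
        records.append(Record(ctype, version, payload))
        off += HEADER_LEN + length
    return records, stream[off:]


def assess_session(stream: bytes) -> dict:
    """Summarise what a session looks like to a detector.

    A genuine TLS session opens with a handshake record (content type 0x16, the
    ClientHello); ToneShell goes straight to application-data framing, so both
    "first byte is not 0x16" and "version field is 0x0304" are tells.
    """
    records, leftover = parse_records(stream)
    return {
        "records": len(records),
        "fake_tls_records": sum(1 for r in records if r.fake_tls),
        "starts_with_handshake": stream[:1] == b"\x16",
        "leftover_bytes": len(leftover),
    }


# Constructed sample (not captured traffic): one record that looks like real TLS,
# two ToneShell-style records, then a header promising 16 bytes but delivering 2.
SAMPLE_STREAM = (
    build_record(b"\x00" * 8, version=TLS_RECORD_VERSION)
    + build_record(b"\xde\xad\xbe\xef")
    + build_record(b"\x01\x02\x03")
    + bytes.fromhex("1703040010aabb")
)

if __name__ == "__main__":
    print(assess_session(SAMPLE_STREAM))
```

The same two checks map directly onto a network rule: the bytes `17 03 04` at offset 0 of a TCP/443 session, or any session on 443 whose first record is not a `0x16` handshake. Keeping the partial-record remainder matters in practice because C2 records routinely straddle TCP segment boundaries.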
The command set includes:\\n\\n**Command ID** | **Description**\\n---|---\\n0x1 | Create temporary file for incoming data\\n0x2 \/ 0x3 | Download file\\n0x4 | Cancel download\\n0x7 | Establish remote shell via pipe\\n0x8 | Receive operator command\\n0x9 | Terminate shell\\n0xA \/ 0xB | Upload file\\n0xC | Cancel upload\\n0xD | Close connection\\n\\n## Conclusion\\n\\nWe assess with high confidence that the activity described in this report is linked to the **HoneyMyte** threat actor. This conclusion is supported by the use of the **ToneShell** backdoor as the final-stage payload, as well as the presence of additional tools long associated with HoneyMyte \u2013 such as **PlugX** and the **ToneDisk** USB worm \u2013 on the impacted systems.\\n\\nHoneyMyte&#8217;s 2025 operations show a noticeable evolution toward using **kernel-mode injectors** to deploy ToneShell, improving both stealth and resilience. In this campaign, we observed a new ToneShell variant delivered through a kernel-mode driver that carries the backdoor in its own .data section and injects it straight from memory. To further conceal its activity, the driver first injects a small user-mode stager that spawns an _svchost_ host process, and only then injects ToneShell into that process, so the backdoor runs inside a legitimately named system process. The driver also combines hash-based API resolution, a minifilter pre-operation callback, a registry callback, object-manager callbacks and a process-notification routine to hide its imports and to deny access to its file, its registry keys and the injected process, ultimately strengthening the backdoor&#8217;s defenses.\\n\\nBecause the shellcode executes entirely in memory, **memory forensics** becomes essential for uncovering and analyzing this intrusion. 
Detecting the injected shellcode in the _svchost_ host process is a key indicator of ToneShell&#8217;s presence on compromised hosts.\\n\\n## Recommendations\\n\\nTo protect themselves against this threat, organizations should:\\n\\n  * Implement robust network security measures, such as firewalls and intrusion detection systems, and use them to flag TCP\/443 sessions that carry application-data records without a TLS handshake or with the `0x17 0x03 0x04` marker described above.\\n  * Use advanced threat detection tools, such as endpoint detection and response (EDR) solutions, and alert on kernel drivers signed with expired or known-abused certificates, on newly registered minifilter services, and on changes to minifilter **Altitude** values, WdFilter&#8217;s in particular.\\n  * Provide regular security awareness training to employees.\\n  * Conduct regular security audits and vulnerability assessments to identify and remediate potential vulnerabilities.\\n  * Consider implementing a security information and event management (SIEM) system to monitor and analyze security-related data.\\n\\nBy following these recommendations, organizations can reduce their risk of being compromised by the HoneyMyte APT group and other similar threats.\\n\\n## Indicators of Compromise\\n\\n_More indicators of compromise, as well as any updates to these, are available to the customers of our APT intelligence reporting service. 
If you are interested, please contact intelreports@kaspersky.com._\\n\\n**Malicious drivers**\\n\\n**MD5** | **File name**\\n---|---\\n36f121046192b7cac3e4bec491e8f1b5 | AppvVStram_.sys\\nfe091e41ba6450bcf6a61a2023fe6c83 | AppvVStram_.sys\\nabe44ad128f765c14d895ee1c8bad777 | ProjectConfiguration.sys\\n\\n**ToneShell C2 domains**\\n\\n  * avocadomechanism[.]com\\n  * potherbreference[.]com&#8243;,&#8221;published&#8221;:&#8221;2025-12-29T10:00:35&#8243;,&#8221;modified&#8221;:&#8221;2025-12-29T10:00:35&#8243;,&#8221;type&#8221;:&#8221;securelist&#8221;,&#8221;title&#8221;:&#8221;The HoneyMyte APT evolves with a kernel-mode rootkit and a ToneShell backdoor&#8221;,&#8221;source&#8221;:&#8221;&#8221;,&#8221;references&#8221;:&#8221;&#8221;,&#8221;id&#8221;:&#8221;SECURELIST:B5428742768FD8555C1F64A00D7F2C16&#8243;,&#8221;bulletinFamily&#8221;:&#8221;blog&#8221;,&#8221;cwe&#8221;:null,&#8221;cvelist&#8221;:[],&#8221;sourceData&#8221;:&#8221;&#8221;,&#8221;sourceHref&#8221;:&#8221;&#8221;,&#8221;cvss&#8221;:{&#8220;score&#8221;:0,&#8221;severity&#8221;:&#8221;NONE&#8221;,&#8221;vector&#8221;:&#8221;NONE&#8221;,&#8221;version&#8221;:&#8221;NONE&#8221;},&#8221;cvss2&#8243;:{},&#8221;cvss3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;,&#8221;cvssV3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope
&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;}},&#8221;href&#8221;:&#8221;https:\/\/securelist.com\/honeymyte-kernel-mode-rootkit\/118590\/&#8221;,&#8221;category_name&#8221;:&#8221;News&#8221;,&#8221;post_link&#8221;:&#8221;&#8221;,&#8221;product&#8221;:&#8221;&#8221;,&#8221;version&#8221;:&#8221;&#8221;,&#8221;vendor&#8221;:&#8221;&#8221;,&#8221;ai_description&#8221;:&#8221;&#8221;,&#8221;ai_severity&#8221;:&#8221;&#8221;,&#8221;ai_vendor&#8221;:&#8221;&#8221;,&#8221;ai_product&#8221;:&#8221;&#8221;,&#8221;ai_version&#8221;:&#8221;&#8221;,&#8221;ai_score&#8221;:0}<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,13,33,136,7,11,5],"class_list":["post-33095","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-securelist","tag-security","tag-tapic","tag-vulnerability"]}