Chinese Hackers Use Rootkit to Hide ToneShell Malware Activity


A Chinese-linked threat group tied to HoneyMyte, also known as Mustang Panda or Bronze President, is using a new kernel rootkit to hide its ToneShell backdoor.

The campaign has hit government networks across Southeast and East Asia, with the heaviest impact in Myanmar and Thailand. The goal is long-term spying, not quick money theft.

The attack starts with a malicious driver, dropped on already compromised Windows systems and loaded as a mini‑filter driver under the name ProjectConfiguration.sys.

The driver is signed with an old, stolen certificate from Guangzhou Kingteller Technology Co., Ltd., which helps it look trusted to the operating system and some security tools.

Injection workflow (Source - Securelist)

Securelist researchers identified that this driver does not only load the ToneShell backdoor, but also shields the whole toolset from security scans.

They linked the campaign to earlier HoneyMyte activity because victims often had other group tools present, such as the ToneDisk USB worm, PlugX, and older ToneShell builds.


Once loaded, the driver injects ToneShell into a high‑privilege svchost.exe process, then hides both its own file and the new process.

It hooks file and registry operations so any attempt to delete or rename the driver, or to change its service keys, returns STATUS_ACCESS_DENIED at kernel level.

It also tampers with Microsoft Defender’s WdFilter altitude so that its own filter sits deeper in the stack, letting it see and block operations before many security engines.

Rootkit-Driven Infection and Stealth

The driver carries two shellcodes inside its .data section. The first creates a new svchost.exe instance, writes its process ID to disk, and prepares shared event names and file paths.

The second shellcode is the ToneShell backdoor itself, injected into that svchost process and added to a protected process list so other tools cannot open a handle to it.

ToneShell then talks to command‑and‑control servers over raw TCP on port 443, faking a TLS 1.3 record with a simple header and an XOR‑encrypted payload:

Header:  0x17 0x03 0x04
Length:  uint16
Body:    XOR_encrypted_data
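The record framing above gives defenders a network indicator that does not depend on the XOR key (which the article does not disclose): a genuine TLS 1.3 stack keeps the record-layer version at 0x0303 (RFC 8446, section 5.1), so an application-data record whose header reads 0x17 0x03 0x04 is not something a real TLS implementation emits. The parser below is an added example, not code from the article or from Securelist; it assumes the uint16 length is big-endian like a real TLS record (the article does not state the byte order), and the sample bytes are constructed for illustration.

```python
"""Flag ToneShell-style pseudo-TLS records in a captured TCP payload.

Each record is: 3-byte header, uint16 length (assumed big-endian), body.
The XOR key is not known, so this only inspects framing; it does not
decrypt anything.
"""
import struct
from typing import List, Optional

GENUINE_APPDATA_HEADER = b"\x17\x03\x03"  # what real TLS 1.2/1.3 sends
TONESHELL_HEADER = b"\x17\x03\x04"        # forged "TLS 1.3" version bytes


def parse_records(payload: bytes) -> List[dict]:
    """Walk the payload record by record.

    Returns one dict per record with its offset, kind ('tls', 'toneshell'
    or 'unknown'), declared length and whether the capture cut it short.
    A truncated final record is still reported so partial captures are
    not silently dropped.
    """
    records: List[dict] = []
    offset = 0
    while offset < len(payload):
        header = payload[offset:offset + 3]
        if header == TONESHELL_HEADER:
            kind = "toneshell"
        elif header == GENUINE_APPDATA_HEADER:
            kind = "tls"
        else:
            # Not an application-data record we understand; stop here.
            records.append({"offset": offset, "kind": "unknown",
                            "length": None, "truncated": False})
            break
        if offset + 5 > len(payload):
            # Header present but the length field itself is cut off.
            records.append({"offset": offset, "kind": kind,
                            "length": None, "truncated": True})
            break
        (length,) = struct.unpack(">H", payload[offset + 3:offset + 5])
        body = payload[offset + 5:offset + 5 + length]
        records.append({"offset": offset, "kind": kind,
                        "length": length, "truncated": len(body) < length})
        offset += 5 + length
    return records


def toneshell_indicators(payload: bytes) -> List[int]:
    """Offsets of records carrying the forged 0x17 0x03 0x04 header."""
    return [r["offset"] for r in parse_records(payload)
            if r["kind"] == "toneshell"]


# Constructed sample: one genuine record, one ToneShell-style record,
# and a ToneShell-style record truncated by the end of the capture.
SAMPLE = (
    GENUINE_APPDATA_HEADER + struct.pack(">H", 4) + b"\xde\xad\xbe\xef"
    + TONESHELL_HEADER + struct.pack(">H", 3) + b"ABC"
    + TONESHELL_HEADER + struct.pack(">H", 10) + b"\x00\x01"
)

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec)
    print("ToneShell-style records at offsets:", toneshell_indicators(SAMPLE))
```

Run against a reassembled TCP stream to port 443 rather than single packets, since a record may span segments; a hit means the framing matches, and the flagged flow should then be correlated with the host-side indicators the article lists (the ProjectConfiguration.sys driver and the hidden svchost.exe instance).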

The analysis shows a clear shift by HoneyMyte toward kernel‑level stealth, making memory forensics and rootkit‑aware detection essential on high‑value government networks.
