HoneyMyte APT (Mustang Panda) Deploys New Kernel-Mode Rootkit to Hide Backdoor

HoneyMyte (Mustang Panda) APT Evolves with Kernel-Mode Rootkit to Conceal ToneShell Backdoor

Severity: HIGH
December 26, 2025
Categories: Threat Actor, Malware, Cyberattack

Related Entities

Threat Actors: HoneyMyte, Mustang Panda, Bronze President

Other: ToneShell, PlugX, ToneDisk, China

Full Report

Executive Summary

Research published by Kaspersky on December 26, 2025, reveals a significant evolution in the tradecraft of the HoneyMyte APT group (also tracked as Mustang Panda and Bronze President). This China-linked cyber-espionage actor has added a custom kernel-mode rootkit to its attack chain to gain stealth and persistence that user-mode tooling cannot see past. The rootkit's primary function is to protect a new variant of the group's proprietary ToneShell backdoor. Because it runs in kernel space, it can hide the malware's files, processes, and registry entries from user-mode security components such as antivirus engines and the user-mode portions of EDR agents. The capability has been deployed in targeted attacks against government organizations in Southeast Asia, notably Myanmar and Thailand, and marks a clear step up in the group's sophistication.

Threat Overview

HoneyMyte is a well-known threat actor focused on intelligence gathering, historically targeting government and non-governmental organizations in Asia. This latest campaign demonstrates a clear investment in developing more advanced capabilities to bypass modern defenses. The use of a kernel-mode rootkit is a complex technique that provides the attacker with deep control over the compromised operating system. The initial access vector for deploying the rootkit is unconfirmed, but it is suspected that the group leverages its existing access on previously compromised machines, where tools like the PlugX RAT and ToneDisk USB worm have been found.

Technical Analysis

The attack employs a multi-component architecture:

  1. Rootkit Deployment: The attack begins with the deployment of a malicious driver on the target system. The driver is signed with a stolen or leaked digital certificate so that it appears legitimate and satisfies Driver Signature Enforcement (DSE), which only checks that a signature chains to a trusted root, not that the certificate's owner wrote the code.

  2. Kernel-Mode Persistence: The driver registers itself as a file system minifilter (T1547.006 - Kernel Modules and Extensions), which gives it a hook on every file system I/O request passing through the filter manager. A minifilter alone sees only file I/O; hiding registry keys requires a separate kernel mechanism such as a registry callback. Together this constitutes T1014 - Rootkit.

  3. Malware Concealment: The rootkit's main purpose is to act as a cloaking device. When a security tool or system utility enumerates files, processes, or registry keys, the rootkit intercepts the request and filters out any entries related to the HoneyMyte malware, so they are invisible to the user and to security products that rely on the operating system's answers.

  4. Backdoor Injection: The rootkit deploys a small user-mode component that injects the final payload, the ToneShell backdoor, into a legitimate system process (T1055 - Process Injection). The backdoor's shellcode therefore executes entirely in memory, evading file-based detection.

  5. C2 Communication: The ToneShell backdoor communicates with C2 servers that were registered in September 2024, well before the first observed attacks, indicating a planned operation. It provides the attackers with remote control over the system for long-term espionage.

Impact Assessment

The use of a kernel-mode rootkit significantly raises the bar for detection and remediation. Incident response procedures that rely on the live host's own view (process lists, directory listings, registry queries, driver enumeration) may miss the malware's artifacts entirely because the rootkit filters those answers. A compromised system can remain under attacker control for extended periods, allowing deep and persistent intelligence gathering. For the targeted government entities, this means a high risk of sustained exfiltration of sensitive state secrets, diplomatic communications, and strategic plans. Remediation is also more complex, typically requiring offline analysis of the disk and a memory image, and potentially a complete OS re-installation to ensure the rootkit is fully removed.

Cyber Observables for Detection

Type | Value | Description
log_source | Windows System Event Log, Service Control Manager Event ID 7045 | Monitor for newly installed services, which is also how a kernel driver is registered; filter on a ServiceType of "kernel mode driver" and review the image path and signer of anything unexpected.
command_line_pattern | fltmc filters | Lists the loaded file system minifilters (running fltmc with no arguments does the same). An unknown filter or one with no recognisable vendor is a key indicator; note that a rootkit hooking the filter manager can falsify this output, so corroborate with a memory image.
other | Stolen digital certificates | The malicious driver may be signed with a known-stolen certificate. Maintain a list of revoked or suspicious certificates and enable Microsoft's vulnerable driver blocklist.
network_traffic_pattern | Anomalous outbound traffic | Monitor for C2 communications from the legitimate system process the backdoor is injected into, which would not normally make external connections.

Detection & Response

  • Driver Load Monitoring: Closely monitor the loading of new kernel drivers (Sysmon Event ID 6, "Driver loaded", records the image hash and signer). Scrutinize any newly installed minifilter, especially one that is not from a well-known security or storage vendor.
  • Memory Forensics: Since the ToneShell backdoor runs only in memory, memory analysis is a critical detection technique. Volatility 3 plugins such as windows.malfind (injected code regions), windows.driverscan and windows.modules (drivers present in memory versus those the live system reports), and windows.callbacks and windows.ssdt (kernel hooks) can surface what the rootkit hides from the live host.
  • Advanced EDR: Use EDR solutions that detect rootkit behaviour such as kernel callback tampering, system call hooking or direct kernel object manipulation (DKOM). An EDR sensor that is itself a kernel driver can be blinded by a rootkit running at the same privilege level, so corroborate host telemetry with network and off-host evidence.
  • Patching and Hardening: Ensure systems are fully patched. Loading a driver requires administrative privileges, so privilege-escalation vulnerabilities are a common step on the path to installing one.
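The following hunting script is an added example for this page, not code from the Kaspersky report or from the group's tooling. It turns the observables and detection advice above into checks a responder can run from an elevated PowerShell session on a Windows host: it pulls Service Control Manager Event ID 7045 records for kernel-mode drivers, verifies each driver's file and Services registry key are still visible (the event log proves they existed at install time, so an invisible file or key with no uninstall is a cross-view discrepancy worth chasing), inspects the Authenticode signer, and compares the loaded minifilters from `fltmc filters` against a baseline. The `$KnownFilters` list is a placeholder assumption; build yours from a golden image.

```powershell
# Added example (not from the Securelist report). Run elevated.
# $KnownFilters is a placeholder baseline; replace it with the minifilters
# present on your own golden image.
$KnownFilters = @('WdFilter', 'wcifs', 'CldFlt', 'bindflt', 'Wof', 'FileInfo',
                  'luafv', 'npsvctrig', 'storqosflt', 'FileCrypt')

function Resolve-DriverImagePath {
    # Event 7045 records image paths in NT form: \SystemRoot\..., \??\C:\..., system32\...
    param([string]$ImagePath)
    $p = $ImagePath -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -match '^(system32|syswow64)\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-RecentKernelDriverInstalls {
    # One object per kernel-mode driver service registered in the last $Days days.
    # 7045 EventData order: ServiceName, ImagePath, ServiceType, StartType, AccountName.
    param([int]$Days = 30)
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[2].Value -match 'kernel mode driver' } |
        ForEach-Object {
            $name = $_.Properties[0].Value
            $path = Resolve-DriverImagePath $_.Properties[1].Value
            $sig  = if ($path -and (Test-Path -LiteralPath $path)) {
                        Get-AuthenticodeSignature -LiteralPath $path
                    } else { $null }
            [pscustomobject]@{
                Time           = $_.TimeCreated
                ServiceName    = $name
                ImagePath      = $path
                StartType      = $_.Properties[3].Value
                # Installed per the log but no longer visible: uninstalled, or hidden.
                FileVisible    = [bool]$sig
                # The 7045 event proves the Services key existed; if it is now
                # invisible with no uninstall, suspect registry filtering.
                RegKeyVisible  = Test-Path -LiteralPath "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
                OutsideDrivers = $path -notlike "$env:SystemRoot\System32\drivers\*"
                SigStatus      = if ($sig) { $sig.Status } else { 'n/a' }
                # A stolen certificate still yields Valid; judge the Signer against
                # the vendors you expect on this host, not the Status alone.
                Signer         = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

function Get-UnexpectedMinifilters {
    # Parses `fltmc filters` (columns: Filter Name, Num Instances, Altitude, Frame)
    # and returns filters absent from the baseline. fltmc asks the filter manager,
    # so a rootkit hooking that path can still lie; corroborate with a memory
    # image (for example Volatility 3 windows.driverscan) when in doubt.
    param([string[]]$Baseline = $KnownFilters)
    fltmc.exe filters 2>$null |
        Where-Object { $_ -match '^\S' -and $_ -notmatch '^(Filter Name|-{5,})' } |
        ForEach-Object {
            $cols = ($_.Trim() -split '\s+')
            [pscustomobject]@{ Name = $cols[0]; Instances = $cols[1]; Altitude = $cols[2]; Frame = $cols[3] }
        } |
        Where-Object { $Baseline -notcontains $_.Name }
}

$drivers = Get-RecentKernelDriverInstalls -Days 30
'--- Kernel-driver installs, last 30 days. Review rows with FileVisible/RegKeyVisible = False, OutsideDrivers = True, or an unexpected Signer ---'
$drivers | Format-Table Time, ServiceName, FileVisible, RegKeyVisible, OutsideDrivers, SigStatus, Signer -AutoSize

'--- Loaded minifilters not in baseline ---'
Get-UnexpectedMinifilters | Format-Table -AutoSize
```

Both halves of the script ask the compromised kernel for answers, which is exactly what a rootkit controls; their value is in the discrepancies (a service install the log remembers but the file system and registry no longer show, a filter with an unknown signer) rather than in a clean result. Treat an empty finding as "nothing visible", and fall back to an offline disk and memory image before declaring a host clean.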

Mitigation

  • Driver Signature Enforcement: Enforce strict driver signature policies. HoneyMyte's driver carried a signature, so DSE alone did not stop it, but it still blocks unsigned or improperly signed drivers and forces the attacker to obtain or steal a certificate.
  • Application Control: Use application control to prevent the execution of the initial dropper that installs the rootkit, aligning with D3-EAL: Executable Allowlisting.
  • Virtualization-Based Security (VBS): On modern Windows systems, enable VBS and Hypervisor-Protected Code Integrity (HVCI, shown as Memory Integrity in the Windows UI). HVCI makes kernel code-integrity decisions from a hypervisor-protected environment, refuses to make any kernel page executable unless it passes those checks, and enforces Microsoft's vulnerable driver blocklist, which is the control that catches known-abused signed drivers.
  • Boot Integrity: Use UEFI Secure Boot so that the firmware, bootloader and early boot components are signature-verified, and TPM measured boot so that the boot chain can be attested; this aligns with D3FEND's D3-TBI: TPM Boot Integrity. These protect the boot chain itself; a validly signed driver loaded after boot is the job of HVCI and the blocklist, not of Secure Boot.
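Before relying on the mitigations above, confirm they are actually running rather than merely configured. The script below is an added example for this page, not code from the report or from Microsoft; it reads the Win32_DeviceGuard class and the Secure Boot and TPM state, and, if VBS or HVCI is not running, writes the registry values Microsoft documents for enabling them without Group Policy, plus the vulnerable driver blocklist switch. Function names are this example's own. Run elevated; the registry changes take effect after a reboot.

```powershell
# Added example (not from the Securelist report). Run elevated; reboot after Enable-KernelProtection.
function Get-KernelProtectionStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = configured but not running, 2 = running.
    # SecurityServicesRunning contains 2 when HVCI (Memory Integrity) is running.
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }   # throws on legacy BIOS firmware
    $ciConfig   = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SecureBoot                = [bool]$secureBoot
        TpmPresent                = (Get-Tpm).TpmPresent
        VbsRunning                = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciRunning               = ($dg.SecurityServicesRunning -contains 2)
        VulnerableDriverBlocklist = ($ciConfig.VulnerableDriverBlocklistEnable -eq 1)
    }
}

function Enable-KernelProtection {
    # Registry values Microsoft documents for enabling VBS and HVCI outside Group Policy.
    $dgKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $hvciKey = "$dgKey\Scenarios\HypervisorEnforcedCodeIntegrity"
    $ciKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    foreach ($k in @($dgKey, $hvciKey, $ciKey)) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }
    Set-ItemProperty -Path $dgKey -Name 'EnableVirtualizationBasedSecurity' -Value 1 -Type DWord
    # RequirePlatformSecurityFeatures: 1 = Secure Boot, 3 = Secure Boot plus DMA protection.
    Set-ItemProperty -Path $dgKey -Name 'RequirePlatformSecurityFeatures' -Value 1 -Type DWord
    Set-ItemProperty -Path $hvciKey -Name 'Enabled' -Value 1 -Type DWord
    # Locked = 1 stores the HVCI setting in a UEFI variable, so an attacker with
    # administrative rights cannot silently switch it off; clearing it later
    # requires confirmation at the physical console during boot.
    Set-ItemProperty -Path $hvciKey -Name 'Locked' -Value 1 -Type DWord
    # Microsoft's vulnerable driver blocklist: the control that stops known-abused signed drivers.
    Set-ItemProperty -Path $ciKey -Name 'VulnerableDriverBlocklistEnable' -Value 1 -Type DWord
}

$before = Get-KernelProtectionStatus
$before | Format-List
if (-not ($before.VbsRunning -and $before.HvciRunning)) {
    Enable-KernelProtection
    'VBS/HVCI settings written. Reboot, then re-run Get-KernelProtectionStatus and confirm HvciRunning = True.'
}
```

HVCI refuses to load drivers that are not HVCI-compatible, so test the change on a representative hardware and driver build before fleet-wide rollout; a host whose storage or graphics driver is rejected will not boot cleanly. The UEFI lock is deliberate: without it, the same administrative access the attacker needs to install the rootkit is enough to turn Memory Integrity back off.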

Timeline of Events

1. September 1, 2024: Command-and-control (C2) servers for the new ToneShell variant were registered.
2. February 1, 2025: Attacks using the new kernel-mode rootkit are believed to have commenced.
3. December 26, 2025: This article was published.

MITRE ATT&CK Mitigations

  • Use technologies like Secure Boot to ensure the integrity of the boot process and prevent the loading of unauthorized kernel-level components.
  • Implement strict policies for kernel driver loading, such as HVCI, to prevent malicious or illegitimately signed drivers from being loaded.
  • Enforce strict code signing requirements for all drivers. While this attack used a signed driver, this policy raises the bar for attackers.

D3FEND Defensive Countermeasures

To combat the kernel-mode rootkit used by HoneyMyte, organizations must implement robust Driver Load Integrity Checking. On modern Windows systems, this is best achieved by enabling Virtualization-Based Security (VBS) and Hypervisor-Protected Code Integrity (HVCI), also known as Memory Integrity. HVCI moves the kernel's code-integrity checks into an isolated, hypervisor-protected environment and refuses to make any kernel page executable unless it passes them, so a rootkit that controls the normal kernel still cannot tamper with the decision. A valid signature made with a stolen certificate passes a pure signature check, which is why HVCI must be paired with Microsoft's vulnerable driver blocklist and with tracking of revoked or abused certificates; kernel driver loading does not consult online certificate revocation lists on its own. Together these make it significantly harder to load a malicious or illegitimately signed driver.

TPM Boot Integrity is a foundational countermeasure against rootkits like the one used by HoneyMyte. UEFI Secure Boot verifies the signatures of the firmware components and bootloader, and Windows then verifies the kernel and boot-start drivers through its own code integrity checks, so an attacker cannot modify the boot chain to load a malicious driver before the operating system's defenses are active. TPM measured boot complements this by recording a measurement of each boot component into the TPM, so the boot chain can be attested remotely and a tampered chain is detectable even if it somehow passes signature checks. Enforcing this chain of trust from the hardware up gives a high degree of assurance that the kernel starts untampered. Its limit should be understood: a validly signed driver installed at runtime, as in this campaign, is loaded after Secure Boot has done its work, which is why boot integrity must be combined with HVCI and the driver blocklist.

Sources & References

  • "The HoneyMyte APT evolves with a kernel-mode rootkit and a ToneShell backdoor", Kaspersky Securelist (securelist.com), December 26, 2025
  • "HoneyMyte APT Enhances Stealth with New Kernel-Mode Rootkit", Kaspersky (kaspersky.com), December 26, 2025

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis · Security Orchestration (SOAR/XSOAR) · Incident Response & Digital Forensics · Security Operations Center (SOC) · SIEM & Security Analytics · Cyber Fusion & Threat Sharing · Security Automation & Integration · Managed Detection & Response (MDR)

Tags

HoneyMyte, Mustang Panda, APT, Rootkit, Kernel, ToneShell, Cyber Espionage
