A China-linked threat group tracked as HoneyMyte, also known as Mustang Panda or Bronze President, is using a new kernel rootkit to hide its ToneShell backdoor.
The campaign has hit government networks across Southeast and East Asia, with the heaviest impact in Myanmar and Thailand. The goal is long-term espionage, not quick financial theft.
The attack begins with a malicious driver, dropped on already compromised Windows systems and loaded as a minifilter driver under the name ProjectConfiguration.sys.
The driver is signed with an old, stolen certificate from Guangzhou Kingteller Technology Co., Ltd., which helps it appear trusted to the operating system and to some security tools.
Injection workflow (Source – Securelist)
Securelist researchers found that this driver not only loads the ToneShell backdoor but also shields the entire toolset from security scans.
They linked the campaign to earlier HoneyMyte activity because victims often had other tools of the group present, such as the ToneDisk USB worm, PlugX, and older ToneShell builds.
Once loaded, the driver injects ToneShell into a high-privilege svchost.exe process, then hides both its own file and the new process.
It hooks file and registry operations so that any attempt to delete or rename the driver, or to change its service keys, returns STATUS_ACCESS_DENIED at kernel level.
It also tampers with Microsoft Defender's WdFilter altitude so that its own filter sits deeper in the stack, letting it see and block operations before many security engines do.
Rootkit-Driven Infection and Stealth
The driver carries two shellcodes inside its .data section. The first creates a new svchost.exe instance, writes its process ID to disk, and prepares shared event names and file paths.
The second shellcode is the ToneShell backdoor itself, injected into that svchost process and added to a protected-process list so that other tools cannot open a handle to it.
ToneShell then talks to its command-and-control servers over raw TCP on port 443, faking a TLS 1.3 record with a simple header and an XOR-encrypted payload:
Header: 0x17 0x03 0x04
Length: uint16
Body: XOR_encrypted_data
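The record layout above gives defenders a usable network signature. A genuine TLS 1.3 application_data record carries the legacy version bytes 0x03 0x03 (RFC 8446; 0x03 0x01 appears only on an initial ClientHello), so a 0x17 record announcing version 0x03 0x04 is itself an anomaly. The following added example, written for this article and not taken from Securelist or from the malware, splits a captured TCP stream into TLS-style records and flags the ones matching the ToneShell pattern. It assumes the uint16 length is big-endian like a real TLS record; the XOR key and the sample bytes are constructed for the demonstration, since the article gives neither.

```python
import struct

# Record header the article describes: content type 0x17 (application_data)
# followed by the non-standard version bytes 0x03 0x04.
FAKE_HEADER = b"\x17\x03\x04"

# Versions a legitimate TLS 1.3 record may carry (RFC 8446).
LEGIT_VERSIONS = {(3, 3), (3, 1)}

# Hypothetical single-byte XOR key used only for the constructed sample;
# the real ToneShell key is not given in the article.
SAMPLE_KEY = 0x5A


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key (applies both ways)."""
    return bytes(b ^ key for b in data)


def parse_records(stream: bytes) -> list:
    """Split a captured byte stream into TLS-style records.

    Each record is returned as a dict with content_type, version, length and
    body. The length is read as big-endian (assumption: same as real TLS).
    A truncated trailing record is left unparsed instead of raising, so the
    caller can buffer the remainder with the next chunk of the stream.
    """
    records = []
    off = 0
    while off + 5 <= len(stream):
        ctype, vmaj, vmin, length = struct.unpack_from("!BBBH", stream, off)
        body = stream[off + 5:off + 5 + length]
        if len(body) < length:
            break  # incomplete record at end of chunk
        records.append({
            "content_type": ctype,
            "version": (vmaj, vmin),
            "length": length,
            "body": body,
        })
        off += 5 + length
    return records


def flag_fake_tls(stream: bytes) -> list:
    """Return indices of records that look like ToneShell traffic:
    application_data records whose version bytes are not a value a real
    TLS implementation would emit."""
    hits = []
    for i, rec in enumerate(parse_records(stream)):
        if rec["content_type"] == 0x17 and rec["version"] not in LEGIT_VERSIONS:
            hits.append(i)
    return hits


def decode_body(rec: dict, key: int) -> bytes:
    """Recover the plaintext of a flagged record for analysis, given a key."""
    return xor_bytes(rec["body"], key)


# Constructed sample capture (not real traffic): one genuine-looking
# application_data record, two records in the ToneShell layout, and a
# truncated trailing header to exercise the buffering path.
SAMPLE_STREAM = (
    b"\x17\x03\x03" + struct.pack("!H", 5) + b"hello"
    + FAKE_HEADER + struct.pack("!H", 4) + xor_bytes(b"ping", SAMPLE_KEY)
    + FAKE_HEADER + struct.pack("!H", 7) + xor_bytes(b"cmd:dir", SAMPLE_KEY)
    + b"\x17\x03\x04\x00\x10"
)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_STREAM)
    for i in flag_fake_tls(SAMPLE_STREAM):
        print(f"record {i}: fake TLS header, {recs[i]['length']} byte body,"
              f" decoded={decode_body(recs[i], SAMPLE_KEY)!r}")
```

In a real deployment the same check belongs in an IDS rule on port 443 traffic: a TCP session that never performs a ClientHello but immediately emits 0x17 0x03 0x04 records does not match any browser or OS TLS stack, which is what makes this framing detectable despite the port choice.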
This technical breakdown indicates a clear shift by HoneyMyte toward kernel-level stealth, making memory forensics and rootkit-aware detection essential on high-value government networks.
