Shadowed in the Kernel: Chinese Espionage Group Unleashes Stealth Rootkit Against Southeast Asian Governments
Subtitle: A notorious APT group ratchets up its cyber offensive with a rootkit-powered backdoor, evading security controls and targeting sensitive state networks.
Just when defenders thought they had a handle on Chinese cyberespionage, the HoneyMyte group - also known as Mustang Panda - has rewritten the playbook. In a campaign that reads like a cyber-thriller, these hackers have deployed a sophisticated rootkit, cloaking their infamous ToneShell backdoor from even the sharpest digital eyes. Government agencies in Myanmar and Thailand are the latest pawns in this high-stakes contest for control, as adversaries exploit stolen certificates and kernel-level trickery to burrow deep beneath the radar.
Fast Facts
- Attackers used a stolen digital certificate from Guangzhou Kingteller Technology to sign a malicious driver named ProjectConfiguration.sys.
- The rootkit operates at the kernel level, making it exceptionally difficult to detect or remove.
- Victims include government organizations in Myanmar and Thailand, with evidence of previous HoneyMyte malware infections.
- The campaign’s infrastructure was set up in September 2024, using NameCheap-registered domains to control infected systems.
- ToneShell’s new variant leverages fake TLS 1.3 headers and memory-only execution to avoid traditional detection.
Inside the Attack: Anatomy of a Stealth Operation
Researchers tracking the HoneyMyte APT group have uncovered a leap in their technical prowess: the use of a kernel-mode rootkit to deploy the ToneShell backdoor. This marks the first time ToneShell has been seen delivered via such a sophisticated loader, signaling a new era in Chinese state-linked cyber operations.
The operation hinges on a malicious driver, ProjectConfiguration.sys, signed with a digital certificate pilfered from a legitimate Chinese company. The certificate itself, long expired, has been observed signing unrelated malware - evidence that it’s circulating among multiple threat actors. The driver registers as a file-system minifilter, intercepting and denying file and registry operations that could expose the malware. It even tampers with the Microsoft Defender WdFilter driver, sabotaging attempts by security software to load and scan for threats.
For the targets - primarily government agencies already compromised by earlier HoneyMyte tools like PlugX and ToneDisk - the new rootkit is a nightmare. It places itself high in the system’s filter stack, blocks forensic tools from accessing key processes, and keeps the ToneShell payload invisible. The backdoor’s latest evolution swaps its host identifier mechanism and adopts fake TLS 1.3 headers for command-and-control, making its traffic blend seamlessly into normal encrypted communications.
Because the attack operates almost entirely in memory and shields itself at the kernel level, traditional antivirus and endpoint protection are unlikely to spot it. Only advanced memory forensics and behavioral detection stand a chance - raising the stakes for defenders across Asia’s public sector.
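The three behaviours described above (a driver signed with an expired, stolen certificate; a minifilter sitting high in the filter stack; interference with Defender's WdFilter) are all things a responder can check for from a host. The following PowerShell triage script is an added example, not code from the report or from any group or vendor it names. It assumes it runs as Administrator on a Windows host; the only values taken from the article are the driver file name and the signer name, and the flags it raises are review prompts, not verdicts.

```powershell
# Added example (not from the article): host triage for the rootkit traits the report describes.
# Assumptions: Windows, run as Administrator. $SuspectDriver and $SuspectSigner come from the
# article; every other threshold and name here is a triage heuristic, not an indicator.

$SuspectDriver = 'ProjectConfiguration.sys'
$SuspectSigner = 'Guangzhou Kingteller Technology'

# 1. Enumerate running kernel drivers and check their Authenticode signatures.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$findings = foreach ($d in $drivers) {
    # PathName may carry a \??\ or \SystemRoot\ prefix; normalise it to a plain file path.
    $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig     = Get-AuthenticodeSignature -FilePath $path
    $cert    = $sig.SignerCertificate
    $reasons = @()

    if ($sig.Status -ne 'Valid') { $reasons += "signature status $($sig.Status)" }
    # An expired signer with a valid timestamp countersignature still verifies, so this is
    # a review flag only; the report's driver is signed with a long-expired certificate.
    if ($cert -and $cert.NotAfter -lt (Get-Date)) { $reasons += "signer cert expired $($cert.NotAfter.ToShortDateString())" }
    if ($cert -and $cert.Subject -like "*$SuspectSigner*") { $reasons += 'signer named in report' }
    if ((Split-Path -Leaf $path) -ieq $SuspectDriver) { $reasons += 'file name named in report' }

    if ($reasons.Count) {
        [pscustomobject]@{
            Driver  = $d.Name
            Path    = $path
            Signer  = if ($cert) { $cert.Subject } else { '<unsigned>' }
            Reasons = $reasons -join '; '
        }
    }
}

# 2. Parse 'fltmc filters' to see the minifilter stack. Rows look like:
#    WdFilter        5    328010    0   (name, instance count, altitude, frame)
$filters = fltmc filters 2>$null | ForEach-Object {
    if ($_ -match '^(\S+)\s+(\d+)\s+(\d+(?:\.\d+)?)\s+(\d+)\s*$') {
        [pscustomobject]@{ Name = $Matches[1]; Instances = [int]$Matches[2]; Altitude = [double]$Matches[3] }
    }
}

$wdfilter = $filters | Where-Object { $_.Name -ieq 'WdFilter' }
if (-not $wdfilter) {
    Write-Warning 'WdFilter (Microsoft Defender minifilter) is not loaded - check Defender health and the driver list above'
}

# A filter with a higher altitude is attached above Defender and sees I/O before it does.
$above = if ($wdfilter) { $filters | Where-Object { $_.Altitude -gt $wdfilter.Altitude } } else { $filters }

'--- Drivers flagged for review ---'
$findings | Format-Table -AutoSize
'--- Minifilters attached above WdFilter (review unfamiliar names against the altitude allocation list) ---'
$above | Sort-Object Altitude -Descending | Format-Table -AutoSize
```

Two points on the design: Get-AuthenticodeSignature resolves catalog signatures on supported Windows versions, so inbox drivers show as Valid rather than as false positives; and because a rootkit of the kind described can deny file and registry reads from user mode, an empty result set on a host you already suspect is itself a finding, which is why the article points responders toward memory forensics rather than on-disk checks alone.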
Conclusion: Raising the Bar for Cyber Defense
The HoneyMyte campaign is a chilling reminder that APT groups are constantly evolving - adapting, innovating, and exploiting every gap in the digital armor. For the governments of Southeast and East Asia, the message is clear: only by embracing memory forensics, behavioral analytics, and relentless vigilance can they hope to expose threats that hide in the shadows of the operating system.
WIKICROOK
- Rootkit: A rootkit is stealthy malware that hides itself on a device, allowing attackers to secretly control the system and evade detection.
- Kernel: The kernel is the core of an operating system, managing hardware and software resources to ensure efficient and secure system operation.
- Digital certificate: A digital certificate is an electronic document that verifies the identity of websites or programs, helping ensure secure and trusted online communication.
- Command: A command is an instruction sent to a device or software, often by a C2 server, directing it to perform specific actions, sometimes for malicious purposes.
- Memory forensics: Memory forensics analyzes a computer’s RAM to uncover evidence of cyberattacks, hidden malware, or unauthorized activity during cybersecurity investigations.