Overview of the attacks

  • In mid-2025, we identified a malicious driver file on computer systems in Asia.
  • The driver file is signed with an old, stolen, or leaked digital certificate and registers as a mini-filter driver on infected machines.
  • Its end goal is to inject a backdoor Trojan into system processes and to protect malicious files, user-mode processes, and registry keys.
  • Our analysis indicates that the final payload injected by the driver is a new sample of the ToneShell backdoor, which connects to the attacker's servers and provides a reverse shell, along with other capabilities.
  • The ToneShell backdoor is a tool known to be used exclusively by the HoneyMyte (aka Mustang Panda or Bronze President) APT actor and is often used in cyberespionage campaigns targeting government organizations, particularly in Southeast and East Asia.
  • The command-and-control servers for the ToneShell backdoor used in this campaign were registered in September 2024 via NameCheap, and we suspect the attacks themselves began in February 2025.

Article Summaries:

  • In mid-2025, analysts uncovered a kernel-mode driver named ProjectConfiguration.sys, deployed by the HoneyMyte (Mustang Panda) APT on systems in Asia. The driver, signed with a stolen Guangzhou Kingteller certificate (validity period 2012-2015), registers as a mini-filter driver and injects a new ToneShell backdoor into system processes. ToneShell, a tool exclusive to HoneyMyte, provides a reverse shell and other espionage capabilities and has been used against Southeast and East Asian governments, especially in Myanmar and Thailand. The command-and-control servers were registered via NameCheap in September 2024, and the campaign likely began in February 2025. Victims were often already infected with other HoneyMyte malware, suggesting the driver was deployed onto machines that had been compromised earlier.
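The overview and the summary above both describe the same hunting lead: a mini-filter driver signed with an old, long-expired certificate. Old certificates are valuable to attackers because Windows 10 version 1607 and later refuse to load new kernel drivers that are not WHQL-signed, but still accept drivers signed with an end-entity certificate issued before 29 July 2015 that chains to a cross-signed CA. The script below is an added example written for this page, not code from the report or from Kaspersky; the function names are the author's own, and it assumes it runs in an elevated PowerShell session on the Windows host being examined. It enumerates every service that has registered a mini-filter (an `Instances` subkey with an `Altitude` value under the service key, which is what FltMgr and `fltmc` read), resolves the driver image on disk, and flags signers that are non-Microsoft, expired, pre-cutoff, or missing a countersignature timestamp.

```powershell
# Added example (not from the original article): triage registered mini-filter
# drivers by the age and validity of their Authenticode signer certificate.
# Assumption: run elevated on the host under examination.

# Microsoft's grandfathering cutoff for non-WHQL kernel drivers (Windows 10 1607+).
$GrandfatherCutoff = [datetime]'2015-07-29'

function Resolve-DriverImagePath {
    # Normalise the ImagePath forms seen in service keys to a plain file path.
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                          # \??\C:\... -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"    # \SystemRoot\... -> C:\Windows\...
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }  # system32\drivers\x.sys
    return $p
}

function Get-RegisteredMinifilter {
    # A mini-filter registers HKLM\SYSTEM\CurrentControlSet\Services\<svc>\Instances\<name>\Altitude.
    # Reading the registry catches drivers that are registered but not currently loaded.
    $svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($svc in Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue) {
        $instKey = "$($svc.PSPath)\Instances"
        if (-not (Test-Path $instKey)) { continue }
        $altitude = Get-ChildItem $instKey -ErrorAction SilentlyContinue |
            ForEach-Object { (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).Altitude } |
            Where-Object { $_ } | Select-Object -First 1
        $props = Get-ItemProperty $svc.PSPath -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service   = $svc.PSChildName
            Altitude  = $altitude
            ImagePath = Resolve-DriverImagePath $props.ImagePath
        }
    }
}

function Test-DriverSignature {
    # Emit one row per driver with the signer details and a list of hunt findings.
    param([Parameter(ValueFromPipeline)]$Driver)
    process {
        $path = $Driver.ImagePath
        $findings = @()
        $cert = $null
        $sig  = $null
        if (-not $path -or -not (Test-Path -LiteralPath $path)) {
            $findings += 'image missing on disk'
        } else {
            $sig  = Get-AuthenticodeSignature -FilePath $path
            $cert = $sig.SignerCertificate
            if ($sig.Status -ne 'Valid') { $findings += "signature status $($sig.Status)" }
            if ($cert) {
                if ($cert.Subject -notmatch 'O=Microsoft (Corporation|Windows)') { $findings += 'non-Microsoft signer' }
                if ($cert.NotAfter -lt (Get-Date)) { $findings += 'signer certificate expired' }
                if ($cert.NotBefore -lt $GrandfatherCutoff) { $findings += 'issued before 2015-07-29 (loads without WHQL)' }
                if (-not $sig.TimeStamperCertificate) { $findings += 'no countersignature timestamp' }
            }
        }
        [pscustomobject]@{
            Service    = $Driver.Service
            Altitude   = $Driver.Altitude
            Path       = $path
            Signer     = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotBefore  = $cert.NotBefore
            NotAfter   = $cert.NotAfter
            Findings   = ($findings -join '; ')
        }
    }
}

# Show only drivers with at least one finding, ordered by altitude (lower loads closer to the volume).
Get-RegisteredMinifilter | Test-DriverSignature |
    Where-Object { $_.Findings } |
    Sort-Object Altitude |
    Format-Table Service, Altitude, Signer, NotBefore, NotAfter, Findings -AutoSize
```

The output is a triage list, not a verdict: legitimate third-party filters (backup agents, older AV) also carry pre-2015 grandfathered certificates. What should stand out is the combination the report describes, a non-Microsoft signer whose certificate expired years ago, on a driver name with no vendor you recognise, at an altitude that puts it in front of your EDR's filter. Pair the thumbprint with your certificate-revocation and threat-intel sources before escalating.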

Sources: