The HoneyMyte APT now protects malware with a kernel-mode rootkit

Dec. 29, 2025, 1:51 p.m.

Description

In mid-2025, a malicious driver file was discovered on Asian computer systems, signed with a compromised digital certificate. This driver injects a backdoor Trojan and protects malicious files, processes, and registry keys. The final payload is a new variant of the ToneShell backdoor, associated with the HoneyMyte APT group. The attacks, which began in February 2025, primarily target government organizations in Southeast and East Asia, especially Myanmar and Thailand. The malware uses various techniques to evade detection, including API obfuscation, process protection, and registry key protection. The ToneShell backdoor communicates with command-and-control servers using fake TLS headers and supports remote operations such as file transfer and shell access.

External References

https://otx.alienvault.com/pulse/69528092ee9eed9c6d16d25d
https://securelist.com/honeymyte-kernel-mode-rootkit/118590/
Tags
apt
rootkit
plugx
toneshell
evasion techniques
2025-12-29
tonedisk

Date

  • Created: Dec. 29, 2025, 1:22 p.m.
  • Published: Dec. 29, 2025, 1:22 p.m.
  • Modified: Dec. 29, 2025, 1:51 p.m.

Attack Patterns

  • PlugX
  • ToneDisk
  • TONESHELL
  • PlugX - S0013
  • HoneyMyte

Additional Informations

  • Government
  • avocadomechanism.com
  • potherbreference.com
  • Myanmar
  • Thailand