The HoneyMyte APT evolves with a kernel-mode rootkit and a ToneShell backdoor
ID: caf19af7-05bd-539f-bc85-8079fee56d6e
STIX ID: report--caf19af7-05bd-539f-bc85-8079fee56d6e
Feed Name: Securelist by Kaspersky
This report describes a mid-2025 HoneyMyte (aka Mustang Panda / Bronze President) campaign in which a signed kernel-mode driver (ProjectConfiguration.sys), signed with a compromised Guangzhou Kingteller certificate, registers as a mini-filter and implements rootkit protections to inject and persist a new ToneShell backdoor into high-privilege svchost processes. The driver dynamically resolves kernel APIs, blocks file/registry operations and process access to protect malicious artifacts, tampers with Microsoft Defender's WdFilter altitude, and deploys ToneShell, which communicates with avocadomechanism.com and potherbreference.com over faux-TLS TCP on port 443. Victims are primarily government organizations in Southeast and East Asia, and detection requires memory forensics to find the in-memory shellcode and injected payloads.