The HoneyMyte APT now protects malware with a kernel-mode rootkit
In mid-2025, a malicious driver file was discovered on Asian computer systems, signed with a compromised digital certificate. This driver injects a backdoor Trojan and protects malicious files, processes, and registry keys. The final payload is a new variant of the ToneShell backdoor, associated with the HoneyMyte APT group. The attacks, which began in February 2025, primarily target government organizations in Southeast and East Asia, especially Myanmar and Thailand. The malware uses various techniques to evade detection, including API obfuscation, process protection, and registry key protection. The ToneShell backdoor communicates with command-and-control servers using fake TLS headers and supports remote operations such as file transfer and shell access.
AI Analysis
Technical Summary
In mid-2025, security researchers discovered a malicious driver on computer systems in Asia. The driver is signed with a compromised code-signing certificate, so it passes driver signature checks and is loaded as a trusted kernel-mode driver; that is how the HoneyMyte APT group obtains kernel-level control of the host. Once loaded, the driver injects a backdoor Trojan, a new variant of the ToneShell backdoor, and acts as a rootkit: it hides and protects the malware's files, processes, and registry keys so that security software cannot inspect, terminate, or remove them. Further evasion includes API obfuscation to hinder analysis, process protection to prevent termination, and registry key protection to preserve persistence. ToneShell talks to its command-and-control infrastructure using fake TLS headers: the traffic is wrapped in record headers that look like TLS but do not belong to a genuine TLS handshake or session, so it blends in with legitimate encrypted traffic on casual inspection. The backdoor supports file transfer and remote shell access, giving the operators arbitrary command execution and data exfiltration. The campaign has been active since February 2025 and focuses on government organizations in Southeast and East Asia, particularly Myanmar and Thailand. The published indicators of compromise are three file hashes and two domains, listed below. No CVE applies: the intrusion relies on a compromised signing certificate and post-compromise tooling rather than on a software vulnerability. The medium severity rating reflects the targeted scope of the campaign rather than widespread impact; the rootkit and the stealthy C2 channel nonetheless point to a well-resourced and capable adversary.
Potential Impact
For European organizations, direct exposure is currently limited because the campaign targets Southeast and East Asia. The capabilities on display, a signed kernel-mode rootkit and C2 traffic disguised as TLS, are not region-specific and could be turned on other targets. Government agencies, critical infrastructure, and organizations with strategic ties to Asia or a role in geopolitical matters are the most plausible future targets. A rootkit that hides its own artifacts at kernel level can keep an intrusion alive for months, enabling espionage, data exfiltration and, if the operators choose, disruption of services. The use of a compromised code-signing certificate also weakens a trust control many defenders rely on: the driver passes signature enforcement on any host that has not blocked it, whether through Microsoft's driver blocklist, a local WDAC policy, or a hash-based EDR rule. Because the C2 channel only imitates TLS, tooling that inspects the handshake (certificate logging, JA3 fingerprinting) has nothing to inspect, which raises the chance that an infection goes unnoticed. Overall the threat is a medium risk to European organizations, highest for government, defense, and sectors with geopolitical relevance.
Mitigation Recommendations
European organizations should concentrate on the two controls this campaign defeats, driver trust and network inspection, and on the fact that host-based telemetry from a rootkitted machine cannot be trusted.

Driver loading. Monitor driver load events (Sysmon Event ID 6 records the image path, hashes, signer and signature status of every loaded driver) and alert on drivers signed by publishers outside an allow list, on never-before-seen driver hashes, and on drivers loaded from user-writable paths. Enforce a driver policy with Windows Defender Application Control (WDAC) and Microsoft's vulnerable driver blocklist, or at minimum memory integrity (HVCI). Add the three hashes below (they are MD5, so compute MD5 when matching) and the compromised signing certificate, where its identity is available, to blocking rules. Remember that a kernel rootkit can blind an EDR agent on the same host: corroborate EDR findings with out-of-band evidence such as network logs, and confirm a suspected host with memory forensics or an offline disk image rather than trusting the live system.

Integrity. Baseline critical system files, the driver store, and autostart registry keys, and compare periodically. A rootkit that hides keys from the running system does not hide them from a registry hive parsed offline.

Network. Because ToneShell only imitates TLS headers, controls that rely on the handshake (certificate logging, JA3/JA4 fingerprinting, TLS interception) see nothing. Instead flag TCP streams whose first client record is TLS application_data with no preceding ClientHello, streams on port 443 that never complete a handshake, and any connection to the domains listed below. Segment networks and enforce least privilege so a compromised host cannot move laterally with ease.

Intelligence and response. Consume threat-intelligence feeds that carry HoneyMyte indicators, train staff on the targeted phishing and social engineering that typically deliver this kind of malware, and make sure incident response plans cover kernel-level malware: removal generally means booting from trusted media or reimaging rather than cleaning the running system, and forensic capture should precede any remediation.
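The fake-TLS detail in the technical summary and the network-monitoring advice above come down to one check on the first bytes a client sends. The page does not describe ToneShell's framing beyond "fake TLS headers", so this added example (written for this page; it is not code from the Securelist report or from the malware) assumes the usual fake-TLS pattern: a TLS record header wrapping a non-TLS payload with no handshake ever taking place. The classifier inspects the first client-to-server bytes of a TCP stream; the sample streams are constructed, including the ClientHello.

```python
import struct

# Content types and record-layer versions a real TLS client can put on the wire.
CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                 0x16: "handshake", 0x17: "application_data"}
RECORD_VERSIONS = {0x0300, 0x0301, 0x0302, 0x0303}   # TLS 1.3 still uses 0x0301/0x0303 here
HANDSHAKE_CLIENT_HELLO = 0x01
MAX_RECORD_LEN = 16384 + 2048   # TLS 1.2 ciphertext limit (RFC 5246 section 6.2.3)


def parse_record_header(data: bytes):
    """Return (content_type, version, length) from a 5-byte TLS record header, or None."""
    if len(data) < 5:
        return None
    return struct.unpack("!BHH", data[:5])


def classify_stream_start(first_bytes: bytes) -> str:
    """Classify the first client->server bytes of a TCP stream.

    'not_tls'               no plausible TLS record header at offset 0
    'tls_client_hello'      handshake record carrying a ClientHello with consistent lengths
    'fake_tls_no_handshake' TLS-looking record that is not a handshake (e.g. application_data)
                            before any handshake; a real client has no keys at this point
    'tls_malformed'         handshake record whose inner lengths do not add up
    """
    hdr = parse_record_header(first_bytes)
    if hdr is None:
        return "not_tls"
    ctype, version, length = hdr
    if (ctype not in CONTENT_TYPES or version not in RECORD_VERSIONS
            or length == 0 or length > MAX_RECORD_LEN):
        return "not_tls"
    if ctype != 0x16:
        # application_data, CCS or alert as the very first client record cannot be a
        # genuine session: this is the fake-TLS pattern (assumed framing, see lead-in).
        return "fake_tls_no_handshake"
    body = first_bytes[5:5 + length]
    if len(body) < 4 or body[0] != HANDSHAKE_CLIENT_HELLO:
        return "tls_malformed"
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_len + 4 != length:
        # A single-record ClientHello must fill the record exactly; a mismatch means
        # the header was forged (or a rare fragmented hello worth a look either way).
        return "tls_malformed"
    return "tls_client_hello"


def find_fake_tls(streams):
    """streams: iterable of (stream_id, first_client_bytes). Returns ids worth alerting on."""
    return [sid for sid, data in streams
            if classify_stream_start(data) in ("fake_tls_no_handshake", "tls_malformed")]


def _client_hello() -> bytes:
    """Constructed minimal TLS 1.2 ClientHello: version, 32-byte random, empty session id,
    one cipher suite, null compression, no extensions (43-byte body, 47-byte handshake)."""
    hello = (b"\x03\x03" + b"\x11" * 32 + b"\x00"
             + b"\x00\x02\x13\x01" + b"\x01\x00" + b"\x00\x00")
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs


# Constructed sample streams: one browser, one fake-TLS beacon, one HTTP, one forged length.
SAMPLE_STREAMS = [
    ("s1-browser", _client_hello()),
    ("s2-fake-tls", b"\x17\x03\x03\x00\x10" + b"\x5a" * 16),
    ("s3-http", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("s4-bad-length", b"\x16\x03\x01\x00\x20" + b"\x01\x00\x00\x05" + b"\x00" * 28),
]

if __name__ == "__main__":
    for sid, data in SAMPLE_STREAMS:
        print(sid, classify_stream_start(data))
    print("alert:", find_fake_tls(SAMPLE_STREAMS))
```

Feed it the first client payload of each flow from a Zeek or Suricata export. A genuine client always opens with a handshake record carrying a ClientHello, so anything else on a port where you expect TLS is worth a ticket; the absence of a handshake is also why JA3/JA4 fingerprinting produces nothing for these flows, which is itself a usable signal. Tune the port scope and allow-list legitimate non-TLS protocols before alerting on every stream.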
Affected Countries
United Kingdom, Germany, France, Italy, Poland, Netherlands
Indicators of Compromise
- hash: 36f121046192b7cac3e4bec491e8f1b5
- hash: abe44ad128f765c14d895ee1c8bad777
- hash: fe091e41ba6450bcf6a61a2023fe6c83
- domain: avocadomechanism.com
- domain: potherbreference.com
Technical Details
- Author: AlienVault
- TLP: white
- References: https://securelist.com/honeymyte-kernel-mode-rootkit/118590/
- Adversary: HoneyMyte
- Pulse ID: 69528092ee9eed9c6d16d25d
- Threat Score: null
Threat ID: 69544fc0db813ff03e2ae70c
Added to database: 12/30/2025, 10:18:40 PM
Last enriched: 12/30/2025, 10:19:22 PM
Last updated: 2/7/2026, 12:39:12 AM