The HoneyMyte APT now protects malware with a kernel-mode rootkit
In mid-2025, a malicious driver file was discovered on Asian computer systems, signed with a compromised digital certificate. This driver injects a backdoor Trojan and protects malicious files, processes, and registry keys. The final payload is a new variant of the ToneShell backdoor, associated with the HoneyMyte APT group. The attacks, which began in February 2025, primarily target government organizations in Southeast and East Asia, especially Myanmar and Thailand. The malware uses various techniques to evade detection, including API obfuscation, process protection, and registry key protection. The ToneShell backdoor communicates with command-and-control servers using fake TLS headers and supports remote operations such as file transfer and shell access.
Indicators of Compromise
- hash: 36f121046192b7cac3e4bec491e8f1b5
- hash: abe44ad128f765c14d895ee1c8bad777
- hash: fe091e41ba6450bcf6a61a2023fe6c83
- domain: avocadomechanism.com
- domain: potherbreference.com
Technical Details
- Author: AlienVault
- TLP: white
- References: https://securelist.com/honeymyte-kernel-mode-rootkit/118590/
- Adversary: HoneyMyte
- Pulse Id: 69528092ee9eed9c6d16d25d
- Threat Score: null
Threat ID: 6952873c71a94549f11d4a99
Added to database: 12/29/2025, 1:50:52 PM
Last updated: 12/29/2025, 2:57:34 PM