HoneyMyte APT Adopts Kernel-Mode Rootkit to Stealthily Deploy ToneShell Backdoor
Kaspersky has identified a new HoneyMyte APT campaign that marks a significant escalation in technical sophistication, centered on the use of a kernel-mode mini-filter driver to deploy and protect malware. The malicious driver, signed with a long-expired but valid stolen certificate, installs as ProjectConfiguration[.]sys and functions as a rootkit, blocking file, registry, and process access to shield attacker components from security tools. Its primary purpose is to inject a refreshed variant of the ToneShell backdoor into high-privilege system processes while evading user-mode detection mechanisms. The campaign appears tightly targeted at government organizations in Southeast and East Asia, with Myanmar and Thailand most affected, and telemetry indicates activity beginning around February 2025. Nearly all victims had evidence of prior HoneyMyte infections, suggesting the actor leveraged long-term footholds rather than new initial access vectors. This reflects a maturation toward layered persistence and defense evasion rather than opportunistic compromise. The kernel driver embeds user-mode shellcode, dynamically resolves kernel APIs, interferes with Microsoft Defender loading, and selectively denies access to protected processes and registry keys, allowing ToneShell to execute covertly in memory. The new ToneShell variant introduces changes in host identification and network communication, disguising command-and-control traffic with fake TLS headers while supporting full remote access, file transfer, and shell capabilities over raw TCP. Delivery via a kernel-mode loader represents a first for ToneShell and provides resilience against traditional endpoint monitoring, making memory-based detection essential. Command-and-control infrastructure registered in late 2024 and long-lived MgBot-style tradecraft further reinforce attribution to HoneyMyte. 
To reduce risk, organizations should prioritize kernel-driver monitoring, certificate trust hygiene, memory forensics, and rapid response to signs of prior HoneyMyte tooling, as early detection and removal of legacy footholds is critical to preventing this new rootkit-enabled persistence model.
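A defender-side check for the traffic disguise described above, as an added example that is not from Kaspersky's report or this page: it classifies the first client-to-server bytes of a TCP stream and flags payloads that wear a TLS-style record header without being a valid TLS opening. It assumes the fake header imitates the standard 5-byte TLS record header (the page does not give the bytes); the function name and sample payloads are constructed for illustration.

```python
import struct

HANDSHAKE = 0x16                          # TLS record content type: handshake
RECORD_TYPES = {0x14, 0x15, 0x16, 0x17}   # ccs, alert, handshake, application data
CLIENT_HELLO = 0x01                       # handshake message type


def classify_first_bytes(payload: bytes) -> str:
    """Classify the first client-to-server bytes of a TCP stream."""
    if len(payload) < 6:
        return "too-short"
    ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
    # Not shaped like a TLS record header at all: another protocol, out of scope.
    if ctype not in RECORD_TYPES or major != 3:
        return "not-tls"
    # RFC 8446: the record-layer version on the wire stays at 0x0301 or 0x0303,
    # even for TLS 1.3, so anything above 0x0303 is not a compliant stack.
    if minor > 3:
        return "fake-tls: impossible record version"
    # Every real session opens with a handshake record holding a ClientHello.
    if ctype != HANDSHAKE:
        return "fake-tls: no handshake before data"
    if payload[5] != CLIENT_HELLO or length < 4 or length > 2**14:
        return "fake-tls: malformed handshake"
    return "tls"


# Constructed sample payloads (assumptions for illustration, not captured traffic).
SAMPLES = {
    "browser": bytes.fromhex("16 03 01 00 2e 01 00 00 2a 03 03") + bytes(40),
    "masked-a": bytes.fromhex("17 03 03 00 10") + bytes(range(16)),
    "masked-b": bytes.fromhex("17 03 04 00 10") + bytes(range(16)),
    "http": b"GET / HTTP/1.1\r\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:9} {classify_first_bytes(data)}")
```

Run it over the first payload of each outbound flow on port 443 or any other port; a "fake-tls" verdict means the stream only looks like TLS to a tool that reads nothing past the header.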
Connected Agents Introduce a Silent Privilege-Escalation Path in Microsoft Copilot Studio
Researchers at Zenity found that Microsoft Copilot Studio’s new Connected Agents feature creates a high-risk trust boundary collapse between AI agents by allowing them to directly invoke each other’s tools, knowledge, and topics with minimal visibility or control. Enabled by default, the feature allows any agent in the same environment to reuse privileged capabilities, such as email sending, data access, or external integrations, effectively turning shared agents into reusable backends. Critically, Copilot Studio provides no native way to identify which agents are connected to a given agent, and invocations leave no audit trail in the activity logs of the agent being called. This design obscures lateral agent-to-agent abuse and prevents defenders from detecting misuse through standard platform telemetry. As a result, Connected Agents function as an invisible orchestration layer where sensitive actions can be triggered indirectly without accountability. The lack of native logging and discovery significantly weakens post-incident investigation and governance. Security researchers demonstrated that a malicious or rogue agent can abuse this feature to hijack trusted, business-critical agents, such as those capable of sending emails from official corporate mailboxes. In a realistic scenario, an attacker or insider with tenant access can connect a malicious agent to a legitimate support agent and silently invoke its email-sending tool to conduct phishing, misinformation, or spam campaigns that appear to originate from the organization. Because Connected Agent calls do not surface in the invoked agent’s logs, abuse may only be visible on the calling agent, if at all, leaving defenders blind to the true execution path. If such a privileged agent is also exposed to unauthenticated users or automated workflows, the blast radius extends to the public internet.
To reduce risk, organizations should treat Connected Agents as a high-risk integration surface by disabling it for sensitive agents, enforcing tool-level authentication, restricting agent creation and sharing, and implementing independent monitoring to track inter-agent invocation paths before this feature becomes an implicit backdoor into trusted AI capabilities within Microsoft Copilot Studio.
EmEditor Supply Chain Attack Delivers Multi-Stage Infostealer via Trojanized Installers
Researchers found that between December 19 and 22, 2025, the official EmEditor website was compromised in a supply chain attack that replaced legitimate MSI installers with malicious versions signed using a fraudulent certificate attributed to “WALSHAM INVESTMENTS LIMITED.” The tampered installers delivered a PowerShell-based infostealer that disabled logging, collected detailed system information, and encrypted stolen data before exfiltrating it to attacker-controlled infrastructure. Given EmEditor’s widespread adoption among developers, operations staff, and other technical users in China, the attack significantly increased the risk of exposure of sensitive enterprise and government data. Analysis confirmed that the malware harvested files from common user directories, stole VPN configurations, Windows credentials, and browser data, and compromised credentials across a wide range of collaboration and communication platforms. The payload also captured screenshots and compressed all collected data into encrypted archives for transmission. Built-in geofencing logic terminated execution on systems using languages associated with certain regions, suggesting deliberate targeting discipline by the operators. Beyond the initial infostealer, the attack established persistence by installing a malicious browser extension disguised as “Google Drive Caching,” which functioned as a full-featured information-stealing and remote-control implant. This extension harvested extensive browser and system telemetry, implemented keylogging and cryptocurrency clipboard hijacking, and supported a wide range of remote commands, including screenshot capture, file access, proxy setup, and arbitrary JavaScript execution. Security vendors confirmed that users who installed EmEditor via the built-in updater, official direct download endpoints, or portable/store versions were not affected, while enterprise detection engines are already capable of identifying the malicious installers. 
Organizations are advised to immediately identify and isolate potentially affected systems, rotate credentials, enable multi-factor authentication, and review browser extensions and outbound network activity for signs of compromise stemming from this supply chain incident.
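One way to carry out the browser-extension review advised above, as an added example that is not code from the researchers or from this page: it sweeps a Chromium-style `Extensions` directory for an extension whose display name is “Google Drive Caching”, resolving localized `__MSG_…__` names that a plain text search of `manifest.json` would miss. It assumes the standard `<extension id>/<version>/manifest.json` layout; the function names, extension IDs and sample tree are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

LURE_NAME = "google drive caching"  # display name given on this page, lower-cased


def display_name(ext_dir: Path) -> str:
    """Display name of one extension version, resolving a __MSG_key__ placeholder."""
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8-sig"))
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        locale = manifest.get("default_locale", "en")
        path = ext_dir / "_locales" / locale / "messages.json"
        messages = json.loads(path.read_text(encoding="utf-8-sig"))
        # Message keys are case-insensitive in the extension i18n format.
        lowered = {k.lower(): v for k, v in messages.items()}
        name = lowered.get(name[6:-2].lower(), {}).get("message", name)
    return name


def find_lure_extensions(extensions_root: Path) -> list:
    """Return '<id>/<version>' for each installed extension using the lure name."""
    hits = []
    for manifest in sorted(extensions_root.glob("*/*/manifest.json")):
        try:
            name = display_name(manifest.parent)
        except (OSError, ValueError):
            continue  # unreadable or malformed files: skip, keep sweeping
        if name.strip().lower() == LURE_NAME:
            hits.append(f"{manifest.parent.parent.name}/{manifest.parent.name}")
    return hits


def build_sample(root: Path) -> Path:
    """Constructed sample tree: one benign extension, one using the lure name."""
    def write(ext_id, manifest, messages=None):
        d = root / ext_id / "1.0_0"
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        if messages:
            (d / "_locales" / "en").mkdir(parents=True)
            (d / "_locales" / "en" / "messages.json").write_text(json.dumps(messages))
    write("a" * 32, {"name": "Notes Helper", "version": "1.0"})
    write("b" * 32, {"name": "__MSG_extName__", "default_locale": "en"},
          {"extname": {"message": "Google Drive Caching"}})
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(find_lure_extensions(build_sample(Path(tmp))))
```

Point `find_lure_extensions` at each browser profile's `Extensions` directory; a name match is a lead for investigation rather than a verdict, since the display name is chosen by the operator and can change.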