
Mustang Panda Deploys Signed Kernel-Mode Rootkit to Unleash TONESHELL Backdoor

The Chinese hacking group Mustang Panda has used a previously undocumented kernel-mode rootkit driver to deploy a new variant of its TONESHELL backdoor. According to findings from Kaspersky, the operation was detected in mid-2025 and targeted an undisclosed entity in Asia, with a particular focus on government organizations in Myanmar and Thailand.

The malicious driver, which appears to be signed with an old or leaked digital certificate, registers as a minifilter driver on infected systems. Its primary objective is to inject the TONESHELL backdoor into system processes while safeguarding malicious files, user-mode processes, and registry keys.

TONESHELL can establish a reverse shell and download additional malware onto compromised systems. The group has been using TONESHELL since at least late 2022; its most recent deployments were observed in attacks on Thai organizations alongside a USB worm called TONEDISK, which uses removable devices to spread the backdoor known as Yokai.

Evidence suggests that the command-and-control (C2) infrastructure for TONESHELL was set up in September 2024, but the actual attacks commenced around February 2025. Although the specific initial access method remains unclear, it is suspected that Mustang Panda exploited previously compromised machines to deploy the driver.

The malicious driver ("ProjectConfiguration.sys") is signed with a digital certificate issued to a Chinese firm that specializes in ATM provisioning and distribution. The certificate was valid from August 2012 to 2015, which strongly suggests that the threat actors obtained a stolen or leaked certificate for this operation. The driver embeds user-mode shellcode payloads that it executes in separate threads.

The features of this rootkit include dynamically resolving necessary kernel APIs, monitoring file operations to prevent its deletion, and obstructing access to protected registry keys and processes. It also alters the altitude assigned to key system drivers like Microsoft Defender’s, thereby allowing the malicious driver to intercept file operations before legitimate security filters can act.
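A defender's check for the altitude tampering described above, written as an added example and not taken from the Kaspersky report: it parses `fltmc filters` output, flags a Defender minifilter (WdFilter, allocated altitude 328010 in Microsoft's altitude list) whose altitude no longer matches that baseline, and lists any filter attached above Defender, since a higher altitude sees file I/O first. The sample output is constructed, and the filter name "ProjectConfiguration" is assumed from the driver's file name on the page.

```python
import re
from typing import Dict, List

# Altitude Microsoft allocates to Defender's minifilter (Anti-Virus group, 320000-329999).
BASELINE: Dict[str, int] = {"WdFilter": 328010}

# Constructed `fltmc filters` output; one filter is registered above WdFilter.
SAMPLE_OUTPUT = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
ProjectConfiguration                    3         385100         0
WdFilter                                3         328010         0
FileInfo                                3          40500         0
"""

# Data rows: name, instance count, altitude (may carry a decimal part), frame.
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+(?:\.\d+)?)\s+(\d+)\s*$")


def parse_fltmc(text: str) -> Dict[str, float]:
    """Return {filter name: altitude}; the header and ruler lines do not match ROW."""
    filters: Dict[str, float] = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            filters[m.group(1)] = float(m.group(3))
    return filters


def find_anomalies(filters: Dict[str, float], baseline: Dict[str, int] = BASELINE,
                   av_filter: str = "WdFilter", allowed_above=frozenset()) -> List[str]:
    """Report baseline drift and filters that intercept I/O before the AV filter."""
    findings: List[str] = []
    for name, expected in baseline.items():
        actual = filters.get(name)
        if actual is None:
            findings.append(f"{name} not loaded")
        elif actual != expected:
            findings.append(f"{name} altitude {actual:g} differs from expected {expected}")
    av = filters.get(av_filter)
    if av is not None:
        for name, alt in filters.items():
            # A filter above Defender runs its pre-operation callbacks first.
            if alt > av and name not in allowed_above and name not in baseline:
                findings.append(f"{name} ({alt:g}) attaches above {av_filter} ({av:g})")
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(parse_fltmc(SAMPLE_OUTPUT)):
        print(finding)
```

On a live host, feed it the output of `fltmc filters` (run from an elevated prompt) and cross-check any flagged altitude against the `Altitude` value under `HKLM\SYSTEM\CurrentControlSet\Services\<driver>\Instances\<instance>`.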

Ultimately, the driver drops two user-mode payloads: the first spawns a "svchost.exe" process and injects a delay-inducing shellcode into it, while the second is the TONESHELL backdoor itself. Once active, the backdoor communicates with its C2 server over TCP, receiving and executing commands that include file upload, file download, and remote shell establishment.

This development marks a significant evolution in how TONESHELL is delivered, showcasing the use of kernel-mode loaders to enhance stealth and prolong persistence within compromised environments. Kaspersky emphasizes that memory forensics will be critical for detecting these new TONESHELL infections, as the shellcode operates entirely in memory, making traditional detection methods less effective.

The ongoing operations by Mustang Panda illustrate a sophisticated development in cyber espionage tactics, showing a notable shift toward utilizing kernel-mode injectors for enhanced concealment and resilience against detection.

