Chinese State Hackers Use Rootkit To Hide ToneShell Malware Activity
A new sample of the ToneShell backdoor, typically seen in Chinese cyberespionage campaigns, has been delivered through a kernel-mode loader in attacks against government organizations.
The backdoor has been attributed to the Mustang Panda group, also known as HoneyMyte or Bronze President, that usually targets government agencies, NGOs, think tanks, and other high-profile organizations worldwide.
Security researchers at Kaspersky analyzed a malicious filter driver found on computer systems in Asia and discovered that it has been used in campaigns since at least February 2025 against government organizations in Myanmar, Thailand, and other Asian countries.
Evidence showed that the compromised entities had prior infections with older ToneShell variants, PlugX malware, or the ToneDisk USB worm, also attributed to state-sponsored Chinese hackers.
According to Kaspersky, the new ToneShell backdoor was deployed by a mini-filter driver named ProjectConfiguration.sys and signed with a stolen or leaked certificate valid between 2012 and 2015 and issued to Guangzhou Kingteller Technology Co., Ltd.
Mini-filters are kernel-mode drivers that plug into the Windows file-system I/O stack and can inspect, modify, or block file operations. Security software, encryption tools, and backup utilities typically use them.
ProjectConfiguration.sys embeds two user-mode shellcodes in its .data section; each is injected into a user-mode process and executed there as a separate thread.
To evade static analysis, the driver resolves required kernel APIs at runtime by enumerating loaded kernel modules and matching function hashes, rather than importing functions directly.
It registers as a mini-filter driver and intercepts file-system operations related to deletion and renaming. When such operations target the driver itself, they are blocked by forcing the request to fail.
The driver also protects its service-related registry keys by registering a registry callback and denying attempts to create or open them. To ensure priority over security products, it selects a mini-filter altitude above the antivirus-reserved range.
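A defender-side way to act on the altitude detail above is to triage the output of `fltmc filters` and flag any loaded minifilter that sits above the FSFilter Anti-Virus load-order group (altitudes 320000-329999 per Microsoft's documentation) and is not in a known-good baseline, since such a filter receives pre-operation callbacks before every antivirus filter on the host. The following script is an added example written for this article, not code from Kaspersky or BleepingComputer; the `fltmc` output is constructed, the altitude shown for ProjectConfiguration is a placeholder (the article does not report the real value), and the baseline set is an assumption to be replaced with the host's own inventory.

```python
import re
from dataclasses import dataclass

# Microsoft's documented altitude range for the FSFilter Anti-Virus
# load-order group. A minifilter with a higher altitude is attached
# closer to the I/O manager and sees file operations before AV filters.
AV_ALTITUDE_RANGE = (320000, 329999)

# Constructed sample of `fltmc filters` output. The ProjectConfiguration
# altitude is a placeholder, not a value from the analysis.
SAMPLE_FLTMC_OUTPUT = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
WdFilter                                4       328010         0
ProjectConfiguration                    4       388888         0
FileInfo                                4       40500          0
"""

# Assumed local baseline of filters that legitimately load above the AV
# range on this host (e.g. monitoring tools). Populate from a known-clean
# system; anything else above the AV range is worth a closer look.
BASELINE_HIGH_ALTITUDE = {"SysmonDrv"}


@dataclass
class MinifilterEntry:
    name: str
    instances: int
    altitude: float
    frame: int


# One data row: name, instance count, altitude (may carry decimals), frame.
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+(?:\.\d+)?)\s+(\d+)\s*$")


def parse_fltmc(text: str) -> list[MinifilterEntry]:
    """Parse `fltmc filters` output into entries; header and rule lines are skipped."""
    entries = []
    for line in text.splitlines():
        match = ROW_RE.match(line.strip())
        if match:
            name, instances, altitude, frame = match.groups()
            entries.append(MinifilterEntry(name, int(instances), float(altitude), int(frame)))
    return entries


def sits_above_av_range(entry: MinifilterEntry) -> bool:
    """True if the filter is attached above the antivirus load-order group."""
    return entry.altitude > AV_ALTITUDE_RANGE[1]


def triage(entries: list[MinifilterEntry], baseline: set[str]) -> list[str]:
    """Names of filters above the AV range that are not in the known-good baseline."""
    return [e.name for e in entries if sits_above_av_range(e) and e.name not in baseline]


def filters_preempted_by(entries: list[MinifilterEntry], name: str) -> set[str]:
    """Filters that see each file operation only after `name` has had its turn."""
    target = next(e for e in entries if e.name == name)
    return {e.name for e in entries if e.altitude < target.altitude}


if __name__ == "__main__":
    loaded = parse_fltmc(SAMPLE_FLTMC_OUTPUT)
    for suspect in triage(loaded, BASELINE_HIGH_ALTITUDE):
        print(f"{suspect}: above AV range, preempts {sorted(filters_preempted_by(loaded, suspect))}")
```

On a live host, feed the real output (`fltmc filters` from an elevated prompt) into `parse_fltmc` and keep the baseline per build image; the altitude alone does not prove malice, but a filter above the AV range with no product to account for it is the kind of anomaly the ToneShell loader relies on nobody checking.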
Source: BleepingComputer