Mustang Panda Uses Signed Kernel-mode Rootkit To Load Toneshell...
The Chinese hacking group known as Mustang Panda has leveraged a previously undocumented kernel-mode rootkit driver to deliver a new variant of backdoor dubbed TONESHELL in a cyber attack detected in mid-2025 targeting an unspecified entity in Asia.
The findings come from Kaspersky, which observed the new backdoor variant in cyber espionage campaigns mounted by the hacking group targeting government organizations in Southeast and East Asia, primarily Myanmar and Thailand.
"The driver file is signed with an old, stolen, or leaked digital certificate and registers as a minifilter driver on infected machines," the Russian cybersecurity company said. "Its end-goal is to inject a backdoor trojan into the system processes and provide protection for malicious files, user-mode processes, and registry keys."
The final payload deployed as part of the attack is TONESHELL, an implant with reverse shell and downloader capabilities to fetch next-stage malware onto compromised hosts. The use of TONESHELL has been attributed to Mustang Panda since at least late 2022.
As recently as September 2025, the threat actor was linked to attacks targeting Thai entities with TONESHELL and a USB worm named TONEDISK (aka WispRider) that uses removable devices as a distribution vector for a backdoor referred to as Yokai.
The command-and-control (C2) infrastructure used for TONESHELL is said to have been erected in September 2024, although there are indications that the campaign itself did not commence until February 2025. The exact initial access pathway used in the attack is not clear. It's suspected that the attackers abused previously compromised machines to deploy the malicious driver.
The driver file ("ProjectConfiguration.sys") is signed with a digital certificate from Guangzhou Kingteller Technology Co., Ltd, a Chinese company that's involved in the distribution and provisioning of automated teller machines (ATMs). The certificate was valid from August 2012 to 2015.
Given that there are other unrelated malicious artifacts signed with the same digital certificate, it's assessed that the threat actors likely leveraged a leaked or stolen certificate to realize their goals. The malicious driver comes fitted with two user-mode shellcodes that are embedded into the .data section of the binary. They are executed as separate user-mode threads.
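A defender reading the two paragraphs above would want a quick way to surface drivers on a host that share the traits described: a loaded minifilter, a signer certificate that expired years ago (the article's certificate lapsed in 2015), a signature with no timestamp countersignature, or the reported file name. The script below is an added triage example written for this article; it is not Kaspersky's or The Hacker News' code. It assumes an elevated PowerShell 5.1+ session on Windows where `fltmc.exe`, `Get-CimInstance Win32_SystemDriver` and `Get-AuthenticodeSignature` are available; the cut-off year is a placeholder you should tune, and matching a `fltmc` filter name to a service name is an approximation (the two usually, but not always, coincide).

```powershell
# Driver signing triage: flag running drivers whose signer certificate expired before
# $StaleCertYear, whose signature is not Valid, whose expired-cert signature carries no
# timestamp, or whose file name matches the IoC reported in the article.
param(
    [int]$StaleCertYear = 2016,                                  # placeholder cut-off, tune per environment
    [string[]]$KnownBadFileNames = @('ProjectConfiguration.sys')  # file name reported in the article
)

function Get-LoadedMinifilterNames {
    # "fltmc filters" prints a header, a dashed rule, then one line per filter:
    # "<FilterName>  <NumInstances>  <Altitude>  <Frame>". Only data rows match the regex.
    $names = @()
    foreach ($line in (& fltmc.exe filters 2>$null)) {
        if ($line -match '^(?<name>\S+)\s+\d+\s+\d+\s+\S+\s*$') {
            $names += $Matches.name
        }
    }
    return $names
}

function Get-DriverSignatureReport {
    $now = Get-Date
    $report = foreach ($drv in Get-CimInstance Win32_SystemDriver | Where-Object { $_.State -eq 'Running' }) {
        # PathName may carry an NT-style prefix (\??\ or \SystemRoot\); normalise to a Win32 path.
        $path = $drv.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }

        $sig  = Get-AuthenticodeSignature -LiteralPath $path
        $cert = $sig.SignerCertificate
        $reasons = @()

        if ($KnownBadFileNames -contains (Split-Path -Leaf $path)) {
            $reasons += 'file name matches reported IoC'
        }
        if ($sig.Status -ne 'Valid') {
            $reasons += "signature status $($sig.Status)"
        }
        if ($cert -and $cert.NotAfter.Year -lt $StaleCertYear) {
            $reasons += "signer cert expired $($cert.NotAfter.ToString('yyyy-MM-dd'))"
        }
        # An expired certificate is acceptable only if the signature was timestamped while
        # the certificate was still valid; an expired cert with no timestamp deserves a look.
        if ($cert -and $cert.NotAfter -lt $now -and -not $sig.TimeStamperCertificate) {
            $reasons += 'expired signer cert with no timestamp countersignature'
        }

        [pscustomobject]@{
            Name       = $drv.Name
            Path       = $path
            Status     = $sig.Status
            Signer     = if ($cert) { $cert.Subject }    else { $null }
            NotAfter   = if ($cert) { $cert.NotAfter }   else { $null }
            Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
            Flags      = ($reasons -join '; ')
        }
    }
    return $report
}

# Usage: list only flagged drivers, marking which ones are registered minifilters.
$minifilters = Get-LoadedMinifilterNames
Get-DriverSignatureReport |
    Where-Object { $_.Flags } |
    Select-Object Name,
                  @{ n = 'Minifilter'; e = { $minifilters -contains $_.Name } },
                  Status, Signer, NotAfter, Thumbprint, Flags |
    Sort-Object Name |
    Format-Table -AutoSize
```

The output is a starting point for review, not a verdict: legitimate third-party drivers with old but timestamped signatures will appear if the cut-off year is set aggressively, and a driver that hides its own module from user mode, as the article says this rootkit does, will not appear in `Win32_SystemDriver` at all, so a clean report on a suspect host should be followed by an offline or memory-image check.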
"The rootkit functionality protects both the driver's own module and the user-mode processes into which the backdoor code is injected, pr
Source: The Hacker News