Kaspersky uncovers Mustang Panda Attack Using Rootkit and TONESHELL Malware

The Chinese hacking group known as Mustang Panda has leveraged a previously undocumented kernel-mode rootkit driver to deliver a new variant of a backdoor dubbed TONESHELL in a cyberattack detected in mid-2025 against an unspecified entity in Asia.

These findings come from Kaspersky, which observed the new backdoor variant during cyber espionage campaigns conducted by the group against government organizations in Southeast and East Asia, with Myanmar and Thailand as the primary targets.

“The driver file is signed with an old, stolen, or leaked digital certificate and registers as a minifilter driver on infected machines,” the Russian cybersecurity company said. “Its end-goal is to inject a backdoor trojan into the system processes and provide protection for malicious files, user-mode processes, and registry keys.”

TONESHELL’s Role in Mustang Panda’s Espionage Operations

The attack ultimately deploys TONESHELL, an implant that offers reverse shell and downloader capabilities and allows attackers to fetch additional malware onto compromised hosts. Researchers have attributed the use of TONESHELL to Mustang Panda since at least late 2022.

More recently, in September 2025, analysts linked the threat actor to attacks against Thai entities that combined TONESHELL with a USB worm called TONEDISK (also known as WispRider). That worm relies on removable media to distribute a backdoor referred to as Yokai.

Meanwhile, researchers determined that the command-and-control (C2) infrastructure supporting TONESHELL went live in September 2024. However, evidence suggests that the campaign itself did not begin until February 2025. Investigators have not yet identified the exact initial access vector, although they suspect the attackers abused previously compromised machines to deploy the malicious driver.

Abuse of a Legitimate Digital Certificate

The driver file, named “ProjectConfiguration.sys,” carries a digital signature tied to Guangzhou Kingteller Technology Co., Ltd, a Chinese company involved in the distribution and provisioning of automated teller machines (ATMs). The certificate remained valid between August 2012 and 2015.

Because other unrelated malicious artifacts also carry signatures from the same certificate, analysts assess that the threat actors likely relied on a leaked or stolen certificate to carry out the operation. The malicious driver includes two user-mode shellcodes embedded in the .data section of the binary, and it executes them as separate user-mode threads.

“The rootkit functionality protects both the driver’s own module and the user-mode processes into which the backdoor code is injected, preventing access by any process on the system,” Kaspersky said.

Rootkit Capabilities and Defensive Evasion

The driver supports the following capabilities:

  • Resolve required kernel APIs dynamically at runtime using a hashing algorithm to match API addresses
  • Monitor file deletion and file renaming attempts to prevent removal or renaming
  • Block attempts to create or open protected Registry keys by registering a RegistryCallback routine that operates at an altitude of 330024 or higher
  • Interfere with the altitude assigned to WdFilter.sys, a Microsoft Defender driver, by changing it to zero (from its default value of 328010), which prevents it from loading into the I/O stack
  • Intercept process-related operations and deny access when an action targets protected process IDs during execution
  • Remove rootkit protection from those processes after execution completes

“Microsoft designates the 320000–329999 altitude range for the FSFilter Anti-Virus Load Order Group,” Kaspersky explained. “The malware’s chosen altitude exceeds this range. Since filters with lower altitudes sit deeper in the I/O stack, the malicious driver intercepts file operations before legitimate low-altitude filters like antivirus components, allowing it to circumvent security checks.”
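The altitude tampering described above is something a defender can check for directly, since `fltmc filters` lists every loaded minifilter with its altitude. The following Python script is an added example, not code from Kaspersky or the report: it parses that table and compares it against a baseline of expected filters, flagging a Defender filter whose altitude is no longer 328010 (the default the article cites) and any filter not in the baseline, especially one sitting above the 320000–329999 FSFilter Anti-Virus range. The sample output, the `BASELINE` dictionary and the non-Defender filter names and altitudes are constructed for the demo; the `ProjectConfiguration` row reuses the driver name and the 330024 altitude mentioned in the article.

```python
"""Flag minifilter altitude anomalies in `fltmc filters` output.

Added defender-side example, not Kaspersky's or the report's code. It parses
the table printed by `fltmc filters` on Windows and compares it with a
baseline of filters an administrator expects to see. Everything below that is
not stated in the article (sample rows, baseline entries other than WdFilter)
is a constructed assumption.
"""
import re
from dataclasses import dataclass

ANTIVIRUS_RANGE = (320000, 329999)  # FSFilter Anti-Virus load-order group (from the article)
WDFILTER_DEFAULT_ALTITUDE = 328010  # Microsoft Defender minifilter default (from the article)

# Constructed sample of `fltmc filters` output on a machine where the Defender
# filter has been zeroed and an unexpected filter sits above the anti-virus
# group. The column layout mirrors the real tool; the rows are made up, except
# that the ProjectConfiguration name and 330024 altitude come from the report.
SAMPLE_FLTMC_OUTPUT = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
ProjectConfiguration                    1         330024         0
WdFilter                                4              0         0
storqosflt                              0         244000         0
luafv                                   1         135000         0
"""

# Illustrative baseline (assumption): filters and altitudes expected on this build.
BASELINE = {
    "WdFilter": WDFILTER_DEFAULT_ALTITUDE,
    "storqosflt": 244000,
    "luafv": 135000,
}


@dataclass
class Filter:
    name: str
    instances: int
    altitude: float
    frame: int


# A data row is: name, instance count, altitude (may carry a decimal part), frame.
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+(?:\.\d+)?)\s+(\d+)\s*$")


def parse_fltmc(text):
    """Return a Filter for each data row; header and separator lines are skipped."""
    filters = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            name, inst, alt, frame = m.groups()
            filters.append(Filter(name, int(inst), float(alt), int(frame)))
    return filters


def find_anomalies(filters, baseline=BASELINE):
    """Return (filter_name, reason) findings for the parsed filter list."""
    findings = []
    by_name = {f.name: f for f in filters}

    # 1. Defender's minifilter missing, or loaded with a changed (e.g. zeroed) altitude.
    wd = by_name.get("WdFilter")
    if wd is None:
        findings.append(("WdFilter", "Defender minifilter not loaded"))
    elif wd.altitude != WDFILTER_DEFAULT_ALTITUDE:
        findings.append(("WdFilter", f"altitude {wd.altitude:.0f}, expected {WDFILTER_DEFAULT_ALTITUDE}"))

    _, av_hi = ANTIVIRUS_RANGE
    for f in filters:
        if f.name == "WdFilter":
            continue  # already handled above
        if f.name not in baseline:
            # 2. Unknown filter; report it, and note when it outranks the AV group.
            findings.append((f.name, f"not in baseline, altitude {f.altitude:.0f}"))
            if f.altitude > av_hi:
                findings.append((f.name, "loads above the FSFilter Anti-Virus group, sees I/O first"))
        elif baseline[f.name] != f.altitude:
            # 3. Known filter whose altitude was changed.
            findings.append((f.name, f"altitude changed {baseline[f.name]} -> {f.altitude:.0f}"))
    return findings


if __name__ == "__main__":
    # On a real host, replace the sample with: subprocess.check_output(["fltmc", "filters"], text=True)
    for name, reason in find_anomalies(parse_fltmc(SAMPLE_FLTMC_OUTPUT)):
        print(f"[!] {name}: {reason}")
```

On a live system the baseline should be captured from a known-good build of the same image rather than typed by hand, and the same comparison can be run against the `Altitude` value under each filter's `Instances` subkey in the `Services` registry hive, since that is where the driver changes the value.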

Payload Deployment and C2 Communication

Ultimately, the driver drops two user-mode payloads. First, one payload spawns an svchost.exe process and injects a small shellcode specifically designed to introduce execution delays. Then, in the final stage, the second payload injects the TONESHELL backdoor into that same svchost.exe process.

After launch, the backdoor connects to a C2 server—either “avocadomechanism[.]com” or “potherbreference[.]com”—over TCP port 443. Through this channel, the malware accepts commands that allow operators to:

  • Create a temporary file for incoming data (0x1)
  • Download files (0x2 / 0x3)
  • Cancel downloads (0x4)
  • Establish a remote shell via pipe (0x7)
  • Receive operator commands (0x8)
  • Terminate the shell (0x9)
  • Upload files (0xA / 0xB)
  • Cancel uploads (0xC)
  • Close the connection (0xD)

A Shift Toward Kernel-Mode Delivery

This development marks the first confirmed instance in which Mustang Panda has delivered TONESHELL through a kernel-mode loader, a shift that allows the malware to better conceal its activity from security tools. The findings indicate that the driver represents the latest addition to a broader and evolving toolset that Mustang Panda uses to maintain persistence and obscure its backdoor operations.

According to Kaspersky, memory forensics plays a critical role in analyzing these new TONESHELL infections, because the shellcode executes entirely in memory. Detecting injected shellcode therefore serves as a key indicator of compromise.
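Because the backdoor lives only in memory inside svchost.exe, the usual memory-forensics heuristic for injected code applies: a committed, private (not file-backed) region that is executable, and particularly one that is both writable and executable, has no business in a service host. The script below is an added example, not code from Kaspersky or the report. It runs that heuristic over a list of process memory regions; the `Region` records, process names, addresses and sizes are constructed to resemble what a forensics tool reports after walking a process's address space, and the severity labels are this example's own choice.

```python
"""Flag memory regions that look like injected shellcode.

Added defender-side example, not code from Kaspersky or the report. It applies
the standard memory-forensics heuristic: private, committed, executable memory
with no backing file is where injected shellcode normally sits. The region
records are constructed; addresses, sizes and PIDs are made up.
"""
from dataclasses import dataclass

# Win32 memory constants (real values from the Windows SDK).
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
PAGE_READWRITE = 0x04
MEM_COMMIT = 0x1000
MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000

EXEC_PROTECTIONS = {PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}


@dataclass
class Region:
    pid: int
    process: str
    base: int
    size: int
    state: int        # MEM_COMMIT or not
    protect: int      # PAGE_* value, possibly with guard/cache modifier bits
    mem_type: int     # MEM_PRIVATE / MEM_MAPPED / MEM_IMAGE
    mapped_file: str  # "" when the region is not backed by a file


def base_protection(protect):
    """Strip modifier bits (PAGE_GUARD, PAGE_NOCACHE, ...) and keep the base PAGE_* value."""
    return protect & 0xFF


def classify(region):
    """Return None for a benign region, else a severity string.

    high:   private, committed, writable+executable, no backing file (classic shellcode)
    medium: private, committed, executable but not writable, no backing file
    """
    if region.state != MEM_COMMIT:
        return None
    if region.mem_type != MEM_PRIVATE or region.mapped_file:
        return None  # image sections and file mappings are expected to be executable
    prot = base_protection(region.protect)
    if prot not in EXEC_PROTECTIONS:
        return None  # ordinary heap / stack memory
    return "high" if prot in (PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY) else "medium"


def find_injected(regions):
    """Return (pid, process, base, size, severity) for every suspicious region."""
    hits = []
    for r in regions:
        sev = classify(r)
        if sev:
            hits.append((r.pid, r.process, r.base, r.size, sev))
    return hits


# Constructed sample: an svchost.exe with its legitimate image, a heap, and one
# RWX private region of the kind an injected backdoor occupies; plus another
# process with an RX private region for comparison.
SAMPLE_REGIONS = [
    Region(1234, "svchost.exe", 0x7FF6_1234_0000, 0x8000, MEM_COMMIT, PAGE_EXECUTE_READ,
           MEM_IMAGE, r"C:\Windows\System32\svchost.exe"),
    Region(1234, "svchost.exe", 0x0000_01A2_B000_0000, 0x20000, MEM_COMMIT, PAGE_READWRITE,
           MEM_PRIVATE, ""),
    Region(1234, "svchost.exe", 0x0000_01A2_C000_0000, 0x10000, MEM_COMMIT, PAGE_EXECUTE_READWRITE,
           MEM_PRIVATE, ""),
    Region(4321, "explorer.exe", 0x0000_02B3_0000_0000, 0x4000, MEM_COMMIT, PAGE_EXECUTE_READ,
           MEM_PRIVATE, ""),
    Region(4321, "explorer.exe", 0x7FF6_5555_0000, 0x100000, MEM_COMMIT, PAGE_EXECUTE_READ,
           MEM_MAPPED, r"C:\Windows\System32\ntdll.dll"),
]

if __name__ == "__main__":
    for pid, name, base, size, sev in find_injected(SAMPLE_REGIONS):
        print(f"[{sev}] {name} (pid {pid}) region 0x{base:x} size 0x{size:x}")
```

Medium-severity hits need triage, since runtimes that generate code at run time legitimately create private executable memory; a high-severity hit inside a service host such as svchost.exe is the case worth dumping and analysing first.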

“HoneyMyte’s 2025 operations show a noticeable evolution toward using kernel-mode injectors to deploy TONESHELL, improving both stealth and resilience,” the company concluded.

“To further conceal its activity, the driver first deploys a small user-mode component that handles the final injection step. It also uses multiple obfuscation techniques, callback routines, and notification mechanisms to hide its API usage and track process and registry activity, ultimately strengthening the backdoor’s defenses.”

Source: TheHackerNews
