Cyber Web Spider Blog – News
Mustang Panda Uses Signed Kernel-Mode Rootkit to Load TONESHELL Backdoor

Posted on December 30, 2025 By CWS

Dec 30, 2026 | Ravie Lakshmanan | Malware / Cyber Espionage
The Chinese hacking group known as Mustang Panda has leveraged a previously undocumented kernel-mode rootkit driver to deliver a new variant of a backdoor dubbed TONESHELL in a cyber attack detected in mid-2025 targeting an unspecified entity in Asia.
The findings come from Kaspersky, which observed the new backdoor variant in cyber espionage campaigns mounted by the hacking group against government organizations in Southeast and East Asia, primarily Myanmar and Thailand.
“The driver file is signed with an outdated, stolen, or leaked digital certificate and registers as a minifilter driver on infected machines,” the Russian cybersecurity company said. “Its end goal is to inject a backdoor trojan into system processes and provide protection for malicious files, user-mode processes, and registry keys.”
The final payload deployed as part of the attack is TONESHELL, an implant with reverse shell and downloader capabilities to fetch next-stage malware onto compromised hosts. The use of TONESHELL has been attributed to Mustang Panda since at least late 2022.
As recently as September 2025, the threat actor was linked to attacks targeting Thai entities with TONESHELL and a USB worm named TONEDISK (aka WispRider) that uses removable devices as a distribution vector for a backdoor called Yokai.
The command-and-control (C2) infrastructure used for TONESHELL is said to have been set up in September 2024, although there are indications that the campaign itself did not begin until February 2025. The exact initial access pathway used in the attack is not clear. It is suspected that the attackers abused previously compromised machines to deploy the malicious driver.

The driver file (“ProjectConfiguration.sys”) is signed with a digital certificate from Guangzhou Kingteller Technology Co., Ltd, a Chinese company involved in the distribution and provisioning of automated teller machines (ATMs). The certificate was valid from August 2012 to 2015.
Given that there are other unrelated malicious artifacts signed with the same digital certificate, it is assessed that the threat actors likely leveraged a leaked or stolen certificate to achieve their goals. The malicious driver comes fitted with two user-mode shellcodes that are embedded in the .data section of the binary. They are executed as separate user-mode threads.
“The rootkit functionality protects both the driver’s own module and the user-mode processes into which the backdoor code is injected, preventing access by any process on the system,” Kaspersky said.

The driver has the following set of features:

Resolve required kernel APIs dynamically at runtime by using a hashing algorithm to match the required API addresses
Monitor file-delete and file-rename operations to prevent itself from being deleted or renamed
Deny attempts to create or open Registry keys that match against a protected list by setting up a RegistryCallback routine and ensuring that it operates at an altitude of 330024 or higher
Interfere with the altitude assigned to WdFilter.sys, a Microsoft Defender driver, and change it to zero (it has a default value of 328010), thereby preventing it from being loaded into the I/O stack
Intercept process-related operations and deny access if the action targets any process on a list of protected process IDs while they are running
Remove rootkit protection for these processes once execution completes

“Microsoft designates the 320000–329999 altitude range for the FSFilter Anti-Virus Load Order Group,” Kaspersky explained. “The malware’s chosen altitude exceeds this range. Since filters with lower altitudes sit deeper in the I/O stack, the malicious driver intercepts file operations before legitimate low-altitude filters like antivirus components, allowing it to bypass security checks.”
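As an added defender-side example (not from the Kaspersky report or this article), the Python below parses the table printed by `fltmc filters` and checks for the two conditions the altitude discussion describes: WdFilter absent, detached, or moved from its 328010 altitude, and any filter registered above the 320000–329999 anti-virus group, which therefore sees file operations before Defender does. The sample output is constructed, and the filter name ProjectConfiguration is a placeholder borrowed from the article's driver file name; the real registered filter name may differ.

```python
"""Audit `fltmc filters` output for the minifilter tampering the article describes:
WdFilter pushed out of the I/O stack, and a rogue filter above the AV group."""
import re
from typing import NamedTuple

AV_GROUP = (320000, 329999)   # FSFilter Anti-Virus load-order group (altitudes from the article)
WDFILTER_ALTITUDE = 328010    # documented default altitude of WdFilter.sys (from the article)

class Filter(NamedTuple):
    name: str
    instances: int
    altitude: float
    frame: str

def parse_fltmc(text: str) -> list[Filter]:
    """Parse the table printed by `fltmc filters`; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows have exactly four columns with a numeric altitude in the third.
        if len(parts) == 4 and re.fullmatch(r"\d+(\.\d+)?", parts[2]):
            rows.append(Filter(parts[0], int(parts[1]), float(parts[2]), parts[3]))
    return rows

def audit(filters: list[Filter]) -> list[str]:
    """ALERT when Defender's filter is absent, detached or moved from its default
    altitude; REVIEW every filter above the AV group, since a higher altitude sees
    file operations before the anti-virus filters do."""
    findings = []
    wd = next((f for f in filters if f.name.lower() == "wdfilter"), None)
    if wd is None or wd.instances == 0:
        findings.append("ALERT: WdFilter is not attached to any volume")
    elif wd.altitude != WDFILTER_ALTITUDE:
        findings.append(f"ALERT: WdFilter altitude {wd.altitude:g}, expected {WDFILTER_ALTITUDE}")
    for f in sorted(filters, key=lambda f: f.altitude, reverse=True):
        if f.altitude > AV_GROUP[1]:
            findings.append(f"REVIEW: {f.name} at altitude {f.altitude:g} is above the AV group")
    return findings

# Constructed sample of `fltmc filters` output (not a real capture); the rogue row
# uses the article's driver file stem as a placeholder name and its 330024 altitude.
FLTMC_SAMPLE = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
ProjectConfiguration                    3         330024         0
storqosflt                              0         244000         0
wcifs                                   0         189900         0
FileInfo                                3          45000         0
"""

if __name__ == "__main__":
    for finding in audit(parse_fltmc(FLTMC_SAMPLE)):
        print(finding)
```

Legitimate activity-monitor and backup filters also live above the AV group, so REVIEW lines are a triage list to compare against the host's known-good filter inventory, not alerts in themselves.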

The driver is ultimately designed to drop two user-mode payloads, one of which spawns an “svchost.exe” process and injects a small delay-inducing shellcode. The second payload is the TONESHELL backdoor, which is injected into that same “svchost.exe” process.
Once launched, the backdoor establishes contact with a C2 server (“avocadomechanism[.]com” or “potherbreference[.]com”) over TCP on port 443, using the communication channel to receive commands that allow it to:

Create temporary file for incoming data (0x1)
Receive file (0x2 / 0x3)
Cancel download (0x4)
Establish remote shell via pipe (0x7)
Receive operator command (0x8)
Terminate shell (0x9)
Upload file (0xA / 0xB)
Cancel upload (0xC), and
Close connection (0xD)

The development marks the first time TONESHELL has been delivered by a kernel-mode loader, effectively allowing it to hide its activity from security tools. The findings indicate that the driver is the latest addition to a larger, evolving toolset used by Mustang Panda to maintain persistence and conceal its backdoor.
Memory forensics is critical to analyzing the new TONESHELL infections, because the shellcode executes entirely in memory, Kaspersky said, noting that detecting the injected shellcode is an important indicator of the backdoor’s presence on compromised hosts.
“HoneyMyte’s 2025 operations show a noticeable evolution toward using kernel-mode injectors to deploy ToneShell, enhancing both stealth and resilience,” the company concluded.
“To further conceal its activity, the driver first deploys a small user-mode component that handles the final injection step. It also uses multiple obfuscation techniques, callback routines, and notification mechanisms to hide its API usage and monitor process and registry activity, ultimately strengthening the backdoor’s defenses.”

Source: The Hacker News | Tags: Backdoor, KernelMode, Load, Mustang, Panda, Rootkit, Signed, ToneShell

Copyright © 2025 Cyber Web Spider Blog – News.