Dec 30, 2026 | Ravie Lakshmanan | Malware / Cyber Espionage

Mustang Panda Uses Signed Kernel-Mode Rootkit to Load TONESHELL Backdoor

The Chinese hacking group known as Mustang Panda has leveraged a previously undocumented kernel-mode rootkit driver to deliver a new variant of a backdoor dubbed TONESHELL in a cyber attack detected in mid-2025 targeting an unspecified entity in Asia.

The findings come from Kaspersky, which observed the new backdoor variant in cyber espionage campaigns mounted by the hacking group against government organizations in Southeast and East Asia, primarily Myanmar and Thailand.

“The driver file is signed with an old, stolen, or leaked digital certificate and registers as a minifilter driver on infected machines,” the Russian cybersecurity company said. “Its end-goal is to inject a backdoor trojan into the system processes and provide protection for malicious files, user-mode processes, and registry keys.”

The final payload deployed as part of the attack is TONESHELL, an implant with reverse shell and downloader capabilities to fetch next-stage malware onto compromised hosts. The use of TONESHELL has been attributed to Mustang Panda since at least late 2022.

As recently as September 2025, the threat actor was linked to attacks targeting Thai entities with TONESHELL and a USB worm named TONEDISK (aka WispRider) that uses removable devices as a distribution vector for a backdoor called Yokai.

The command-and-control (C2) infrastructure used for TONESHELL is said to have been set up in September 2024, although there are indications that the campaign itself didn't begin until February 2025. The exact initial access pathway used in the attack is not clear. It's suspected that the attackers abused previously compromised machines to deploy the malicious driver.


The driver file (“ProjectConfiguration.sys”) is signed with a digital certificate from Guangzhou Kingteller Technology Co., Ltd, a Chinese company that's involved in the distribution and provisioning of automated teller machines (ATMs). The certificate was valid from August 2012 to 2015.

Given that there are other unrelated malicious artifacts signed with the same digital certificate, it's assessed that the threat actors likely leveraged a leaked or stolen certificate to achieve their goals. The malicious driver comes fitted with two user-mode shellcodes that are embedded into the .data section of the binary. They're executed as separate user-mode threads.

“The rootkit functionality protects both the driver's own module and the user-mode processes into which the backdoor code is injected, preventing access by any process on the system,” Kaspersky said.

The driver has the following set of features –

“Microsoft designates the 320000–329999 altitude range for the FSFilter Anti-Virus Load Order Group,” Kaspersky explained. “The malware's chosen altitude exceeds this range. Since filters with lower altitudes sit deeper in the I/O stack, the malicious driver intercepts file operations before legitimate low-altitude filters like antivirus components, allowing it to bypass security checks.”
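The two observations above (a minifilter registered at an altitude above the anti-virus load-order group, and a driver signed with a certificate that expired years ago) can be checked on a host in one pass. The script below is an added defender-side triage example, not code from the article or from Kaspersky. It assumes an elevated PowerShell session, that a minifilter's name matches its driver service name (true for most drivers, not guaranteed, so unmatched entries are flagged rather than dropped), and it takes the 320000–329999 anti-virus range from the quote above; the three-year "long expired" threshold is an arbitrary constructed heuristic.

```powershell
# Added example: list loaded minifilters highest-altitude first (the order in which
# they see each file operation), resolve each one's driver file and inspect its
# Authenticode signature. Flags are prompts for review, not verdicts: legitimate
# filters (e.g. backup or activity monitors) also live above the AV group.

$AvAltitudeLow  = 320000   # FSFilter Anti-Virus load order group (from the article)
$AvAltitudeHigh = 329999

function Resolve-DriverPath {
    # Normalise the PathName forms Win32_SystemDriver returns into a file-system path.
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''                    # strip \??\ prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot           # expand \SystemRoot
    $p = $p -replace '^system32\\', "$env:SystemRoot\system32\" # relative form
    return $p
}

function Get-MinifilterTriage {
    # "fltmc filters" prints a two-line header, then: Name [Instances] Altitude Frame
    $lines = fltmc filters | Select-Object -Skip 2 | Where-Object { $_.Trim() }
    foreach ($line in $lines) {
        $cols = $line.Trim() -split '\s+'
        if ($cols.Count -lt 3) { continue }
        $name     = $cols[0]
        $frame    = $cols[-1]
        $altitude = 0.0
        if (-not [double]::TryParse($cols[-2], [ref]$altitude)) { continue }  # legacy rows

        # Assumption: filter name == service name; falls through to 'no-service-match' if not.
        $svc  = Get-CimInstance Win32_SystemDriver -Filter "Name='$name'" -ErrorAction SilentlyContinue
        $path = Resolve-DriverPath $svc.PathName
        $sig  = if ($path -and (Test-Path $path)) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        $notAfter = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.NotAfter } else { $null }

        $flags = @()
        if ($altitude -gt $AvAltitudeHigh) { $flags += 'above-AV-group' }
        if ($altitude -ge $AvAltitudeLow -and $altitude -le $AvAltitudeHigh) { $flags += 'in-AV-group' }
        if (-not $sig -or $sig.Status -ne 'Valid') { $flags += 'signature-not-valid' }
        if ($notAfter -and $notAfter -lt (Get-Date).AddYears(-3)) { $flags += 'signer-cert-long-expired' }
        if (-not $path) { $flags += 'no-service-match' }

        [pscustomobject]@{
            Filter    = $name
            Altitude  = $altitude
            Frame     = $frame
            Path      = $path
            SigStatus = if ($sig) { $sig.Status } else { 'n/a' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            NotAfter  = $notAfter
            Flags     = ($flags -join ',')
        }
    }
}

# Highest altitude first: these filters intercept I/O before everything below them.
Get-MinifilterTriage | Sort-Object Altitude -Descending | Format-Table -AutoSize
```

Read the output top-down: anything sitting above 329999 that is not a filter you can account for, or whose signer certificate lapsed years ago, deserves a closer look at the driver file itself. Note that a timestamped signature from an expired certificate can still report `Valid`, which is why the script surfaces `NotAfter` separately instead of relying on `Status` alone.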

The driver is ultimately designed to drop two user-mode payloads, one of which spawns an “svchost.exe” process and injects a small delay-inducing shellcode. The second payload is the TONESHELL backdoor that's injected into that same “svchost.exe” process.

Once launched, the backdoor establishes contact with a C2 server (“avocadomechanism[.]com” or “potherbreference[.]com”) over TCP on port 443, using the communication channel to receive commands that allow it to –

  • Create temporary file for incoming data (0x1)
  • Download file (0x2 / 0x3)
  • Cancel download (0x4)
  • Establish remote shell via pipe (0x7)
  • Receive operator command (0x8)
  • Terminate shell (0x9)
  • Upload file (0xA / 0xB)
  • Cancel upload (0xC), and
  • Close connection (0xD)

The development marks the first time TONESHELL has been delivered through a kernel-mode loader, effectively allowing it to hide its activity from security tools. The findings indicate that the driver is the latest addition to a larger, evolving toolset used by Mustang Panda to maintain persistence and conceal its backdoor.

Memory forensics is crucial to analyzing the new TONESHELL infections, as the shellcode executes entirely in memory, Kaspersky said, noting that detecting the injected shellcode is a key indicator of the backdoor's presence on compromised hosts.
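Two details from the article give a defender a cheap place to start before reaching for a memory dump: the user-mode payload spawns its own “svchost.exe” and injects into it, and the backdoor code lives only in that process's memory. Every legitimate svchost.exe is started by services.exe with a “-k <service group>” command line from the System32 copy, so an svchost.exe that breaks any of those rules is the one to image first. The script below is an added example, not code from the article or from Kaspersky; it assumes an elevated session (otherwise command lines of other users' processes are hidden and would be flagged as missing) and that no other software on the host legitimately launches svchost.exe.

```powershell
# Added example: find svchost.exe instances whose parentage, command line or image
# path does not match how the Service Control Manager launches them. A hit is a
# candidate for memory acquisition, not proof of injection.

function Get-SuspiciousSvchost {
    $procs = Get-CimInstance Win32_Process
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

    $expectedImage = Join-Path $env:SystemRoot 'System32\svchost.exe'

    foreach ($p in ($procs | Where-Object { $_.Name -ieq 'svchost.exe' })) {
        $parent     = $byPid[[int]$p.ParentProcessId]
        $parentName = if ($parent) { $parent.Name } else { '<exited or unknown>' }
        $reasons    = @()

        # Rule 1: the parent should be services.exe (the SCM).
        if (-not $parent -or $parent.Name -ine 'services.exe') { $reasons += "parent is $parentName" }

        # Rule 2: the SCM always passes a service group with -k; a bare svchost.exe has none.
        if ($p.CommandLine -notmatch '(^|\s)-k\s+\S+') { $reasons += 'no -k service group on command line' }

        # Rule 3: the image should be the System32 binary, not a copy elsewhere.
        if ($p.ExecutablePath -and ($p.ExecutablePath -ine $expectedImage)) {
            $reasons += "image path $($p.ExecutablePath)"
        }

        if ($reasons.Count -eq 0) { continue }
        [pscustomobject]@{
            Pid         = $p.ProcessId
            ParentPid   = $p.ParentProcessId
            Parent      = $parentName
            Image       = $p.ExecutablePath
            CommandLine = $p.CommandLine
            Reasons     = ($reasons -join '; ')
        }
    }
}

Get-SuspiciousSvchost | Format-Table -AutoSize
```

Two caveats on reading the results: `ParentProcessId` is a snapshot, so a parent that has already exited (the pattern the article describes, where a short-lived user-mode component spawns svchost.exe and moves on) shows up as “exited or unknown”, which is itself a reason to look closer; and PIDs are reused, so an exited parent's PID can occasionally point at an unrelated live process. Confirming injection still requires inspecting the process's memory for executable private regions, which this listing only helps you target.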

“HoneyMyte's 2025 operations show a noticeable evolution toward using kernel-mode injectors to deploy TONESHELL, enhancing both stealth and resilience,” the company concluded.

“To further conceal its activity, the driver first deploys a small user-mode component that handles the final injection step. It also uses several obfuscation techniques, callback routines, and notification mechanisms to hide its API usage and track process and registry activity, ultimately strengthening the backdoor's defenses.”
