


Perceptive Security
SOC/SIEM Consultancy

Chinese state hackers use rootkit to hide ToneShell malware activity
Published:
30 December 2025 at 00:08:42
Alert date:
30 December 2025 at 01:01:49
Source:
bleepingcomputer.com
Operating Systems, Ransomware & Malware, Data Breach & Exfiltration
Chinese state-sponsored hackers are using a new variant of the ToneShell backdoor malware in cyberespionage campaigns targeting government organizations. The malware is being delivered through a sophisticated kernel-mode loader that acts as a rootkit to hide the backdoor's activities from detection systems. This represents an evolution in the ToneShell malware family, which has been previously observed in Chinese espionage operations. The use of kernel-mode techniques demonstrates advanced capabilities and makes detection significantly more challenging for security tools.
Technical details
The ToneShell backdoor is delivered through a kernel-mode loader named ProjectConfiguration.sys, signed with a certificate stolen from Guangzhou Kingteller Technology Co., Ltd. (2012-2015). The loader is a mini-filter driver that intercepts file operations, protects itself from deletion and renaming, modifies the WdFilter driver configuration to disable Microsoft Defender, and injects shellcode into user-mode processes. The new variant uses a 4-byte host ID instead of a 16-byte GUID, obfuscates its network traffic with fake TLS headers, and supports commands for file operations, a remote shell, and data transfer.
Mitigation steps:
Use memory forensics to detect ToneShell infections; monitor for the indicators of compromise provided by Kaspersky; implement detection rules for the specific IoCs mentioned in the report.
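The following hunting script is an added example and is not part of the Perceptive alert or the Kaspersky report. It checks a single Windows host for the two IoCs the alert names (the ProjectConfiguration.sys loader file and drivers signed under the Guangzhou Kingteller certificate) and for the Defender minifilter tampering the alert describes. It assumes the loader registers a minifilter whose name matches its file name, that the abused certificate's subject contains the company name, and that the host is inspected from an elevated PowerShell 5.1 or later session (fltmc needs administrator rights).

```powershell
# Added hunting script (not from the Perceptive alert or the Kaspersky report).
# Run from an elevated PowerShell session on the host being inspected.

$IocDriverFile    = 'ProjectConfiguration.sys'   # loader file name from the alert
$IocSignerPattern = 'Guangzhou Kingteller'       # stolen-certificate owner from the alert
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Registered minifilters. The alert describes the loader as a mini-filter driver;
#    assumption: it registers a filter whose name matches its file name.
$filterTable   = fltmc.exe filters 2>$null
$iocFilterName = [IO.Path]::GetFileNameWithoutExtension($IocDriverFile)
if (-not $filterTable) {
    $findings.Add("fltmc filters returned nothing; re-run as administrator")
} else {
    if ($filterTable -match [regex]::Escape($iocFilterName)) {
        $findings.Add("minifilter '$iocFilterName' is registered (fltmc filters)")
    }
    # WdFilter is Defender's own minifilter. Its absence is consistent with the
    # WdFilter tampering in the alert (or simply with Defender being disabled).
    if (-not ($filterTable -match 'WdFilter')) {
        $findings.Add("Defender minifilter WdFilter is not registered; check Get-MpComputerStatus")
    }
}

# 2. Every kernel driver known to the Service Control Manager, with the
#    Authenticode signer of its on-disk image.
foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
    $path = $drv.PathName
    if (-not $path) { continue }
    # Normalise the NT-style prefixes that PathName sometimes carries.
    $path = $path -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if (-not (Test-Path -LiteralPath $path)) { continue }

    if ([IO.Path]::GetFileName($path) -ieq $IocDriverFile) {
        $findings.Add("service '$($drv.Name)' loads IoC file $path (state: $($drv.State))")
    }

    $sig     = Get-AuthenticodeSignature -FilePath $path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    if ($subject -like "*$IocSignerPattern*") {
        $findings.Add("driver $path is signed by '$subject' (signature status: $($sig.Status))")
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No ToneShell loader indicators found on $($env:COMPUTERNAME)."
} else {
    Write-Output "Findings on $($env:COMPUTERNAME):"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

A hit on the signer check is worth more than a hit on the file name alone: the loader can be renamed, but a kernel driver that still carries the abused certificate cannot. Because a rootkit that intercepts file operations can hide its own image from user-mode enumeration, an empty result from this script does not clear the host; the memory forensics the alert recommends remains the authoritative check.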
Affected products:
Windows
Microsoft Defender
Related links:
https://www.bleepingcomputer.com/news/security/chinese-hackers-abuse-microsoft-app-v-tool-to-evade-antivirus/
https://www.bleepingcomputer.com/news/security/chinese-hackers-use-google-drive-to-drop-malware-on-govt-networks/
https://www.bleepingcomputer.com/news/security/chinese-hackers-use-new-custom-backdoor-to-evade-detection/
https://learn.microsoft.com/en-us/Windows-hardware/drivers/ifs/about-file-system-filter-drivers
https://securelist.com/honeymyte-kernel-mode-rootkit/118590/
Related CVEs:
Related threat actors:
IOCs:
ProjectConfiguration.sys, Certificate from Guangzhou Kingteller Technology Co., Ltd.
This article was created with the assistance of AI technology by Perceptive.
