Mustang Panda Uses Signed Kernel-Mode Rootkit to Load TONESHELL Backdoor

Published:

30 December 2025 at 08:35:00

Alert date:

30 December 2025 at 09:02:13

Source:

thehackernews.com

Operating Systems, Ransomware & Malware, Data Breach & Exfiltration

Chinese threat actor Mustang Panda deployed a previously undocumented, signed kernel-mode rootkit driver to deliver a new variant of the TONESHELL backdoor in cyber espionage campaigns targeting entities in Asia during mid-2025. The rootkit is used to evade detection and establish persistent access. Kaspersky researchers identified the new backdoor variant as part of ongoing espionage operations by the advanced persistent threat group. Loading the backdoor through a kernel-mode rootkit is a sophisticated technique for maintaining stealth and persistence on compromised systems, and the campaign shows Mustang Panda's continued evolution of its tactics and tooling for cyber espionage.

Technical details

Mustang Panda deployed a signed kernel-mode rootkit driver (ProjectConfiguration.sys) to load the TONESHELL backdoor. The driver is signed with a stolen or leaked certificate issued to Guangzhou Kingteller Technology Co., Ltd (valid 2012-2015). It registers as a minifilter driver at altitude 330024 or higher to bypass security filters, and injects the backdoor code into system processes. The rootkit protects its malicious files, processes, and registry keys, and interferes with Windows Defender by setting the WdFilter.sys altitude to zero. TONESHELL communicates with its C2 servers over TCP port 443 and provides reverse shell, file upload/download, and command execution capabilities.

Mitigation steps:

TONESHELL's shellcode executes entirely in memory, so use memory forensics to analyze suspected infections; injected shellcode in system processes is the key indicator of the backdoor's presence. Monitor for minifilter drivers registered at unusual altitudes (330024 and above) and for modifications to the WdFilter.sys altitude value. Implement detection for processes protected by unusual registry callback routines, and alert on drivers signed with the Guangzhou Kingteller Technology Co., Ltd certificate.
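A detection check for two of the indicators above, added here as an example and not taken from the advisory or from Kaspersky's research: it parses a minifilter listing in the layout printed by `fltmc filters` and flags a WdFilter altitude that differs from its normal value (assumed to be 328010; confirm against a known-good host) and any filter registered at 330024 or higher that is not on your baseline allowlist. The sample listing is constructed, not captured from a real host; since a kernel rootkit can hide itself from live enumeration, the same check should also be run over a filter list recovered from a memory image or an offline SYSTEM hive.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of `fltmc filters` (not output from a real
# infected host). It contains both conditions described in the advisory.
SAMPLE_FLTMC_OUTPUT = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
ProjectConfiguration                    1       330024         0
WdFilter                                4       0              0
storqosflt                              0       244000         0
luafv                                   1       135000         0
"""

# Assumed normal altitude of Windows Defender's minifilter; verify on a clean host.
WDFILTER_EXPECTED_ALTITUDE = 328010.0
# Threshold reported in the advisory for the rootkit's minifilter registration.
SUSPICIOUS_ALTITUDE_FLOOR = 330024.0
# Filters you have verified on a clean baseline (hypothetical, empty by default).
KNOWN_HIGH_ALTITUDE_FILTERS = set()

_ALTITUDE = re.compile(r"\d+(\.\d+)?")


def parse_fltmc(text: str) -> Dict[str, float]:
    """Map filter name -> altitude from fltmc-style output, skipping header rows."""
    altitudes = {}
    for line in text.splitlines():
        parts = line.split()
        # Data rows have four columns: name, instance count, altitude, frame.
        if len(parts) != 4 or not _ALTITUDE.fullmatch(parts[2]):
            continue
        altitudes[parts[0]] = float(parts[2])
    return altitudes


def find_findings(altitudes: Dict[str, float]) -> List[str]:
    """Return human-readable findings for the two altitude-based indicators."""
    findings = []
    wd = altitudes.get("WdFilter")
    if wd is None:
        findings.append("WdFilter not loaded: Defender minifilter is missing")
    elif wd != WDFILTER_EXPECTED_ALTITUDE:
        findings.append(f"WdFilter altitude is {wd:g}, expected {WDFILTER_EXPECTED_ALTITUDE:g}")
    for name, alt in sorted(altitudes.items()):
        if alt >= SUSPICIOUS_ALTITUDE_FLOOR and name not in KNOWN_HIGH_ALTITUDE_FILTERS:
            findings.append(f"{name} registered at altitude {alt:g} (>= {SUSPICIOUS_ALTITUDE_FLOOR:g})")
    return findings


if __name__ == "__main__":
    for finding in find_findings(parse_fltmc(SAMPLE_FLTMC_OUTPUT)):
        print("FINDING:", finding)
```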

Affected products:

Windows Operating System
Microsoft Defender
WdFilter.sys

IOCs:

ProjectConfiguration.sys, avocadomechanism[.]com, potherbreference[.]com, svchost.exe

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information from external sources; Perceptive accepts no responsibility for the accuracy, completeness or timeliness of this information.