Mustang Panda uses signed kernel-mode rootkit to load TONESHELL backdoor

December 30, 2025 | Ravi Lakshmanan | Malware / Cyber Espionage

A Chinese hacking group known as Mustang Panda used a previously undocumented kernel-mode rootkit driver to deliver a new variant of a backdoor called TONESHELL in a cyberattack, detected in mid-2025, that targeted unspecified organizations in Asia.

The findings, published by Kaspersky, cover new backdoor variants used in cyberespionage operations against government agencies in Southeast and East Asia, primarily in Myanmar and Thailand.

“The driver files are signed with outdated, stolen or leaked digital certificates and are registered as mini-filter drivers on infected machines,” the Russian cybersecurity firm said. “Their end goal is to inject a backdoor Trojan into system processes and protect malicious files, user-mode processes, and registry keys.”

The final payload deployed in the attack is TONESHELL, an implant with reverse-shell and downloader functionality that fetches the next stage of malware onto the compromised host. Mustang Panda is believed to have used TONESHELL since at least late 2022.

As of September 2025, this threat actor was associated with attacks targeting businesses in Thailand with TONESHELL and a USB worm named TONEDISK (also known as WispRider) that used removable devices as a distribution vector for a backdoor called Yokai.

The command and control (C2) infrastructure used for TONESHELL is said to have been built in September 2024, but there are indications that the campaign itself did not begin until February 2025. The exact initial access route used in the attack is not clear. The attackers are suspected of exploiting previously compromised machines to deploy malicious drivers.


The driver file (“ProjectConfiguration.sys”) is signed with a digital certificate from Guangzhou Kingteller Technology Co., Ltd, a Chinese company involved in the sales and provisioning of automated teller machines (ATMs). The certificate was valid from August 2012 to 2015.

“Given the existence of other unrelated malicious artifacts signed with the same digital certificate, we assess that the attacker likely leveraged a leaked or stolen certificate to accomplish their goals,” Kaspersky said. The malicious driver carries two user-mode shellcodes embedded in the .data section of the binary; these are run as separate user-mode threads.

“The rootkit functionality protects both the driver’s own modules and the user-mode process where the backdoor code is injected, preventing access by any process on the system,” Kaspersky said.

The driver has the following set of features:

  • Dynamically resolves the kernel APIs it needs at runtime, using a hashing algorithm to match each required export address rather than importing it by name.
  • Monitors file deletion and file rename operations so that its own file cannot be deleted or renamed.
  • Rejects attempts to create or open registry keys that match its protected list by registering a RegistryCallback routine and ensuring it runs at altitude 330024 or higher.
  • Sets the altitude value of WdFilter.sys, the Microsoft Defender driver, to zero (the default is 328010), which prevents it from being loaded onto the I/O stack.
  • Suspends process-related operations and denies access when the action targets a process on its list of protected process IDs.
  • Removes rootkit protection from those processes once execution is complete.

“Microsoft specifies the altitude range for the FSFilter Anti-Virus load order group as 320000 to 329999,” Kaspersky explained. “The altitude chosen by the malware exceeds this range. Lower-altitude filters sit deeper in the I/O stack, which allows the malicious driver to intercept file operations and bypass security checks before legitimate lower-altitude filters, such as antivirus components, see them.”
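The two registry-level tampering patterns described above (a Defender filter altitude forced to zero, and a filter parked above the Anti-Virus group where no load order group is assigned) can both be audited from the service keys on a live host. The script below is an added example written for this page, not code from Kaspersky or from the article; it assumes the documented FSFilter Anti-Virus range of 320000 to 329999 quoted above, treats 330000 to 339999 as an unassigned gap, and reports each minifilter's Authenticode status and signing-certificate expiry so that a driver signed with a long-expired certificate stands out. The function name Get-MinifilterAudit and the flag wording are my own.

```powershell
# Added example (not from Kaspersky or the article): audit registered minifilters for
# altitude tampering and weak driver signatures. Run from an elevated 64-bit PowerShell
# session on the host under investigation. Assumptions: the FSFilter Anti-Virus load
# order group is 320000-329999 (quoted in the article); 330000-339999 belongs to no
# documented group; WdFilter's default altitude is 328010.

function Resolve-DriverImagePath {
    param([string]$ImagePath)
    # Service ImagePath values use kernel-style prefixes; normalise to a Win32 path.
    if (-not $ImagePath) { return $null }
    $p = $ImagePath -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-MinifilterAudit {
    $servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($svc in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
        # Only minifilters carry an Instances subkey whose entries hold an Altitude value.
        $instancesKey = Join-Path $svc.PSPath 'Instances'
        if (-not (Test-Path $instancesKey)) { continue }
        foreach ($inst in Get-ChildItem -Path $instancesKey -ErrorAction SilentlyContinue) {
            $altRaw = (Get-ItemProperty -Path $inst.PSPath -ErrorAction SilentlyContinue).Altitude
            if ($null -eq $altRaw) { continue }
            $altitude = 0.0
            $parsed = [double]::TryParse($altRaw, [ref]$altitude)

            $flags = @()
            if (-not $parsed -or $altitude -eq 0) {
                $flags += 'altitude zeroed or invalid: filter cannot attach'
            }
            if ($svc.PSChildName -eq 'WdFilter' -and $altitude -ne 328010) {
                $flags += "WdFilter altitude is $altRaw, expected 328010"
            }
            if ($altitude -ge 330000 -and $altitude -lt 340000) {
                $flags += 'altitude above the Anti-Virus group (320000-329999) in an unassigned range'
            }

            $imagePath = Resolve-DriverImagePath (Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
            $sigStatus = 'file not found'; $signer = $null; $notAfter = $null
            if ($imagePath -and (Test-Path $imagePath)) {
                $sig = Get-AuthenticodeSignature -FilePath $imagePath
                $sigStatus = $sig.Status.ToString()
                if ($sig.SignerCertificate) {
                    $signer   = $sig.SignerCertificate.Subject
                    $notAfter = $sig.SignerCertificate.NotAfter
                    # A timestamped signature stays Valid after the certificate expires, so an
                    # expired signer is reported as context rather than treated as an error by itself.
                    if ($notAfter -lt (Get-Date)) {
                        $flags += "signing certificate expired $($notAfter.ToString('yyyy-MM-dd'))"
                    }
                }
                if ($sig.Status -ne 'Valid') { $flags += "signature status $sigStatus" }
            }

            [pscustomobject]@{
                Service      = $svc.PSChildName
                Instance     = $inst.PSChildName
                Altitude     = $altRaw
                ImagePath    = $imagePath
                Signature    = $sigStatus
                Signer       = $signer
                CertNotAfter = $notAfter
                Flags        = ($flags -join '; ')
            }
        }
    }
}

# Show only entries that tripped a rule; drop the Where-Object to list every filter.
Get-MinifilterAudit | Where-Object { $_.Flags } |
    Format-Table -AutoSize Service, Altitude, Signature, Signer, Flags
```

Catalog-signed Microsoft drivers such as WdFilter.sys still report Valid, because Get-AuthenticodeSignature consults the system catalogs. A live rootkit can hide its own service key from user-mode enumeration, so a clean result from this script on a suspect host should be cross-checked against an offline copy of the SYSTEM hive or the output of fltmc on a forensic image.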

The driver is ultimately designed to drop two user-mode payloads. The first spawns an “svchost.exe” process and injects into it shellcode that introduces a short delay; the second is the TONESHELL backdoor, which is injected into the same “svchost.exe” process.

Once launched, the backdoor connects to a C2 server (“avocadomechanism[.]com” or “portreference[.]com”) over TCP port 443 and uses that channel to receive commands that allow the operator to:

  • Create a temporary file for incoming data (0x1)
  • Download a file (0x2 / 0x3)
  • Cancel a download (0x4)
  • Establish a remote shell over a pipe (0x7)
  • Receive an operator command (0x8)
  • Exit the shell (0x9)
  • Upload a file (0xA / 0xB)
  • Cancel an upload (0xC)
  • Close the connection (0xD)


“This development marks the first time that TONESHELL has been delivered through a kernel-mode loader, effectively hiding its activity from security tools,” Kaspersky said. “Our findings indicate that this driver is the latest addition to a larger and evolving set of tools that Mustang Panda uses to maintain persistence and hide backdoors.”

Because the shellcode runs entirely in memory, memory forensics is key to analyzing new TONESHELL infections, Kaspersky said, noting that injected shellcode found in a process is the primary indicator of the backdoor's presence on a compromised host.
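Shellcode injected into “svchost.exe”, as described above, lives in memory that is committed, privately allocated (backed by neither an image nor a section) and executable, which a module list or disk scan never sees. The script below is an added example written for this page, not code from Kaspersky or from the article; it walks every svchost.exe with VirtualQueryEx and reports such regions as triage leads. Its class name NativeMem and function name Get-PrivateExecutableRegions are my own. Because the rootkit blocks handle operations on the process it protects, a failed OpenProcess is reported rather than skipped.

```powershell
# Added example (not from Kaspersky or the article): list committed, private, executable
# memory regions in every svchost.exe. This is an indicator to triage, not proof of
# compromise: JIT engines and a few legitimate components create the same kind of region.
# Run from an elevated 64-bit PowerShell session; the struct layout below assumes x64.

Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class NativeMem {
    [StructLayout(LayoutKind.Sequential)]
    public struct MEMORY_BASIC_INFORMATION {
        public IntPtr BaseAddress;
        public IntPtr AllocationBase;
        public uint   AllocationProtect;
        public IntPtr RegionSize;
        public uint   State;
        public uint   Protect;
        public uint   Type;
    }
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint desiredAccess, bool inheritHandle, int processId);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr VirtualQueryEx(IntPtr hProcess, IntPtr address,
        out MEMORY_BASIC_INFORMATION buffer, IntPtr length);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);
}
"@

$PROCESS_QUERY_INFORMATION = 0x0400
$MEM_COMMIT  = 0x1000
$MEM_PRIVATE = 0x20000
$EXEC_MASK   = 0xF0     # PAGE_EXECUTE, PAGE_EXECUTE_READ, _READWRITE, _WRITECOPY

function Get-PrivateExecutableRegions {
    param([int]$ProcessId)
    $h = [NativeMem]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        # The rootkit denies handle operations on the process it protects, so an
        # administrator being refused access to an svchost.exe is itself worth noting.
        # Protected-process (PPL) services are the benign cause of the same failure.
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        return [pscustomobject]@{ ProcessId = $ProcessId; Error = "OpenProcess failed (Win32 error $err)" }
    }
    try {
        $mbi  = New-Object NativeMem+MEMORY_BASIC_INFORMATION
        $size = [IntPtr][Runtime.InteropServices.Marshal]::SizeOf([type][NativeMem+MEMORY_BASIC_INFORMATION])
        $addr = [int64]0
        while ($addr -lt 0x7FFFFFFFFFFF) {           # user-mode address space on x64
            $ret = [NativeMem]::VirtualQueryEx($h, [IntPtr]$addr, [ref]$mbi, $size)
            if ($ret -eq [IntPtr]::Zero) { break }
            if ($mbi.State -eq $MEM_COMMIT -and $mbi.Type -eq $MEM_PRIVATE -and ($mbi.Protect -band $EXEC_MASK)) {
                [pscustomobject]@{
                    ProcessId = $ProcessId
                    Base      = ('0x{0:X}' -f $mbi.BaseAddress.ToInt64())
                    Size      = $mbi.RegionSize.ToInt64()
                    Protect   = ('0x{0:X}' -f $mbi.Protect)
                }
            }
            $addr = $mbi.BaseAddress.ToInt64() + $mbi.RegionSize.ToInt64()
        }
    } finally {
        [void][NativeMem]::CloseHandle($h)
    }
}

Get-Process -Name svchost | ForEach-Object { Get-PrivateExecutableRegions -ProcessId $_.Id } |
    Format-Table -AutoSize
```

A hit is a region worth dumping for analysis (that step needs PROCESS_VM_READ, which this script deliberately does not request). Read-write-execute (Protect 0x40) private regions in a service host are the strongest lead; read-execute regions with no backing module come next. Because the rootkit also protects the process from other processes on the system, collecting a full memory image and running the same check offline is the more reliable path on a host where the driver is still loaded.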

“HoneyMyte’s 2025 operations show a significant evolution in deploying ToneShell using kernel-mode injectors, improving both stealth and resiliency,” the company concludes. (HoneyMyte is Kaspersky’s name for the Mustang Panda activity cluster.)

“To further hide its activity, the driver first deploys a small user-mode component that handles the final injection step. It also uses multiple obfuscation techniques, callback routines, and notification mechanisms to hide API usage, track process and registry activity, and ultimately harden the backdoor’s protection.”

