
Chinese State-Backed Hackers Use Stealth Rootkit to Mask Global Espionage Operations

Last updated: December 30, 2025
  • The notorious Mustang Panda group is now using a kernel-mode rootkit to hide their ToneShell backdoor from security software.

  • The loader’s interception of file operations and its ability to block Microsoft Defender protect its payload.

  • Government organizations in Thailand, Myanmar, and other Asian jurisdictions have been attacked in multiple incidents since February 2025.

State-sponsored cyber espionage has taken another step: Chinese hackers affiliated with the group known as ‘Mustang Panda’ have expanded their toolkit with an advanced kernel-mode rootkit. According to a recent report from Kaspersky, the group is now using the rootkit to embed ToneShell, its backdoor, deep in compromised systems.

This isn’t just another malware update. It’s a fundamental shift in how these attackers operate. The new delivery method makes detection exponentially harder, amplifying the challenge for defenders even as major technology companies escalate their own countermeasures, including litigation against state-sponsored groups.

Rootkit Runs Deep within the System

Kaspersky Lab’s security research team identified the malicious filter driver while investigating infected computers across Asia. According to the report, these attacks date back to February 2025, with most victims being government entities in Thailand, Myanmar, and other Asian jurisdictions.

The ToneShell backdoor has long been linked to the Mustang Panda threat group, also tracked as Bronze President or HoneyMyte. The group focuses primarily on cyber espionage against high-value targets. Most of its known victims are government entities, non-governmental organizations (NGOs), think tanks, and other well-known international organizations.

The sophistication of this campaign’s delivery method is concerning. Attackers deliver the recent ToneShell backdoor using a mini-filter driver named ProjectConfiguration.sys, digitally signed with a valid certificate that was either stolen or mistakenly issued. The certificate, originally issued to Guangzhou Kingteller Technology Co., Ltd., was valid from 2012 through 2015.

Mini-filter drivers are kernel-mode drivers that attach to the Windows file-system I/O stack through the Filter Manager. From that position they can intercept file operations and inspect, modify, or block them, including deleting files. Legitimate security software, encryption tools, and backup utilities commonly use them, but in the wrong hands they become incredibly powerful attack tools.

ProjectConfiguration.sys embeds two user-mode shellcodes in its data segments; each is injected into a user-mode process and runs there. The driver evades static analysis by resolving the kernel APIs it needs at runtime: instead of importing functions directly, it enumerates loaded kernel modules and matches their exported functions against precomputed hashes.

Once active, the driver registers as a mini-filter and intercepts file-system deletion and rename operations. When such an operation targets the driver’s own file, the driver blocks it and forces the request to fail.

The rootkit also protects its service-related registry keys by registering a registry callback; any attempt to create or open them is denied outright. To ensure it sits above security products in the filter stack, the driver selects a mini-filter altitude above the range assigned to antivirus filters.

Perhaps most alarming is how it interferes with Microsoft Defender. The rootkit modifies the WdFilter driver configuration so it won’t load into the I/O stack.
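Two of the behaviours described above leave a footprint a defender can look for without any kernel tooling: a mini-filter attached at an altitude above the anti-virus range, and WdFilter missing from the stack. The following script is an added example, not code from the article or from Kaspersky. It parses the text that `fltmc filters` prints on a Windows host and flags both conditions. The altitude ranges are Microsoft’s published load-order groups; the two samples are constructed, the filter name `ProjectConfiguration` and its altitude in the infected sample are assumptions echoing the article’s driver name, and the baseline set is a placeholder to be built from a known-clean machine.

```python
"""Defender-side check of the Windows mini-filter stack.

Added example (not from the article or Kaspersky). Parses the output of
`fltmc filters`, captured from a host and pasted in, and flags two things
the article describes: Defender's WdFilter absent from the stack, and an
unexpected filter attached at an altitude above the anti-virus range.
"""
import re

# Microsoft's published altitude ranges (load-order groups). A higher
# altitude attaches higher in the stack and sees I/O before lower filters.
ANTIVIRUS_RANGE = (320000, 329999)            # FSFilter Anti-Virus
ABOVE_AV_GROUPS = {
    "FSFilter Activity Monitor": (360000, 389999),
    "FSFilter Top": (400000, 409999),
}

# Assumption: filters a given environment legitimately runs above the
# anti-virus range. Populate from a clean baseline; bindflt is an example.
BASELINE_HIGH_ALTITUDE = {"bindflt"}

# One data row of `fltmc filters`: name, instances, altitude, frame.
# Legacy (non-minifilter) drivers print "<Legacy>" and deliberately do not match.
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+(?:\.\d+)?)\s+(\d+)$")


def parse_fltmc(text):
    """Return [(name, instance_count, altitude)] from fltmc filters output."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            name, inst, alt, _frame = m.groups()
            rows.append((name, int(inst), float(alt)))
    return rows


def assess(text, baseline=BASELINE_HIGH_ALTITUDE):
    """Return a list of human-readable findings; an empty list means nothing unusual."""
    findings = []
    rows = parse_fltmc(text)
    names = {name.lower() for name, _, _ in rows}
    if "wdfilter" not in names:
        findings.append("WdFilter is not loaded: Microsoft Defender's filter is absent from the I/O stack")
    known = {n.lower() for n in baseline}
    for name, _inst, alt in rows:
        for group, (lo, hi) in ABOVE_AV_GROUPS.items():
            if lo <= alt <= hi and name.lower() not in known:
                findings.append(
                    f"{name} at altitude {alt:g} ({group}) sits above the anti-virus "
                    f"range {ANTIVIRUS_RANGE[0]}-{ANTIVIRUS_RANGE[1]} and is not in the baseline"
                )
    return findings


# Constructed sample in the layout fltmc prints (values are illustrative).
CLEAN_SAMPLE = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
bindflt                                 1       409800         0
WdFilter                                4       328010         0
storqosflt                              0       244000         0
"""

# Constructed infected picture: WdFilter gone and an unknown filter high in the
# stack. The name echoes the driver in the article; the altitude is made up.
INFECTED_SAMPLE = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
bindflt                                 1       409800         0
ProjectConfiguration                    2       385000         0
storqosflt                              0       244000         0
"""

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("infected", INFECTED_SAMPLE)):
        print(label, assess(sample) or ["no findings"])
```

On a live host, pipe `fltmc filters` output into `assess()`; the baseline set is the part that needs maintaining, since legitimate EDR and monitoring agents also sit in the Activity Monitor range and will otherwise be reported.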

To shield its injected payloads, the driver maintains a list of protected process IDs. It denies handle access to those processes while the payloads execute, then removes the protection as soon as execution finishes.

Kaspersky researchers said this is the first time they have seen ToneShell delivered through a kernel-mode loader. The rootkit driver shields it from user-mode monitoring and hides its actions from security products.

Enhanced Backdoor With New Capabilities

The recent ToneShell variant comes with significant changes and stealth enhancements. The malware now uses a new host identification scheme based on a 4-byte host ID marker instead of the previous 16-byte GUID. It also applies network traffic obfuscation using counterfeit TLS headers.
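Counterfeit TLS headers are meant to make the traffic blend in, but a header that is not backed by a real TLS record is often internally inconsistent. The script below is an added example, not code from the article or from Kaspersky, and it knows nothing about ToneShell’s actual wire format: it shows the generic structural check a network sensor can apply without decrypting anything, walking a captured TCP payload as a sequence of TLS records and reporting where the headers stop describing the bytes that follow. All byte samples are constructed.

```python
"""Structural sanity check for a byte stream that claims to be TLS.

Added example (not from the article or Kaspersky). Walks a captured TCP
payload as consecutive TLS records and reports every record whose header
is not self-consistent. Constructed samples only; no knowledge of
ToneShell's real framing is assumed.
"""
import struct

RECORD_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {0, 1, 2, 4, 8, 11, 12, 13, 14, 15, 16, 20}
MAX_RECORD_LEN = 2 ** 14 + 256        # TLS 1.3 allows 256 bytes of ciphertext expansion


def check_record(rec):
    """Return reasons a single record (header + payload) is malformed; [] if it looks fine."""
    reasons = []
    if len(rec) < 5:
        return ["shorter than a 5-byte record header"]
    ctype, major, minor, length = struct.unpack("!BBBH", rec[:5])
    if ctype not in RECORD_TYPES:
        reasons.append(f"unknown content type {ctype}")
    if major != 3 or minor not in (1, 2, 3):
        reasons.append(f"version {major}.{minor} is not a TLS wire version")
    if length > MAX_RECORD_LEN:
        reasons.append(f"record length {length} exceeds the TLS maximum")
    if length != len(rec) - 5:
        reasons.append(f"header says {length} payload bytes, {len(rec) - 5} present")
    if ctype == 22 and len(rec) >= 9:
        hs_type = rec[5]
        hs_len = int.from_bytes(rec[6:9], "big")
        if hs_type not in HANDSHAKE_TYPES:
            reasons.append(f"unknown handshake type {hs_type}")
        if hs_len != length - 4:
            reasons.append(f"handshake length {hs_len} disagrees with record length {length}")
        # ClientHello/ServerHello carry a legacy version right after the handshake header.
        if hs_type in (1, 2) and len(rec) >= 11 and rec[9] != 3:
            reasons.append("hello message version byte is not 3.x")
    return reasons


def check_stream(buf):
    """Walk buf as consecutive TLS records; return [(offset, reasons)] for the bad ones."""
    findings = []
    off = 0
    while off < len(buf):
        if len(buf) - off < 5:
            findings.append((off, ["trailing bytes shorter than a record header"]))
            break
        length = struct.unpack("!H", buf[off + 3:off + 5])[0]
        end = off + 5 + length
        rec = buf[off:end]          # shorter than claimed if the header overruns the buffer
        reasons = check_record(rec)
        if reasons:
            findings.append((off, reasons))
        off = end
    return findings


def _handshake_record(hs_type, body, version=b"\x03\x01"):
    """Wrap body in a handshake message and a record header (helper for the samples)."""
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16" + version + len(hs).to_bytes(2, "big") + hs


# Constructed: a minimal ClientHello (legacy version 3.3, 32 zero random bytes,
# empty session id, one cipher suite, null compression, no extensions).
CLIENT_HELLO_BODY = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
GOOD_STREAM = _handshake_record(1, CLIENT_HELLO_BODY)

# Constructed counterfeit: an application_data header whose length field says 16
# bytes, followed by 40 bytes of filler. The walker desynchronises after the
# first record and the "next header" it reads is nonsense.
FAKE_STREAM = b"\x17\x03\x03\x00\x10" + b"\xAB" * 40

# Constructed counterfeit: outer lengths agree but the inner handshake length does not.
BAD_HANDSHAKE = b"\x16\x03\x03\x00\x08" + b"\x01\x00\x00\x10" + b"\x03\x03\x00\x00"

if __name__ == "__main__":
    for label, buf in (("good", GOOD_STREAM), ("fake", FAKE_STREAM), ("bad_hs", BAD_HANDSHAKE)):
        print(label, check_stream(buf) or "consistent")
```

The check is deliberately cheap and decryption-free, so it belongs in the same place as JA3-style fingerprinting on a sensor; a stream that fails it on its first few records is worth pulling for memory analysis on the endpoint rather than being treated as ordinary HTTPS.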

The backdoor supports an expanded set of remote operations. Attackers can create temporary files for incoming data, download and upload files, establish remote shells via pipes, receive and execute operator commands, and terminate connections. Such stolen data often fuels the global identity fraud market, as seen in massive dark web dumps of sensitive documents like U.S. driver licenses. These capabilities give the hackers complete control over compromised systems.

Evidence from the compromised entities showed prior infections with PlugX malware, older ToneShell versions, or the ToneDisk USB worm. Analysts have attributed these tools to state-sponsored Chinese hackers.

Kaspersky advises that memory analysis is now the most reliable way to detect ToneShell infections delivered by this new kernel-mode injector. The researchers attribute the new sample to Mustang Panda with high confidence.

About the Author

Memchick E

Digital Privacy Journalist

Memchick is a digital privacy journalist who investigates how technology and policy impact personal freedom. Her work explores surveillance capitalism, encryption laws, and the real-world consequences of data leaks. She is driven by a mission to demystify digital rights and empower readers with the knowledge to protect their anonymity online.
