Ethical Hacking News

New Attack Vector: Chinese State Hackers Use Rootkit to Hide ToneShell Malware Activity


Chinese state hackers have been found using a rootkit to hide their malicious activity related to the ToneShell malware, marking a significant escalation of cyber threats. The use of a kernel-mode loader provides the attackers with enhanced protection from detection by security tools and allows them to maintain operational stealth and resilience.

  • Chinese state hackers are using a rootkit to hide malicious activity related to ToneShell malware.
  • The mini-filter driver ProjectConfiguration.sys is being used to deliver the malicious payload, providing protection from detection by security software.
  • The rootkit is part of a larger backdoor known as ToneShell, associated with Chinese state-sponsored cyber espionage groups.
  • Key features of this new variant include use of a kernel-mode loader and evasion techniques like fake TLS headers.
  • Kaspersky has identified several instances of ToneShell malware being delivered through this new vector, including attacks in Myanmar and Thailand.
  • The use of a kernel-mode loader represents a significant shift in tactics, techniques, and procedures (TTPs) used by Chinese state hackers.
  • Kaspersky advises that memory forensics is key in uncovering ToneShell infections backed by the new kernel-mode injector.



In a significant escalation of cyber threats, Chinese state hackers have been found using a rootkit to hide their malicious activity related to the ToneShell malware. This new attack vector marks a departure from traditional methods used by state-sponsored actors in the past and highlights the evolving nature of modern cyber espionage campaigns.

According to recent intelligence gathered by Kaspersky, a leading cybersecurity firm, the hackers have been employing a mini-filter driver named ProjectConfiguration.sys to deliver the malicious payload. This driver is loaded into Windows kernel mode, providing the attackers with significant protection from detection by security software and other security tools.

The rootkit used in these campaigns has been identified as part of a larger backdoor known as ToneShell, which is commonly associated with Chinese state-sponsored cyber espionage groups. The malware has been linked to various attacks against government agencies, NGOs, think tanks, and high-profile organizations worldwide.

One of the key features of this new variant of ToneShell is its use of a kernel-mode loader. This approach shields the attackers from user-mode monitoring and allows them to remain undetected by security tools that rely on traditional methods for detecting malicious activity.

In addition to its use of a rootkit, the malware also employs various techniques to evade static analysis and improve its stealth capabilities. These include using fake TLS headers to obfuscate network traffic and applying a new host identification scheme based on a 4-byte host ID marker instead of the 16-byte GUID used in previous variants.

The researchers at Kaspersky have analyzed several instances of ToneShell malware being delivered through this new vector, including an attack campaign against government organizations in Myanmar and Thailand. In these cases, the attackers had previously infected their targets with older versions of the ToneShell malware or other malicious payloads such as PlugX malware or the ToneDisk USB worm.

The use of a kernel-mode loader by Chinese state hackers to deliver the ToneShell malware represents a significant shift in the tactics, techniques, and procedures (TTPs) used by these actors. This approach allows them to maintain operational stealth and resilience, making it more challenging for security tools and analysts to detect their activities.

To stay ahead of this new threat vector, Kaspersky advises that memory forensics is key in uncovering ToneShell infections backed by the new kernel-mode injector. The cybersecurity firm has also provided a list of indicators of compromise (IoCs) to help organizations detect Mustang Panda intrusions and defend against them.

The incident highlights the importance of staying vigilant in today's digital landscape, where state-sponsored actors continue to adapt and evolve their tactics to evade detection. As cyber threats continue to escalate, it is essential for security professionals and organizations to remain proactive in monitoring for new attack vectors and developing effective countermeasures to mitigate the impact of these threats.
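The article names the driver file (ProjectConfiguration.sys) and the fact that it is registered as a mini-filter, but does not describe how a defender would check a host for it. The script below is an added example written for this page; it is not Kaspersky's tooling, not part of the article, and the only page-derived value is the driver file name. Everything else (that the minifilter name reported by fltmc matches the driver's service name, the image-path normalisation, the "Microsoft" signer check) is an assumption of the example. It first looks for any registered kernel driver whose image path matches the file name, then lists the minifilters currently loaded and flags any whose image is not validly signed by Microsoft.

```powershell
# Added example, not from the article or from Kaspersky.
# Assumes Windows with an elevated PowerShell session (fltmc needs it).
# Only the file name below comes from the article; the rest is assumed.

$SuspectFileName = 'ProjectConfiguration.sys'   # driver file name reported in the article

# All registered kernel drivers (running or not) with their image paths.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver

# Normalise the NT-style paths Win32_SystemDriver returns into Win32 paths.
function Convert-DriverPath {
    param([string]$PathName)
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# 1. Direct hit on the file name from the article, regardless of service name.
$byName = $drivers | Where-Object { $_.PathName -match [regex]::Escape($SuspectFileName) }
foreach ($d in $byName) {
    [pscustomobject]@{
        Check     = 'FileNameMatch'
        Name      = $d.Name
        State     = $d.State
        StartMode = $d.StartMode
        Path      = Convert-DriverPath $d.PathName
    }
}

# 2. Minifilters currently loaded. fltmc prints a table whose first column is the
#    filter name; skip the header, the dashed rule and blank lines.
$filterNames = (& fltmc.exe filters) |
    Where-Object { $_ -match '^\S' -and $_ -notmatch '^(Filter Name|-)' } |
    ForEach-Object { ($_ -split '\s+')[0] }

# 3. Resolve each loaded minifilter to its driver image and verify the signature.
#    Assumption: the filter name equals the driver's service name (usual, not guaranteed).
$report = foreach ($f in $filterNames) {
    $svc = $drivers | Where-Object Name -eq $f
    if (-not $svc) { continue }
    $path = Convert-DriverPath $svc.PathName
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $sig = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Check  = 'LoadedMinifilter'
        Name   = $f
        Path   = $path
        Status = $sig.Status
        Signer = $sig.SignerCertificate.Subject
    }
}

# Surface only minifilters that are unsigned, badly signed, or not signed by Microsoft.
$report | Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notmatch 'Microsoft' }
```

Run it as Administrator; an empty result from both checks is what a clean host should produce. Third-party security products, backup agents and virtualisation tools legitimately load non-Microsoft minifilters, so the signer check is a triage list, not a verdict. Note also that a loaded rootkit can tamper with exactly the views this script relies on (service registrations, driver lists, on-disk images), which is the reason the article's advice to confirm suspected infections with memory forensics rather than live host queries alone.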



    Related Information:
  • https://www.ethicalhackingnews.com/articles/New-Attack-Vector-Chinese-State-Hackers-Use-Rootkit-to-Hide-ToneShell-Malware-Activity-ehn.shtml

  • Published: Mon Dec 29 18:19:58 2025 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.