A new variant of the TONESHELL backdoor has been discovered in a cyber attack attributed to the Chinese hacking group Mustang Panda. The kernel-mode rootkit driver that delivers it, signed with a long-expired digital certificate, is used to evade traditional security measures and to shield the group's malicious files from removal.
The threat poses significant concerns for organizations and individuals targeted by the group, highlighting the need for robust security measures and vigilance in the face of evolving cyber threats. Stay informed about the latest developments and learn how to protect yourself against this new threat.
As the world grapples with the ever-evolving landscape of cyber threats, a Chinese hacking group known as Mustang Panda has emerged as a formidable player in the shadows. According to recent findings by Kaspersky, this group has leveraged a previously undocumented kernel-mode rootkit driver to deliver a new variant of backdoor dubbed TONESHELL in a cyber attack detected in mid-2025 targeting an unspecified entity in Asia.
The delivery of TONESHELL through a kernel-mode rootkit marks a significant escalation in the tactics employed by Mustang Panda, a group notorious for its sophisticated and stealthy attacks on government organizations and high-value targets. The driver is believed to have been designed specifically to evade traditional security measures and to shield the malware's files, user-mode processes, and registry keys from inspection and removal.
The driver file in question, "ProjectConfiguration.sys," is signed with a digital certificate from Guangzhou Kingteller Technology Co., Ltd, a Chinese company involved in the distribution and provisioning of automated teller machines (ATMs). The certificate was valid from August 2012 to 2015, indicating that the threat actors likely used a leaked or stolen certificate to sign the driver.
Further analysis by Kaspersky reveals that the driver comes equipped with an array of features designed to enhance its stealth and effectiveness. These include dynamic resolution of required kernel APIs at runtime using hashing algorithms, monitoring file-delete and file-rename operations to prevent itself from being removed or renamed, and tampering with the altitude assigned to WdFilter.sys, the Microsoft Defender minifilter driver (a minifilter's altitude determines its position in the file-system filter stack, so altering it can keep Defender from seeing file operations it would otherwise inspect).
Moreover, the driver intercepts process-related operations and denies access whenever the target is a running process on its list of protected process IDs. This allows the malware to circumvent security checks and establish a strong foothold on compromised hosts.
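The two driver behaviours above, altitude tampering and an expired signing certificate, are both checkable from the host. The following PowerShell triage script is an added example, not code from Kaspersky or from the article; it assumes WdFilter's default altitude of 328010 and the standard `HKLM:\SYSTEM\CurrentControlSet\Services\WdFilter\Instances` registry location, and runs from an elevated prompt.

```powershell
# Added triage script (not from Kaspersky or the article). Run elevated.
# Assumed: WdFilter's default minifilter altitude is 328010; the suspect
# driver file name is the one reported in the article.
$expectedAltitude  = '328010'
$suspectDriverName = 'ProjectConfiguration.sys'

# 1. Has the Microsoft Defender minifilter altitude been changed in the registry?
$instancePath = 'HKLM:\SYSTEM\CurrentControlSet\Services\WdFilter\Instances'
Get-ChildItem -Path $instancePath -ErrorAction SilentlyContinue | ForEach-Object {
    $alt = (Get-ItemProperty -Path $_.PSPath).Altitude
    if ($alt -ne $expectedAltitude) {
        Write-Warning "WdFilter altitude is '$alt', expected '$expectedAltitude' - possible tampering"
    }
}

# 2. Is WdFilter actually present in the loaded minifilter stack right now?
$fltmcOutput = & fltmc.exe filters 2>$null
if (-not ($fltmcOutput | Select-String -Pattern '^WdFilter\s')) {
    Write-Warning 'WdFilter is not in the loaded minifilter list'
}

# 3. Running drivers: flag the reported file name, and any driver whose signing
#    certificate is expired AND carries no countersignature timestamp (a
#    timestamped signature from a now-expired certificate is normal; an
#    un-timestamped one made after expiry is not).
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        # Normalise the NT-style paths WMI returns (\??\C:\..., \SystemRoot\...)
        $path = $_.PathName -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        if (-not [System.IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
        if (-not (Test-Path -LiteralPath $path)) { return }

        $name = Split-Path -Leaf $path
        if ($name -ieq $suspectDriverName) {
            Write-Warning "Driver name matches the reported rootkit: $path"
        }

        $sig  = Get-AuthenticodeSignature -LiteralPath $path
        $cert = $sig.SignerCertificate
        if ($cert -and $cert.NotAfter -lt (Get-Date) -and -not $sig.TimeStamperCertificate) {
            Write-Warning ("Expired, un-timestamped signer '{0}' on {1} (valid until {2:yyyy-MM-dd})" -f
                $cert.Subject, $path, $cert.NotAfter)
        }
    }
```

A hit on any of the three checks is a lead for memory forensics, not proof of infection; the altitude check in particular also fires after legitimate Defender servicing changes, so compare against a known-good host.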
The final payload deployed as part of the attack is TONESHELL, an implant with reverse shell and downloader capabilities to fetch next-stage malware onto compromised hosts. The use of TONESHELL has been attributed to Mustang Panda since at least late 2022.
It's worth noting that the command-and-control (C2) infrastructure used for TONESHELL was set up in September 2024, although there are indications that the campaign itself did not commence until February 2025. The exact initial access pathway used in the attack is not clear, but it's suspected that the attackers abused previously compromised machines to deploy the malicious driver.
Memory forensics plays a crucial role in analyzing new TONESHELL infections, as the shellcode executes entirely in memory. Detecting the injected shellcode is a key indicator of the backdoor's presence on compromised hosts.
HoneyMyte's 2025 operations (HoneyMyte is Kaspersky's name for Mustang Panda) show a noticeable evolution toward using kernel-mode injectors to deploy TONESHELL, improving both stealth and resilience. The development marks the first time TONESHELL has been delivered through a kernel-mode loader, effectively allowing it to conceal its activity from security tools.
Furthermore, Kaspersky observed that the driver uses multiple obfuscation techniques, callback routines, and notification mechanisms to hide its API usage and track process and registry activity. This strengthens the backdoor's defenses, making it an even more formidable threat in the world of cyber espionage.
The emergence of TONESHELL highlights the evolving nature of cyber threats and the need for robust security measures to counter these new tactics. As the landscape continues to shift, it's essential for organizations and individuals alike to stay vigilant and adapt their defenses to remain ahead of the threat curve.