Full Report
The Chinese hacking group known as Mustang Panda has leveraged a previously undocumented kernel-mode rootkit driver to deliver a new variant of backdoor dubbed TONESHELL in a cyber attack detected in mid-2025 targeting an unspecified entity in Asia. The findings come from Kaspersky, which observed the new backdoor variant in cyber espionage campaigns mounted by the hacking group targeting
Analysis Summary
# Threat Actor: Mustang Panda
## Attribution & Identity
**Identification:** Chinese hacking group known as Mustang Panda.
**Aliases/Associations:** None explicitly mentioned in the provided text beyond its association with cyber espionage campaigns.
## Activity Summary
Mustang Panda was observed in a cyber attack in **mid-2025** leveraging a previously undocumented kernel-mode rootkit driver to deploy a new backdoor variant called **TONESHELL**. This activity was part of ongoing cyber espionage campaigns. The actor was also recently linked (September 2025) to attacks targeting Thai entities using TONESHELL alongside a USB worm named TONEDISK (aka WispRider) which distributes a backdoor referred to as Yokai. The C2 infrastructure for TONESHELL was erected in September 2024, though the campaign execution appears to have begun in February 2025.
## Tactics, Techniques & Procedures
- **Initial Access:** Suspected to be through previously compromised machines (exact pathway unclear).
- **Persistence/Defense Evasion:** Use of a kernel-mode rootkit driver (`ProjectConfiguration.sys`) to hide processes, files, and registry keys.
- **Code Execution:** The rootkit injects a backdoor trojan into system processes.
- **Digital Certificate Misuse:** The driver was signed with an old, stolen, or leaked digital certificate from **Guangzhou Kingteller Technology Co., Ltd** (valid 2012–2015).
- **Kernel Manipulation:** The driver interferes with the file-system I/O stack by lowering the altitude of the Microsoft Defender minifilter (`WdFilter.sys`) to zero, so that the rootkit's own filter sees file operations before the legitimate security filter does.
- **Rootkit Capabilities:** Dynamically resolves kernel APIs at runtime via hashing, monitors file operations to prevent removal, and denies access to protected process IDs.
## Targeting
- **Sectors:** Government organizations.
- **Geography:** Southeast and East Asia, primarily **Myanmar and Thailand**.
- **Victims:** Unspecified entity targeted in mid-2025; previously linked to Thai entities.
## Tools & Infrastructure
- **Malware Families Used:**
  - **TONESHELL:** New variant of backdoor with reverse shell and downloader capabilities. Attributed to the actor since at least late 2022.
  - **Kernel-Mode Rootkit Driver:** Undocumented driver used to mask TONESHELL deployment.
  - **TONEDISK (aka WispRider):** USB worm used in accessory attacks.
  - **Yokai:** Backdoor distributed via TONEDISK.
- **Infrastructure (C2):** C2 infrastructure for TONESHELL was erected in September 2024.
## Implications
Mustang Panda continues to employ sophisticated, layered malware, now incorporating signed, undocumented kernel-mode rootkits to achieve deep system presence and robust defense evasion against security software (like AV components). The use of legitimate, albeit old and stolen, digital certificates highlights a focus on maintaining persistence and avoiding detection in highly sensitive environments.
## Mitigations
- Monitor kernel-mode driver loading rigorously and verify the legitimacy of driver signing certificates.
- Scrutinize unusual file deletion/rename operations and Registry key modification attempts, particularly those that bypass standard driver altitude ordering.
- Deploy endpoint detection and response (EDR) capable of identifying process injection into legitimate processes such as `svchost.exe`.
- Maintain strict control over, and an inventory of, the organization's digital certificates to limit misuse if one is leaked.
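The first two mitigations and the altitude-tampering technique in the TTP list translate into two concrete host checks. The script below is an added example, not code from Kaspersky or the article: it parses `fltmc filters` output and flags any minifilter at an invalid altitude or an expected anti-virus filter outside Microsoft's anti-virus altitude range, and it reviews loaded drivers whose signing certificate expired years ago and whose signer is not on a known-vendor list. The sample `fltmc` output, the driver inventory (including exact certificate dates, which the page gives only as years), the `KNOWN_SIGNERS` allowlist and the three-year threshold are constructed assumptions.

```python
"""Defender-side checks for minifilter altitude tampering and long-expired driver signers.

Added example; not Kaspersky's or the article's code. Sample data is constructed.
"""
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass
from datetime import date

# Microsoft's documented altitude range for the FSFilter Anti-Virus load-order group.
ANTIVIRUS_ALTITUDE_RANGE = (320000, 329999)
# Anti-virus minifilters expected on this host (assumption: extend for your AV/EDR stack).
EXPECTED_AV_FILTERS = {"WdFilter"}
# Signers whose old certificates are accepted without review (assumption).
KNOWN_SIGNERS = {"Microsoft Windows"}

# Constructed `fltmc filters` output, modelled on a host where WdFilter was pushed to altitude 0.
SAMPLE_FLTMC = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
WdFilter                                5              0         0
FileInfo                                5        40500         0
"""


@dataclass(frozen=True)
class Minifilter:
    name: str
    instances: int
    altitude: float   # altitudes may carry a decimal part, e.g. 328010.5
    frame: str


@dataclass(frozen=True)
class DriverSignature:
    image: str
    signer: str
    not_before: date
    not_after: date


# Constructed inventory; the Kingteller validity window is an approximation of "2012-2015".
SAMPLE_DRIVERS = [
    DriverSignature("WdFilter.sys", "Microsoft Windows", date(2024, 6, 1), date(2025, 6, 1)),
    DriverSignature("ProjectConfiguration.sys", "Guangzhou Kingteller Technology Co., Ltd",
                    date(2012, 1, 1), date(2015, 1, 1)),
]


def collect_live_fltmc() -> str:
    """Run `fltmc filters` on the local host (Windows only, requires elevation)."""
    return subprocess.run(["fltmc", "filters"], capture_output=True, text=True, check=True).stdout


def parse_fltmc(text: str) -> list[Minifilter]:
    """Parse the table printed by `fltmc filters`; header, separator and legacy rows are skipped."""
    filters = []
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s+(\d+)\s+([\d.]+)\s+(\S+)\s*$", line)
        if m:
            filters.append(Minifilter(m.group(1), int(m.group(2)), float(m.group(3)), m.group(4)))
    return filters


def check_altitudes(filters: list[Minifilter]) -> list[str]:
    """Flag invalid altitudes, expected AV filters outside their range, and missing AV filters."""
    low, high = ANTIVIRUS_ALTITUDE_RANGE
    findings, seen = [], set()
    for f in filters:
        seen.add(f.name)
        if f.altitude <= 0:
            findings.append(f"{f.name}: altitude {f.altitude:g} is not a valid Microsoft-allocated altitude")
        elif f.name in EXPECTED_AV_FILTERS and not (low <= f.altitude <= high):
            findings.append(f"{f.name}: altitude {f.altitude:g} outside anti-virus range {low}-{high}")
    for name in EXPECTED_AV_FILTERS - seen:
        findings.append(f"{name}: expected anti-virus minifilter not loaded")
    return findings


def check_driver_signers(drivers: list[DriverSignature], today: date,
                         known_signers: set[str], max_expired_years: int = 3) -> list[str]:
    """Flag drivers from unknown signers whose certificate expired more than N years ago."""
    findings = []
    for d in drivers:
        expired_days = (today - d.not_after).days
        if d.signer not in known_signers and expired_days > max_expired_years * 365:
            findings.append(f"{d.image}: signed by '{d.signer}', certificate expired "
                            f"{d.not_after.isoformat()} ({expired_days // 365} years ago); review")
    return findings


if __name__ == "__main__":
    for finding in check_altitudes(parse_fltmc(SAMPLE_FLTMC)):
        print("ALTITUDE:", finding)
    for finding in check_driver_signers(SAMPLE_DRIVERS, date(2025, 7, 1), KNOWN_SIGNERS):
        print("SIGNER:  ", finding)
```

An old signing certificate by itself is not evidence of compromise, since many legitimate pre-2015 cross-signed drivers are still in circulation; the signer check is a review queue, while an anti-virus minifilter at altitude 0 is a strong indicator of tampering and should alert directly.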