- Mustang Panda used a signed kernel-mode minifilter driver to load a new TONESHELL backdoor in mid-2025.
- The malicious driver protects files, processes, and registry keys and injects TONESHELL into a spawned
svchost.exe. - TONESHELL connects to C2 domains over TCP port 443 and supports file transfer and a remote shell.
- Detection requires memory forensics because key components execute in memory and the driver hides API usage and I/O operations.
Mustang Panda deployed a previously undocumented kernel-mode rootkit driver in an attack detected in mid-2025 against an entity in Asia, with campaigns targeting government organizations in Myanmar and Thailand, according to Kaspersky. The driver registers as a Microsoft.com/en-us/Windows-hardware/drivers/ifs/about-file-system-filter-drivers”>minifilter driver, a type of file system filter that sits in the I/O stack to monitor or modify file operations.
The driver binary, named “ProjectConfiguration.sys,” is signed with a certificate issued to Guangzhou Kingteller Technology Co., Ltd that was valid from 2012 to 2015. “The driver file is signed with an old, stolen, or leaked digital certificate,” the report stated.
The Malware bundles two user-mode shellcodes embedded in the .data section and injects a small delay shellcode and then the TONESHELL backdoor into the same spawned svchost.exe. “The rootkit functionality protects both the driver’s own module and the user-mode processes into which the backdoor code is injected,” researchers said.
Key driver capabilities include resolving kernel APIs by hashing, blocking file-delete and file-rename operations, denying access to protected registry keys via a RegistryCallback routine, and intercepting process operations for listed process IDs. The driver also alters the altitude used by filters (see allocated altitudes) to bypass lower-altitude antivirus filters.
The TONESHELL implant establishes a TCP connection to C2 domains (for example, avocadomechanism[.]com and potherbreference[.]com) over port 443. Commands include creating temporary files, downloading and uploading files, canceling transfers, establishing a remote shell, receiving operator commands, and closing the connection.
Researchers note this is the first observed use of a kernel-mode loader for TONESHELL, increasing stealth and resilience. Memory forensics is required to detect the in-memory shellcode and confirm infection.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Crypto Markets See $100B Liquidation; $3T Drop Sparks Doubt?
- Bitcoin May Close First-Ever Red Post-Halving Year Amid ETF.
- Lighter’s 50/50 LIT tokenomics sparks whale bets, debate now
- Silver Fox uses tax-themed phishing to deliver ValleyRAT now
- India’s 2026 BRICS Presidency Champions Global South Voices.
