BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

Mustang Panda Uses Kernel Rootkit to Deploy TONESHELL in SEA

Mustang Panda deploys a signed kernel-mode minifilter rootkit to inject TONESHELL into svchost.exe, protect files/registry/processes, and connect to C2 over TCP/443 — detection requires memory forensics.

  • Mustang Panda used a signed kernel-mode minifilter driver to load a new TONESHELL backdoor in mid-2025.
  • The malicious driver protects files, processes, and registry keys and injects TONESHELL into a spawned svchost.exe.
  • TONESHELL connects to C2 domains over TCP port 443 and supports file transfer and a remote shell.
  • Detection requires memory forensics because key components execute in memory and the driver hides API usage and I/O operations.

Mustang Panda deployed a previously undocumented kernel-mode rootkit driver in an attack detected in mid-2025 against an entity in Asia, with campaigns targeting government organizations in Myanmar and Thailand, according to Kaspersky. The driver registers as a Microsoft.com/en-us/Windows-hardware/drivers/ifs/about-file-system-filter-drivers”>minifilter driver, a type of file system filter that sits in the I/O stack to monitor or modify file operations.

- Advertisement -

The driver binary, named “ProjectConfiguration.sys,” is signed with a certificate issued to Guangzhou Kingteller Technology Co., Ltd that was valid from 2012 to 2015. “The driver file is signed with an old, stolen, or leaked digital certificate,” the report stated.

The Malware bundles two user-mode shellcodes embedded in the .data section and injects a small delay shellcode and then the TONESHELL backdoor into the same spawned svchost.exe. “The rootkit functionality protects both the driver’s own module and the user-mode processes into which the backdoor code is injected,” researchers said.

Key driver capabilities include resolving kernel APIs by hashing, blocking file-delete and file-rename operations, denying access to protected registry keys via a RegistryCallback routine, and intercepting process operations for listed process IDs. The driver also alters the altitude used by filters (see allocated altitudes) to bypass lower-altitude antivirus filters.

The TONESHELL implant establishes a TCP connection to C2 domains (for example, avocadomechanism[.]com and potherbreference[.]com) over port 443. Commands include creating temporary files, downloading and uploading files, canceling transfers, establishing a remote shell, receiving operator commands, and closing the connection.

- Advertisement -

Researchers note this is the first observed use of a kernel-mode loader for TONESHELL, increasing stealth and resilience. Memory forensics is required to detect the in-memory shellcode and confirm infection.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

IMF: Dollar stablecoins may amplify currency runs in fixed-rate economies

An IMF working paper by economist Brandon Joel Tan models how dollar stablecoins improve...

Japan Plans to Legalize Cryptocurrency ETFs, Minister Says

Japanese Finance Minister Satsuki Katayama announced plans to legalize cryptocurrency ETFs.ETFs let investors gain...

Robinhood enables AI agents for crypto trades in US

Robinhood will allow eligible US crypto traders to connect third-party AI agents for autonomous...

Musk directs Tesla to adopt Grok 4.5 for lower token costs

Elon Musk directed Tesla staff to adopt xAI's Grok 4.5, citing lower token costs...

Bitcoin Surges to $65K Amid Multiple Bullish Catalysts

Bitcoin rallied above $64,600 on July 10, climbing more than 15% from its July...

Must Read

Top 9 Most Legit Bitcoin Faucets

Bitcoin faucets are platforms where you can earn Bitcoin free. Some other faucet apps and websites allow users to receive different cryptocurrencies for free....
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading