Tags: malware · Asia-Pacific · Source: BleepingComputer

Chinese state hackers use rootkit to hide ToneShell malware activity

Tuesday, December 30, 2025


What

Chinese state hackers, identified as the Mustang Panda group, have evolved their tactics by using a kernel-mode rootkit to deliver and conceal the ToneShell backdoor. The rootkit is a file system mini-filter driver, ProjectConfiguration.sys, that hides the infection from user-mode monitoring tools and interferes with security products such as Microsoft Defender. The new ToneShell variant itself carries heavier obfuscation and an expanded set of remote-control commands, a significant upgrade in the group's operational stealth and resilience against detection.

Where

The attacks primarily target government organizations in Asia; confirmed victims are in Myanmar and Thailand, with further victims elsewhere in the region. The compromised entities had prior infections with older ToneShell variants, PlugX malware, or the ToneDisk USB worm.

When

The campaigns utilizing this new kernel-mode loader and ToneShell variant have been active since at least February 2025, with security researchers at Kaspersky analyzing the malicious driver and reporting their findings in December 2025.

Key Factors

  • The ProjectConfiguration.sys rootkit is a file system mini-filter driver signed with a stolen or leaked code-signing certificate (validity period 2012-2015). As a mini-filter it can inspect, modify, or block file operations, and it uses that position to protect its own files and registry keys from deletion or modification.
  • The rootkit enhances stealth by resolving the kernel APIs it needs at runtime (so the imports are not visible to static analysis), by registering at a mini-filter altitude above the range reserved for antivirus filters (so it sits above them in the I/O stack), and by actively interfering with Microsoft Defender through changes to the configuration of its WdFilter driver.
  • To shield injected user-mode payloads, the driver maintains a list of protected process IDs and denies other processes handles to them while the payloads are executing; the protection is removed once execution completes.
  • The new ToneShell variant introduces a 4-byte host identification scheme, obfuscates its network traffic behind fake TLS headers, and supports an expanded set of remote operations including file transfer, remote shell establishment, and connection management.

Takeaways

  • Organizations, especially government agencies and high-profile entities in Asia, should prioritize advanced threat detection and response capabilities, including memory forensics, to uncover sophisticated kernel-mode infections.
  • The evolution of TTPs by state-sponsored groups like Mustang Panda, particularly the adoption of kernel-mode rootkits, signifies a growing challenge for traditional user-mode security solutions and demands a multi-layered defense strategy.
  • Regularly audit and monitor kernel-mode drivers, including the loaded mini-filter set and the altitudes and signers of each filter; enforce strict driver code-signing policies (for example, WDAC or HVCI-backed driver blocklists); and ensure security products are configured to detect and prevent unauthorized kernel-level modifications to mitigate the risk of such advanced persistent threats.
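The following is an added hunting script, not code from the article, from BleepingComputer, or from Kaspersky's analysis. It inventories the mini-filters loaded on a Windows host and flags the two properties the Key Factors attribute to ProjectConfiguration.sys: an altitude above the Anti-Virus load-order range, and a signing certificate whose validity period has already ended. The only assumption beyond the article is Microsoft's published altitude allocation, in which the FSFilter Anti-Virus group occupies 320000-329999; a filter with a higher altitude attaches above the antivirus filter and sees file I/O before it does. Run it from an elevated PowerShell session, since fltmc requires administrator rights.

```powershell
# Added hunting script (not from the article or Kaspersky). Inventories loaded
# mini-filters and flags altitude-above-AV and expired-signer conditions.
# Assumption: FSFilter Anti-Virus altitudes are 320000-329999 (Microsoft's
# published load-order groups). Requires an elevated session.

$AvAltitudeHigh = 329999

function Resolve-DriverImagePath {
    param([string]$PathName)
    # Win32_SystemDriver.PathName comes back as \SystemRoot\..., \??\C:\...,
    # or a bare System32\drivers\... path; normalise to a Win32 path.
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-MinifilterInventory {
    # fltmc has no cmdlet equivalent, so its table is parsed line by line:
    #   <FilterName>  <NumInstances>  <Altitude>  <Frame>
    $rows = foreach ($line in (fltmc filters)) {
        if ($line -notmatch '^(\S+)\s+(\d+)\s+([\d.]+)\s+(\d+)\s*$') { continue }
        $name     = $Matches[1]
        $altitude = [double]$Matches[3]

        # Most mini-filters register under a service of the same name.
        $svc   = Get-CimInstance Win32_SystemDriver -Filter "Name='$name'" -ErrorAction SilentlyContinue
        $image = Resolve-DriverImagePath $svc.PathName
        $sig   = if ($image -and (Test-Path $image)) { Get-AuthenticodeSignature -FilePath $image } else { $null }
        $cert  = if ($sig) { $sig.SignerCertificate } else { $null }

        [pscustomobject]@{
            Filter        = $name
            Altitude      = $altitude
            AboveAvRange  = ($altitude -gt $AvAltitudeHigh)
            Image         = $image
            SigStatus     = if ($sig) { $sig.Status.ToString() } else { 'NoImage' }
            Signer        = if ($cert) { $cert.Subject } else { $null }
            CertNotBefore = if ($cert) { $cert.NotBefore } else { $null }
            CertNotAfter  = if ($cert) { $cert.NotAfter } else { $null }
            CertExpired   = ($cert -and $cert.NotAfter -lt (Get-Date))
        }
    }
    return $rows
}

$inventory = Get-MinifilterInventory

# Full picture, highest altitude first (the filter that sees I/O earliest).
$inventory | Sort-Object Altitude -Descending |
    Format-Table Filter, Altitude, AboveAvRange, SigStatus, CertExpired, Signer -AutoSize

# Defender's own mini-filter should be present; the article reports the
# rootkit tampering with WdFilter's configuration, so its absence is notable.
if (-not ($inventory | Where-Object Filter -eq 'WdFilter')) {
    Write-Warning 'WdFilter is not loaded: Defender real-time protection is not filtering file I/O.'
}

# Triage list: above the AV range and either not validly signed, signed by a
# certificate that has already expired, or not signed by Microsoft. Legitimate
# third-party filters will land here too; review them, do not auto-act.
$inventory | Where-Object {
    $_.AboveAvRange -and (
        $_.SigStatus -ne 'Valid' -or
        $_.CertExpired -or
        $_.Signer -notmatch 'O=Microsoft Corporation'
    )
} | Format-List Filter, Altitude, Image, SigStatus, Signer, CertNotBefore, CertNotAfter
```

Two caveats apply to the output. A validly signed driver whose certificate has since expired is normal when the signature was timestamped, so CertExpired alone is a prompt to look at the signer and the validity window, not a verdict; a narrow window such as 2012-2015 on a driver first seen in 2025 is what makes the case here suspicious. More importantly, the inventory is produced by the same kernel the rootkit lives in, and a mini-filter that blocks or rewrites file operations can also feed fltmc and Get-AuthenticodeSignature tampered data, so corroborate any finding with memory forensics or an offline image of the disk, as the Takeaways recommend.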