malware | International | Security Affairs
Mustang Panda deploys ToneShell via signed kernel-mode rootkit driver
Tuesday, December 30, 2025
What
The Mustang Panda APT utilized a kernel-mode rootkit driver, signed with a stolen/leaked certificate, to load shellcode and inject its ToneShell backdoor into system processes. This approach ensures high-privilege execution and robust evasion by disabling security features like Microsoft Defender's WdFilter and protecting its components.
Where
Government entities in Southeast and East Asia, specifically Myanmar and Thailand.
When
Attacks likely started in February 2025, with Kaspersky researchers discovering the malicious driver in mid-2025. The report was published December 30, 2025.
Key Factors
- Mustang Panda (aka Hive0154, HoneyMyte, Camaro Dragon, RedDelta, Bronze President) deployed the ToneShell backdoor using a signed kernel-mode rootkit driver (ProjectConfiguration.sys), marking the first observed use of such a loader for ToneShell.
- The rootkit driver operates at a high filter altitude, actively disabling Microsoft Defender's WdFilter and protecting its components by blocking file deletion/renaming and safeguarding registry keys, making detection and removal extremely difficult.
- ToneShell communicates with C2 servers over raw TCP on port 443, masking traffic with fake TLS 1.3 headers and encrypted payloads, supporting full remote control capabilities including file transfer and shell access.
Takeaways
- Organizations should implement memory forensics to detect the injected shellcode, as the malware executes entirely in memory, and monitor for unusual kernel-mode driver activity.
- Strengthen supply chain security to prevent the compromise of digital certificates and enhance endpoint detection and response (EDR) solutions to identify sophisticated rootkit behaviors.
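Added example (not from the Security Affairs article or Kaspersky's report): a small Python triage script for the driver-monitoring takeaway above and the WdFilter/filter-altitude behaviour listed under Key Factors. It parses `fltmc filters` output (a constructed sample is embedded), flags minifilters not in a baseline allowlist, and reports when WdFilter is absent. The baseline set, the altitude shown for the ProjectConfiguration filter, and the assumption that the filter registers under its file name are all assumptions, not facts from the report.

```python
import re

# WdFilter's allocated minifilter altitude (FSFilter Anti-Virus range).
WDFILTER_ALTITUDE = 328010

# Assumed baseline of minifilter names expected on a stock Windows client.
# Build this from a known-good host in your own environment.
BASELINE = {"bindflt", "wdfilter", "storqosflt", "wcifs", "cldflt",
            "filecrypt", "luafv", "npsvctrig", "wof", "fileinfo"}

# Constructed sample of `fltmc filters` output. WdFilter is deliberately
# missing and an unknown high-altitude filter is present; the altitude
# value for ProjectConfiguration is invented for illustration.
SAMPLE_FLTMC_OUTPUT = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
bindflt                                 1       409800         0
ProjectConfiguration                    3       385300         0
storqosflt                              0       244000         0
wcifs                                   0       189900         0
FileInfo                                5        45000         0
"""

# One data row: name, instance count, altitude, frame.
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+(?:\.\d+)?)\s+(\d+)\s*$")


def parse_fltmc(text):
    """Return [(name, instances, altitude)] parsed from fltmc output."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # header and separator lines do not match the row pattern
            rows.append((m.group(1), int(m.group(2)), float(m.group(3))))
    return rows


def triage_filters(rows):
    """Flag a missing WdFilter and any minifilter outside the baseline."""
    findings = []
    loaded = {name.lower() for name, _, _ in rows}
    if "wdfilter" not in loaded:
        findings.append("WdFilter not loaded: Defender's minifilter may have been "
                        "unloaded or blocked")
    for name, instances, altitude in rows:
        if name.lower() not in BASELINE:
            position = "above" if altitude > WDFILTER_ALTITUDE else "below"
            findings.append(f"unknown minifilter {name} at altitude {altitude:g} "
                            f"({position} WdFilter), {instances} instances")
    return findings


if __name__ == "__main__":
    for finding in triage_filters(parse_fltmc(SAMPLE_FLTMC_OUTPUT)):
        print(finding)
```

On a live host, replace the sample with the captured output of `fltmc filters` run from an elevated prompt; a filter sitting above WdFilter's altitude sees file I/O before Defender does, which is why deviations from the baseline in that range deserve a closer look.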