malware | International | The Hacker News

Mustang Panda Uses Signed Kernel-Mode Rootkit to Load TONESHELL Backdoor

Tuesday, December 30, 2025

What

Mustang Panda (aka HoneyMyte) has added a kernel-mode rootkit to its cyber espionage toolset and is using it to deploy a new variant of the TONESHELL backdoor. The driver, "ProjectConfiguration.sys," is signed with an old, likely stolen digital certificate; once loaded it injects TONESHELL into a system process and shields its components from detection. The rootkit also interferes with legitimate security drivers such as Microsoft Defender's minifilter: it manipulates their load order and registers its own filter at a higher altitude in the file system I/O stack, so its callbacks run before, and can hide activity from, the security filters below it. The result is a TONESHELL infection that is harder to detect and remove.

Where

The attacks primarily target government organizations in Southeast and East Asia, specifically Myanmar and Thailand. An unspecified entity in Asia was also targeted.

When

The intrusion was detected in mid-2025. The C2 infrastructure for TONESHELL was reportedly set up in September 2024, and the campaign itself began in February 2025. TONESHELL has been attributed to Mustang Panda since at least late 2022. The digital certificate used to sign the driver was valid from August 2012 to 2015.

Key Factors

  • The kernel-mode rootkit driver ("ProjectConfiguration.sys") is a significant new addition to Mustang Panda's arsenal. It registers as a file system minifilter at a high altitude (330024 or above), above the range allocated to antivirus filters. Because the Filter Manager invokes pre-operation callbacks from the highest altitude downward, the rootkit sees and can alter file operations before lower-altitude filters such as antivirus components.
  • The driver actively interferes with security products: it changes the altitude of Microsoft Defender's WdFilter.sys minifilter (normally 328010) to zero, which prevents it from attaching correctly to the I/O stack and so sidesteps its security checks.
  • The malicious driver is signed with an old digital certificate issued to Guangzhou Kingteller Technology Co., Ltd, a Chinese ATM company, valid from 2012 to 2015 and most likely stolen or leaked. Expiry does not make such a certificate useless: a signature countersigned with a timestamp from the certificate's validity period continues to verify, and Windows 10 still accepts cross-signed kernel drivers signed with certificates issued before its mid-2015 driver-signing policy change. The long-lapsed certificate therefore points to credentials acquired long ago, whether through a compromise of the signer or a later leak, and held for years before use.
  • The final payload, TONESHELL, is injected into an `svchost.exe` process after the driver drops a small user-mode component. It communicates with C2 over TCP port 443 to domains such as `avocadomechanism[.]com` and offers reverse shell and downloader capabilities.

Takeaways

  • Government organizations in Southeast and East Asia should assume targeting by Mustang Panda and deploy endpoint detection and response (EDR) tooling that monitors kernel-mode activity (driver loads, minifilter registrations) and supports memory forensics, since a rootkit at this level can hide from user-mode inspection.
  • Kernel-mode rootkits and stolen code-signing certificates bypass security layers that implicitly trust signed drivers; defenders need proactive threat hunting for anomalous drivers and filter altitudes, together with supply chain security audits of the code-signing chain.
  • Audit and monitor the digital certificates trusted in the environment and enforce strict code signing policies. An expired certificate alone does not invalidate a timestamped signature, so blocking a driver like this depends on revocation, Microsoft's vulnerable driver blocklist, or an explicit WDAC deny rule rather than on the expiry date.
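As an added example, not code from the article or from the underlying research, the following PowerShell audit ties together the Key Factors above and the certificate takeaway: it reads each minifilter's registry-configured altitude, checks whether WdFilter still sits at its allocated altitude, flags non-Microsoft filters registered above Defender's range, and inspects each filter driver's Authenticode signature for the expired-but-timestamped pattern. The expected WdFilter altitude of 328010 is Microsoft's allocated value; the 330000 threshold, the `Microsoft` subject match and the flag names are assumptions chosen for this example.

```powershell
# Added example (not from the article or the underlying research): audit minifilter
# altitudes from the registry and the Authenticode signature of each filter driver.
# Run in an elevated PowerShell on the host under investigation. The expected
# WdFilter altitude (328010) is Microsoft's allocated value; the 330000 threshold
# is an assumption taken from the altitude the article attributes to the rootkit.

$ExpectedWdFilterAltitude = 328010
$SuspiciousAltitudeFloor  = 330000

function Resolve-DriverPath {
    # Normalise the ImagePath forms seen under Services\<driver>:
    # "system32\drivers\x.sys", "\SystemRoot\...", "\??\C:\...", "%SystemRoot%\..."
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim('"'))
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^\\\?\?\\', ''
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-MinifilterAltitudes {
    # A minifilter registers Instances\<instance>\Altitude (REG_SZ) under its service key;
    # this is the value the Filter Manager reads when attaching the filter.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($svc in Get-ChildItem $root -ErrorAction SilentlyContinue) {
        $instKey = "$($svc.PSPath)\Instances"
        if (-not (Test-Path $instKey)) { continue }
        $image = (Get-ItemProperty $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
        foreach ($inst in Get-ChildItem $instKey -ErrorAction SilentlyContinue) {
            $alt = (Get-ItemProperty $inst.PSPath -ErrorAction SilentlyContinue).Altitude
            if ($null -eq $alt) { continue }
            [pscustomobject]@{
                Service     = $svc.PSChildName
                Instance    = $inst.PSChildName
                Altitude    = ($alt -as [double])   # $null if the string is not numeric
                RawAltitude = [string]$alt
                Path        = Resolve-DriverPath $image
            }
        }
    }
}

function Test-DriverSignature {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path $Path)) {
        return [pscustomobject]@{ Status = 'FileNotFound'; Signer = $null; NotAfter = $null; Timestamped = $false }
    }
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    [pscustomobject]@{
        Status      = $sig.Status.ToString()
        Signer      = if ($cert) { $cert.Subject } else { $null }
        NotAfter    = if ($cert) { $cert.NotAfter } else { $null }
        # A timestamp countersignature keeps the signature valid after the certificate
        # expires, which is why a certificate that lapsed in 2015 still signs a loadable driver.
        Timestamped = [bool]$sig.TimeStamperCertificate
    }
}

function Invoke-MinifilterAudit {
    $filters = @(Get-MinifilterAltitudes)
    $wd = $filters | Where-Object Service -eq 'WdFilter' | Select-Object -First 1
    if (-not $wd) {
        Write-Warning 'WdFilter has no Instances\*\Altitude value: Defender minifilter is not registered'
    } elseif ($wd.Altitude -ne $ExpectedWdFilterAltitude) {
        Write-Warning ("WdFilter altitude is '{0}', expected {1}: possible tampering" -f $wd.RawAltitude, $ExpectedWdFilterAltitude)
    }
    foreach ($f in $filters | Sort-Object Altitude -Descending) {
        $sig   = Test-DriverSignature $f.Path
        $flags = @()
        if ($null -eq $f.Altitude -or $f.Altitude -le 0) { $flags += 'bad-altitude' }
        # Higher altitude = earlier pre-operation callback, so a non-Microsoft filter sitting
        # above Defender's range sees every file operation before Defender does.
        if ($f.Altitude -ge $SuspiciousAltitudeFloor -and $sig.Signer -notmatch 'Microsoft') { $flags += 'above-defender-non-microsoft' }
        if ($sig.Status -ne 'Valid') { $flags += "signature-$($sig.Status)" }
        if ($sig.NotAfter -and $sig.NotAfter -lt (Get-Date) -and $sig.Timestamped) { $flags += 'expired-cert-timestamped' }
        [pscustomobject]@{
            Service  = $f.Service
            Altitude = $f.RawAltitude
            Signer   = $sig.Signer
            Status   = $sig.Status
            Flags    = ($flags -join ',')
        }
    }
}

Invoke-MinifilterAudit | Format-Table -AutoSize
```

The registry is only the configured view, and a rootkit that tampers with WdFilter's altitude can also lie about its own entries, so compare this output with the live view from `fltmc filters` and `fltmc instances` and treat any filter present in one list but not the other as an indicator. A driver that fails the signature check, or that carries a valid but expired and timestamped non-Microsoft signature at an altitude above Defender, is worth pulling for analysis rather than simply deleting, since the timestamp and certificate details are what let you correlate it with the campaign described above.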