Mustang Panda Uses Signed Kernel-Mode Rootkit to Load TONESHELL Backdoor
Briefly

"The Chinese hacking group known as Mustang Panda has leveraged a previously undocumented kernel-mode rootkit driver to deliver a new variant of backdoor dubbed TONESHELL in a cyber attack detected in mid-2025 targeting an unspecified entity in Asia. The findings come from Kaspersky, which observed the new backdoor variant in cyber espionage campaigns mounted by the hacking group targeting government organizations in Southeast and East Asia, primarily Myanmar and Thailand."
""The driver file is signed with an old, stolen, or leaked digital certificate and registers as a minifilter driver on infected machines," the Russian cybersecurity company said. "Its end-goal is to inject a backdoor trojan into the system processes and provide protection for malicious files, user-mode processes, and registry keys." The final payload deployed as part of the attack is TONESHELL, an implant with reverse shell and downloader capabilities to fetch next-stage malware onto compromised hosts."
Mustang Panda deployed a previously undocumented kernel-mode rootkit driver to install a new TONESHELL backdoor during a mid-2025 attack against an unspecified Asian entity. The driver registers as a minifilter, injects a backdoor into system processes, and provides protection for malicious files, user-mode processes, and registry keys. The driver file is signed with an old, stolen, or leaked digital certificate issued to Guangzhou Kingteller Technology Co., Ltd, valid from August 2012. TONESHELL offers reverse shell and downloader functionality to fetch next-stage malware and has been observed since late 2022. Command-and-control infrastructure dates to September 2024, with the campaign likely starting February 2025. Initial access is unclear but likely involved previously compromised machines. Related activity includes TONEDISK (WispRider) and a Yokai backdoor targeting Thai entities as recently as September 2025.
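The technique described above (a kernel driver registered as a minifilter and signed with an old or stolen certificate) can be hunted for on a Windows host by enumerating loaded minifilters and inspecting the Authenticode signature on each driver file. The following PowerShell is an added example, not code from the article or from Kaspersky; it assumes it is run as Administrator, that the `fltmc` filter name matches the driver's service key name (usually but not always true), and it uses a constructed 2013-01-01 cutoff to flag certificates at least as old as the August 2012 one mentioned above.

```powershell
# Added example: list loaded minifilter drivers and flag suspicious signatures.
# Assumptions: elevated session; filter name == service key name under
# HKLM:\SYSTEM\CurrentControlSet\Services; cutoff date is a constructed threshold.
$Cutoff = Get-Date '2013-01-01'

# 'fltmc filters' prints a header, a dashed separator, then one line per filter;
# the first whitespace-delimited column is the filter name.
$filterNames = fltmc filters |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and $_ -notmatch '^Filter Name' -and $_ -notmatch '^-+' } |
    ForEach-Object { ($_ -split '\s+')[0] }

foreach ($name in $filterNames) {
    # A registered minifilter has a service entry whose ImagePath points at the .sys file.
    $svc = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$name" -ErrorAction SilentlyContinue
    if (-not $svc -or -not $svc.ImagePath) { continue }

    # ImagePath may be relative (system32\drivers\x.sys) or prefixed with \??\ or \SystemRoot\.
    $path = $svc.ImagePath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not [System.IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
    if (-not (Test-Path $path)) { continue }

    # Check the embedded or catalog signature and the signer certificate's validity window.
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $cert = $sig.SignerCertificate
    $flags = @()
    if ($sig.Status -ne 'Valid')                    { $flags += "status=$($sig.Status)" }
    if ($cert -and $cert.NotBefore -lt $Cutoff)     { $flags += "cert issued $($cert.NotBefore.ToShortDateString())" }
    if ($cert -and $cert.NotAfter -lt (Get-Date))   { $flags += "cert expired $($cert.NotAfter.ToShortDateString())" }

    [PSCustomObject]@{
        Filter = $name
        Path   = $path
        Signer = if ($cert) { $cert.Subject } else { '<unsigned>' }
        Flags  = ($flags -join '; ')
    }
}
```

Entries with a non-empty Flags column deserve a closer look: an in-box Microsoft driver will normally show a valid catalog signature from a current certificate, while a third-party minifilter signed with a decade-old or expired leaf certificate matches the pattern in this report.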
Read at The Hacker News