Mustang Panda deploys ToneShell via signed kernel-mode rootkit driver

China-linked APT Mustang Panda used a signed kernel-mode rootkit driver to load shellcode and deploy its ToneShell backdoor.
China-linked APT Mustang Panda (aka Hive0154, HoneyMyte, Camaro Dragon, RedDelta or Bronze President) was observed using a signed kernel-mode rootkit driver with embedded shellcode to deploy its ToneShell backdoor.
Mustang Panda has been active since at least 2012, targeting American and European entities such as government organizations, think tanks, NGOs, and even Catholic organizations at the Vatican.
In mid-2025, Kaspersky researchers discovered a malicious kernel driver on systems in Asia, signed with a stolen or leaked certificate and installed as a mini-filter driver. Its purpose is to protect malicious components and inject a backdoor into system processes.
“The driver file is signed with a digital certificate from Guangzhou Kingteller Technology Co., Ltd., with a serial number of 08 01 CC 11 EB 4D 1D 33 1E 3D 54 0C 55 A4 9F 7F. The certificate was valid from August 2012 until 2015.” reads the report published by Kaspersky.
“We found multiple other malicious files signed with the same certificate which didn’t show any connections to the attacks described in this article. Therefore, we believe that other threat actors have been using it to sign their malicious tools as well.”
The final payload is a new variant of the ToneShell backdoor, which enables remote access and command execution. ToneShell is linked exclusively to the Mustang Panda APT. The campaign targeted government entities in Southeast and East Asia, especially Myanmar and Thailand, with attacks likely starting in February 2025.
The malicious driver, named ProjectConfiguration.sys, installs itself as a kernel mini-filter and contains two user-mode shellcodes that execute in separate threads. It dynamically resolves Windows APIs using hashed values to hide its behavior and injects the ToneShell backdoor into system processes.
The driver protects itself by blocking file deletion or renaming attempts and by safeguarding specific registry keys through registered callbacks, returning access-denied errors. It deliberately uses a high filter altitude to intercept operations before antivirus drivers and even disables Microsoft Defender’s WdFilter.
“Finally, the malware tampers with the altitude assigned to WdFilter, a key Microsoft Defender driver. It locates the registry entry containing the driver’s altitude and changes it to 0, effectively preventing WdFilter from being loaded into the I/O stack.” continues the report.
To protect injected processes, it intercepts handle creation and duplication, denying access to protected PIDs. The driver spawns an svchost process, injects a delay shellcode, then injects the final ToneShell payload, maintaining protection until execution completes, after which it removes traces and terminates the process.
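As an added defender-side example (not code from the Kaspersky report), the check below parses `fltmc filters` output, flags a missing or zero-altitude WdFilter, and lists every minifilter loaded above Defender's layer, which is where a driver that wants to see file operations first would sit. The sample output is constructed, and the filter name `ProjectConfiguration` is assumed from the driver file name on the page.

```python
import re

# WdFilter's altitude on a stock Windows install (FSFilter Anti-Virus group).
WDFILTER_EXPECTED_ALTITUDE = 328010

# Constructed sample in the layout printed by `fltmc filters`. WdFilter is
# absent because a zeroed altitude keeps it out of the I/O stack entirely.
SAMPLE_FLTMC_OUTPUT = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
ProjectConfiguration                    2       409800         0
storqosflt                              0       244000         0
wcifs                                   0       189900         0
FileInfo                                8        45000         0
"""

# "<name>  <instances>  <altitude>  <frame>"; altitudes may carry a decimal part.
_LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+([\d.]+)\s+(\d+)\s*$")


def parse_fltmc(text):
    """Return {filter_name: altitude} parsed from `fltmc filters` output."""
    filters = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            filters[m.group(1)] = float(m.group(3))
    return filters


def check_altitudes(filters, av_name="WdFilter"):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    av_alt = filters.get(av_name)
    if av_alt is None:
        findings.append(f"{av_name} is not loaded")
    elif av_alt == 0:
        findings.append(f"{av_name} altitude is 0 (tampered; expected {WDFILTER_EXPECTED_ALTITUDE})")
    elif av_alt != WDFILTER_EXPECTED_ALTITUDE:
        findings.append(f"{av_name} altitude is {av_alt:g}, expected {WDFILTER_EXPECTED_ALTITUDE}")
    # Anything above the AV layer intercepts I/O before Defender can inspect it.
    reference = av_alt if av_alt else WDFILTER_EXPECTED_ALTITUDE
    for name, alt in sorted(filters.items(), key=lambda kv: -kv[1]):
        if name != av_name and alt > reference:
            findings.append(f"{name} at altitude {alt:g} sits above {av_name}")
    return findings


if __name__ == "__main__":
    for finding in check_altitudes(parse_fltmc(SAMPLE_FLTMC_OUTPUT)):
        print("[!]", finding)
```

On a live host, pipe the real `fltmc filters` output into `parse_fltmc`; the registry value the report describes lives under the WdFilter service's `Instances` key and can be compared against the same expected altitude.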

The final attack stage deploys ToneShell, marking the first observed use of a kernel-mode loader to deliver it. This approach shields the malware from user-mode monitoring and leverages rootkit features to evade security tools. Unlike earlier variants that used GUIDs, this version creates or validates a host ID via a marker file (C:\ProgramData\MicrosoftOneDrive.tlb), generating a pseudo-random identifier if the file is absent. ToneShell communicates with C2 servers over raw TCP on port 443, masking traffic with fake TLS 1.3 headers and encrypted payloads.
It supports file transfer, remote shell access, session control, and command execution, enabling full remote control of infected systems.
“We assess with high confidence that the activity described in this report is linked to the HoneyMyte threat actor. This conclusion is supported by the use of the ToneShell backdoor as the final-stage payload, as well as the presence of additional tools long associated with HoneyMyte – such as PlugX, and the ToneDisk USB worm – on the impacted systems.” concludes the report. “Because the shellcode executes entirely in memory, memory forensics becomes essential for uncovering and analyzing this intrusion. Detecting the injected shellcode is a key indicator of ToneShell’s presence on compromised hosts.”
In September, Mustang Panda was spotted using an updated version of the TONESHELL backdoor and a previously undocumented USB worm called SnakeDisk.
Pierluigi Paganini
