
Mustang Panda Unleashes Sophisticated Kernel-Mode Rootkit to Deploy TONESHELL Backdoor


Mustang Panda Elevates Cyber Espionage with Novel Kernel-Mode Rootkit

The notorious Chinese advanced persistent threat (APT) group, Mustang Panda, has significantly escalated its cyber espionage capabilities by deploying a previously undocumented kernel-mode rootkit driver. This sophisticated new tool is being used to deliver a fresh variant of their infamous TONESHELL backdoor, as revealed by Kaspersky researchers following a mid-2025 cyber attack targeting an unspecified entity in Asia.

The findings underscore Mustang Panda’s persistent focus on government organizations across Southeast and East Asia, with Myanmar and Thailand being primary targets. This latest evolution in their arsenal demonstrates a clear intent to enhance stealth, persistence, and evasion techniques against modern cybersecurity defenses.

The Stealthy Kernel-Mode Rootkit: A Deep Dive

Kaspersky’s analysis highlights the rootkit driver’s cunning design. “The driver file is signed with an old, stolen, or leaked digital certificate and registers as a minifilter driver on infected machines,” the cybersecurity firm reported. This allows the rootkit to embed itself deep within the operating system, operating with elevated privileges and making detection and removal exceptionally difficult.

A Stolen Signature: The Guangzhou Kingteller Connection

The malicious driver, named “ProjectConfiguration.sys,” bears a digital certificate from Guangzhou Kingteller Technology Co., Ltd., a Chinese company specializing in ATM distribution. Intriguingly, this certificate was valid between August 2012 and 2015. Given that other unrelated malicious artifacts have been observed using the same certificate, it’s strongly suspected that Mustang Panda leveraged a leaked or stolen certificate to lend an air of legitimacy to their illicit operations.

Rootkit’s Defensive Arsenal: Evading Detection

Once deployed, the rootkit’s primary objective is to inject the TONESHELL backdoor into system processes and then provide robust protection for malicious files, user-mode processes, and registry keys. Its advanced features include:

  • Dynamic API Resolution: Resolves kernel APIs at runtime using hashing algorithms, making static analysis harder.
  • Self-Preservation: Monitors file-delete and file-rename operations to prevent its own removal or alteration.
  • Registry Protection: Denies attempts to create or open protected registry keys by registering a high-altitude RegistryCallback routine.
  • Microsoft Defender Interference: Manipulates the altitude of Microsoft Defender’s WdFilter.sys driver, changing it to zero (from its default 328010) to prevent it from loading correctly into the I/O stack.
  • Process Protection: Intercepts process-related operations, denying access to any process on its protected list, only removing protection once execution completes.

Kaspersky emphasized the significance of the rootkit’s chosen altitude: “Microsoft designates the 320000–329999 altitude range for the FSFilter Anti-Virus Load Order Group. The malware’s chosen altitude exceeds this range. Since filters with lower altitudes sit deeper in the I/O stack, the malicious driver intercepts file operations before legitimate low-altitude filters like antivirus components, allowing it to circumvent security checks.”
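The altitude tampering and the stale-certificate signing described above translate into a host-side audit a defender can run. The following PowerShell script is an added example, not code from the article or from Kaspersky; it assumes only the standard minifilter registry layout (Services\<driver>\Instances\<instance>\Altitude), the 328010 WdFilter default and the 320000–329999 anti-virus range quoted in the article.

```powershell
# Added example, not code from the article or from Kaspersky. Audits registered
# minifilter altitudes and driver signatures for the tampering described above:
# an altitude forced to 0 (WdFilter's default is 328010, per the article) and a
# filter above the 320000-329999 anti-virus group signed with an expired certificate.
# Run in an elevated PowerShell on a host you are authorised to inspect.

$expected  = @{ 'WdFilter' = '328010' }     # baseline; extend with filters you know
$avRangeHi = 329999                          # top of the FSFilter Anti-Virus group
$services  = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Resolve-DriverImage([string]$imagePath) {
    # Turn a service ImagePath (\SystemRoot\..., \??\C:\..., or relative) into a file path.
    $p = $imagePath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$findings = foreach ($svc in Get-ChildItem $services -ErrorAction SilentlyContinue) {
    $instances = Join-Path $svc.PSPath 'Instances'
    if (-not (Test-Path $instances)) { continue }           # not a minifilter
    $name      = $svc.PSChildName
    $imagePath = (Get-ItemProperty $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
    $cert      = $null
    if ($imagePath) {
        $sig  = Get-AuthenticodeSignature (Resolve-DriverImage $imagePath) -ErrorAction SilentlyContinue
        $cert = $sig.SignerCertificate
    }
    foreach ($inst in Get-ChildItem $instances) {
        $alt    = (Get-ItemProperty $inst.PSPath -ErrorAction SilentlyContinue).Altitude
        $altNum = $alt -as [int64]
        if ($null -eq $altNum) { continue }                 # missing or non-numeric altitude

        if ($altNum -eq 0) {
            [pscustomobject]@{ Filter = $name; Altitude = $alt; Issue = 'altitude 0: filter will not attach correctly' }
        }
        if ($expected.ContainsKey($name) -and $alt -ne $expected[$name]) {
            [pscustomobject]@{ Filter = $name; Altitude = $alt; Issue = "expected altitude $($expected[$name])" }
        }
        # Filters above the AV group intercept I/O before anti-virus filters; an expired
        # signer there is a review item, not a verdict (older legitimate drivers may be timestamped).
        if ($altNum -gt $avRangeHi -and $cert -and $cert.NotAfter -lt (Get-Date)) {
            [pscustomobject]@{ Filter = $name; Altitude = $alt;
                Issue = "above AV group; signer '$($cert.Subject)' expired $($cert.NotAfter.ToShortDateString())" }
        }
    }
}
$findings | Format-Table -AutoSize
```

Compare the output against `fltmc filters`, which lists the altitudes of filters actually loaded, so a registry value of 0 that no longer matches a running instance stands out.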

TONESHELL: The Persistent Backdoor

The ultimate payload delivered by this sophisticated rootkit is TONESHELL, an implant with powerful reverse shell and downloader capabilities. TONESHELL has been a staple in Mustang Panda’s toolkit since at least late 2022. Recent activities, as late as September 2025, linked the threat actor to attacks on Thai entities, often paired with the TONEDISK (aka WispRider) USB worm, which uses removable devices to spread another backdoor known as Yokai.

Command and Control: A New Infrastructure

The command-and-control (C2) infrastructure for TONESHELL, utilizing domains like “avocadomechanism[.]com” or “potherbreference[.]com” over TCP port 443, is believed to have been established in September 2024, with campaigns commencing in February 2025. Once active, TONESHELL can:

  • Create temporary files for incoming data.
  • Download and upload files.
  • Establish and terminate remote shells via pipes.
  • Receive and execute operator commands.

The Broader Implications and Detection Challenges

The deployment of TONESHELL via a kernel-mode loader marks a significant advancement for Mustang Panda, enabling them to conceal their activities from many traditional security tools. The exact initial access vector remains unclear, though it’s suspected that compromised machines were leveraged to deploy the malicious driver.

This development underscores Mustang Panda’s evolving toolset, designed to maintain persistence and hide their backdoors more effectively. Kaspersky notes that memory forensics will be crucial for analyzing new TONESHELL infections, as the shellcode executes entirely in memory, leaving fewer traces on disk. This new threat highlights the critical need for advanced detection capabilities and a multi-layered security approach to counter increasingly sophisticated cyber espionage campaigns.
