CybersecurityNewswireTechnology

Chinese Hackers Hide ToneShell Malware with Rootkit

Summary

– A new ToneShell backdoor sample was delivered via a kernel-mode loader in attacks against Asian government organizations, attributed to the Chinese Mustang Panda cyberespionage group.
– The backdoor was deployed by a malicious, signed driver that acts as a rootkit, evading analysis and blocking attempts to delete itself or modify its registry keys.
– This driver protects the malware by interfering with security tools like Microsoft Defender and shielding its injected user-mode payloads from detection.
– The new ToneShell variant features stealth enhancements, including a changed host ID scheme and network traffic obfuscation with fake TLS headers.
– Kaspersky researchers highlight the use of memory forensics for detection and assess that Mustang Panda has evolved its tactics for greater operational stealth.

A sophisticated new cyberespionage campaign is targeting government organizations across Asia, deploying a stealthy version of the ToneShell backdoor through a novel kernel-mode rootkit. Security analysts have linked this activity to the Mustang Panda hacking group, a threat actor known for targeting government bodies, non-governmental organizations, and think tanks on a global scale. Researchers at Kaspersky identified a malicious driver used in these attacks, with evidence pointing to operations against entities in Myanmar, Thailand, and other Asian nations since at least February 2025. Many of the compromised systems showed signs of prior infection from older ToneShell variants or related malware like PlugX, tools historically connected to state-sponsored Chinese cyber operations.

The notable evolution in this campaign is the delivery mechanism: a kernel-mode rootkit. The backdoor is loaded by a file-system mini-filter driver named `ProjectConfiguration.sys`, signed with a certificate issued to Guangzhou Kingteller Technology Co., Ltd. that appears to have been stolen or leaked. Mini-filters attach to the Windows Filter Manager and see file-system I/O before it reaches the file system, which lets them observe, modify, or fail individual operations. This particular driver is engineered for stealth and persistence.

To keep its import table uninformative to static analysis, the driver does not import the kernel functions it needs. Instead, it resolves them at runtime by scanning loaded kernel modules and comparing hashes of exported function names against hard-coded values. Once running, it registers as a mini-filter and begins intercepting file-system operations: its callbacks fail any attempt to delete or rename the driver file itself. The rootkit also protects its registry keys by registering a registry callback that denies attempts to create or open them. It registers at an altitude (the value that fixes a mini-filter's position in the filter stack) above the range allocated to anti-virus products. Because Filter Manager invokes pre-operation callbacks from the highest altitude downward, the rootkit sees and can fail requests before any anti-virus mini-filter is consulted.

The rootkit takes additional steps to neutralize defenses. It tampers with the configuration of Microsoft Defender's `WdFilter` mini-filter driver so that it does not load properly. To shield the malicious payloads it injects into user-mode processes, the driver maintains a list of protected process IDs and denies access to those processes while the payloads run, removing the protection only after execution completes. Kaspersky notes that this is the first observed instance of ToneShell being delivered by a kernel-mode loader, which places the loader beyond the reach of user-mode security monitoring and gives it rootkit capabilities for hiding from analysis tools.
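The altitude observation and the `WdFilter` tampering both show up in a single host-side check. As an added example (not code from the article, from Kaspersky, or from the malware), the Python script below parses the table printed by `fltmc filters`, flags mini-filters that sit above the anti-virus altitude range and are not in a known-good baseline, and reports whether Defender's `WdFilter` is loaded at all. The sample table, the baseline, and the altitude given to the `ProjectConfiguration` entry are constructed for illustration: the report summarized here does not state the rootkit's registered filter name or altitude, and a filter's registered name need not match its file name.

```python
"""Triage `fltmc filters` output for mini-filters positioned above the anti-virus range.

Filter Manager invokes pre-operation callbacks from the highest altitude downward, so
a filter registered above the anti-virus range can fail a delete or rename of its own
driver file before any AV mini-filter is consulted.
Added example; not code from the page or from the report it summarizes.
"""
import re

# Subset of Microsoft's allocated mini-filter altitude groups (low, high, name).
ALTITUDE_GROUPS = [
    (400000, 409999, "FSFilter Top"),
    (360000, 389999, "FSFilter Activity Monitor"),
    (340000, 349999, "FSFilter Undelete"),
    (320000, 329999, "FSFilter Anti-Virus"),
    (300000, 309999, "FSFilter Replication"),
    (240000, 249999, "FSFilter Quota Management"),
    (180000, 189999, "FSFilter HSM"),
    (130000, 139999, "FSFilter Virtualization"),
    (40000, 49999, "FSFilter Bottom"),
]
AV_HIGH = 329999  # top of the FSFilter Anti-Virus range

# Constructed sample in the layout fltmc prints. Altitudes of the Windows and Sysmon
# filters are their usual values; the ProjectConfiguration row and its altitude are
# invented for the example (the real filter name and altitude are not on the page).
SAMPLE_FLTMC = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
bindflt                                 1         409800         0
ProjectConfiguration                    3         387100         0
SysmonDrv                               5         385201         0
WdFilter                                5         328010         0
storqosflt                              0         244000         0
luafv                                   1         135000         0
FileInfo                                5          40500         0
"""

# Hypothetical known-good baseline of filters above the AV range on this fleet;
# build the real one from a clean reference host.
BASELINE_ABOVE_AV = frozenset({"bindflt", "sysmondrv"})

ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+(?:\.\d+)?)\s+(\d+)\s*$")


def parse_fltmc(text):
    """Return [(name, instances, altitude, frame)] rows from `fltmc filters` output."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)  # header and dashed separator lines do not match
        if m:
            rows.append((m.group(1), int(m.group(2)), float(m.group(3)), int(m.group(4))))
    return rows


def altitude_group(altitude):
    """Map an altitude to its allocated group, or 'unallocated' if outside the table."""
    for low, high, name in ALTITUDE_GROUPS:
        if low <= altitude <= high:
            return name
    return "unallocated"


def first_to_see_io(filters):
    """Name of the filter whose pre-operation callback runs first (highest altitude)."""
    return max(filters, key=lambda f: f[2])[0]


def filters_above_av(filters, baseline=BASELINE_ABOVE_AV):
    """Filters that see file I/O before any AV mini-filter and are not baselined."""
    return [f for f in filters if f[2] > AV_HIGH and f[0].lower() not in baseline]


def defender_filter_loaded(filters):
    """False when WdFilter is absent, i.e. Defender's mini-filter never attached."""
    return any(f[0].lower() == "wdfilter" for f in filters)


def triage(text, baseline=BASELINE_ABOVE_AV):
    """Return the findings for one fltmc table as a list of strings."""
    filters = parse_fltmc(text)
    findings = []
    for name, _, alt, _ in filters_above_av(filters, baseline):
        findings.append(f"{name} at {alt:.0f} ({altitude_group(alt)}) sits above the AV range")
    if not defender_filter_loaded(filters):
        findings.append("WdFilter not loaded: Defender mini-filter missing")
    return findings


if __name__ == "__main__":
    # On a live host, feed in subprocess.run(["fltmc", "filters"], capture_output=True, text=True).stdout
    for finding in triage(SAMPLE_FLTMC):
        print(finding)
```

`fltmc` needs an elevated prompt, and a rootkit that hooks the Filter Manager enumeration could lie to it; treat the listing as one input to memory-based verification, not as ground truth.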

The ToneShell backdoor itself has also been upgraded in this campaign, with several changes aimed at stealth. It now identifies the host with a 4-byte marker instead of the 16-byte GUID used by older variants. Its command-and-control traffic is wrapped in fake TLS record headers so that it resembles HTTPS on the wire without being TLS. The backdoor supports the usual set of operator-driven commands for full control of the host, including file download and upload and an interactive remote shell.
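The fake-TLS trick is easy to reproduce and to check for. As an added example that is not part of the article or of Kaspersky's report, the Python below wraps a beacon in a generic TLS application-data record header and implements the network heuristic that catches such traffic: application-data records on a stream that never carried a TLS handshake. The record layout used here (type 0x17, version 0x0303, two-byte length), the placement of the 4-byte host ID at the start of the beacon, and the sample bytes are assumptions for illustration; ToneShell's actual wire format is not described on this page.

```python
"""Fake-TLS framing as used by C2 channels that want to pass for HTTPS, and a
stream heuristic that flags it. Added example; not ToneShell's real protocol.

Real TLS on a connection always begins with a handshake record (type 0x16,
the ClientHello). Malware that only prepends application-data headers
(type 0x17) never sends one, which is the observable difference."""
import struct

TLS_HANDSHAKE = 0x16
TLS_APPLICATION_DATA = 0x17
TLS12 = 0x0303
RECORD_HEADER = struct.Struct("!BHH")  # content type, version, body length

# Constructed 4-byte host identifier, standing in for the variant's shortened host ID.
HOST_ID = b"\x13\x37\xc0\xde"


def wrap_fake_tls(payload: bytes) -> bytes:
    """Prefix a payload with a TLS 1.2 application-data record header.
    This is the generic framing, assumed for illustration, not ToneShell's exact layout."""
    if len(payload) > 0xFFFF:
        raise ValueError("record body exceeds 16-bit length field")
    return RECORD_HEADER.pack(TLS_APPLICATION_DATA, TLS12, len(payload)) + payload


def split_records(stream: bytes):
    """Split a byte stream into (content_type, version, body) tuples.
    A trailing truncated record is dropped rather than mis-parsed."""
    records = []
    off = 0
    while off + RECORD_HEADER.size <= len(stream):
        ctype, ver, length = RECORD_HEADER.unpack_from(stream, off)
        body = stream[off + RECORD_HEADER.size: off + RECORD_HEADER.size + length]
        if len(body) < length:
            break  # incomplete record: wait for more bytes
        records.append((ctype, ver, body))
        off += RECORD_HEADER.size + length
    return records


def looks_like_fake_tls(stream: bytes) -> bool:
    """True when application-data records appear before any handshake record."""
    seen_handshake = False
    for ctype, _ver, _body in split_records(stream):
        if ctype == TLS_HANDSHAKE:
            seen_handshake = True
        elif ctype == TLS_APPLICATION_DATA and not seen_handshake:
            return True
    return False


if __name__ == "__main__":
    beacon = wrap_fake_tls(HOST_ID + b"ping")
    print("fake beacon:", beacon.hex(), "flagged:", looks_like_fake_tls(beacon))
    # A minimal handshake-first stream (constructed, not a real ClientHello body).
    legit = RECORD_HEADER.pack(TLS_HANDSHAKE, 0x0301, 4) + b"\x01\x00\x00\x00" + beacon
    print("handshake-first stream flagged:", looks_like_fake_tls(legit))
```

A stream reassembler (Zeek, Suricata, or a custom pcap reader) feeding `looks_like_fake_tls` per direction of each TCP flow is enough to surface this class of beacon; record-size and timing regularity can be layered on top.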

Kaspersky emphasizes that memory forensics is critical for uncovering infections by this kernel-mode injector, since the payloads run injected into user-mode processes and the rootkit's protections can defeat disk-based scans. The firm assesses with high confidence that this activity is the work of the Mustang Panda group and that the actor has significantly evolved its tactics toward greater operational stealth and resilience. A set of indicators of compromise has been published to help organizations detect and defend against these intrusions.

(Source: Bleeping Computer)
