- Mustang Panda Deployed Improved ToneShell Backdoors Against Asian Government Organizations
- The new variant uses a signed minifilter driver, giving it rootkit-like stealth and the ability to tamper with Microsoft Defender
- Kaspersky recommends memory forensics and IoC matching to detect infections on compromised systems
Chinese state-sponsored threat actors, known as Mustang Panda, have been observed targeting government organizations in several Asian countries with an enhanced version of the ToneShell backdoor.
This is according to researchers at cybersecurity firm Kaspersky, who recently analyzed a malicious driver file found on computers belonging to government organizations in Myanmar, Thailand and other countries.
The driver led to the discovery of ToneShell, a backdoor that grants attackers persistent access to compromised devices, through which they can upload and download files, create new documents, and more.
Minifilters and kernel-mode drivers
The new variant came with improvements, Kaspersky added, including the ability to establish a remote shell via a pipe, terminate the shell, cancel uploads, close connections, create temporary files for incoming data, and more.
ToneShell is generally used in cyber-espionage campaigns. Victims’ computers were apparently also infected with other malware, including PlugX and the ToneDisk USB worm. Researchers believe the campaign likely began in February 2025.
But what makes this campaign really stand out is its use of a minifilter driver signed with a stolen or leaked certificate.
“This is the first time we’ve seen ToneShell delivered via a kernel-mode loader, giving it protection against user-mode monitoring and benefiting from the driver’s rootkit capabilities that hide its activity from security tools,” Kaspersky said.
Minifilters are kernel-mode drivers that sit in the Windows file system stack and intercept file system operations in real time. Built on Microsoft’s File System Filter Manager framework, they let software view, block, modify or log file activity before an operation reaches the disk.
In this case, the driver also let the attackers tamper with Microsoft Defender, ensuring that it was not loaded into the I/O stack.
To defend against these attacks, the researchers recommend memory forensics as the primary way to detect ToneShell infections. They also shared a list of indicators of compromise (IoCs) that can be used to determine whether a system has been attacked.
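To make the minifilter and Defender points concrete, the following is an added example of a baseline check a defender might run on a Windows host; it is not code from Kaspersky, BleepingComputer or this article. It assumes fltmc.exe is available (it ships with Windows), that Microsoft Defender’s minifilter is registered under the name WdFilter, and that each filter name matches its kernel service name in Win32_SystemDriver; it should be run from an elevated PowerShell prompt.

```powershell
# Added defensive example (not Kaspersky's or TechRadar's code): enumerate the
# minifilters attached to this host, confirm Defender's filter is present and
# attached, and record the signer and SHA-256 of each filter's driver binary.
# Assumptions (not from the article): fltmc.exe is present, Defender's minifilter
# is registered as 'WdFilter', and each filter name matches its service name in
# Win32_SystemDriver. Run from an elevated prompt.

# Turn the 'fltmc filters' table into objects. Columns are:
# Filter Name, Num Instances, Altitude, Frame; the first two lines are header/rule.
function Get-LoadedMinifilter {
    fltmc filters |
        Select-Object -Skip 2 |
        Where-Object { $_.Trim() -ne '' } |
        ForEach-Object {
            $cols = $_.Trim() -split '\s+', 4
            [pscustomobject]@{
                Name      = $cols[0]
                # Legacy filters may show '<Legacy>' instead of a count
                Instances = if ($cols[1] -match '^\d+$') { [int]$cols[1] } else { $null }
                Altitude  = $cols[2]
                Frame     = $cols[3]
            }
        }
}

# Win32_SystemDriver reports kernel paths such as '\SystemRoot\System32\drivers\x.sys',
# '\??\C:\...\x.sys' or 'system32\DRIVERS\x.sys'; normalise them to Win32 paths.
function Resolve-DriverPath([string]$PathName) {
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$filters = Get-LoadedMinifilter

# Check 1: Defender's filter must be loaded AND attached to at least one volume.
# A filter that is registered but has zero instances is not inspecting any I/O.
$wd = $filters | Where-Object { $_.Name -eq 'WdFilter' }
if (-not $wd) {
    Write-Warning 'WdFilter (Microsoft Defender) is not loaded in the filter stack.'
} elseif ($wd.Instances -eq 0) {
    Write-Warning 'WdFilter is loaded but attached to no volumes.'
}

# Check 2: for every loaded filter, resolve its binary, verify the Authenticode
# signature and compute a SHA-256 for comparison with published IoCs.
$report = foreach ($f in $filters) {
    $svc  = Get-CimInstance Win32_SystemDriver -Filter "Name='$($f.Name)'"
    $path = Resolve-DriverPath $svc.PathName
    $sig  = $null; $hash = $null
    if ($path -and (Test-Path -LiteralPath $path)) {
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }
    [pscustomobject]@{
        Filter    = $f.Name
        Altitude  = $f.Altitude
        Instances = $f.Instances
        Path      = $path
        Status    = if ($sig) { $sig.Status } else { 'binary not resolved' }
        Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        SHA256    = $hash
    }
}

# Sort by altitude (numeric, may carry decimals) so the stack reads top to bottom,
# and flag anything not signed by Microsoft for manual review. Because this campaign
# used a stolen or leaked certificate, a 'Valid' status alone clears nothing; the
# Signer and SHA256 columns are what get compared against a baseline and the IoC list.
$report |
    Sort-Object { if ($_.Altitude -match '^[\d.]+$') { [double]$_.Altitude } else { -1 } } -Descending |
    Format-Table -AutoSize
$report | Where-Object { $_.Signer -notmatch 'Microsoft' } |
    ForEach-Object { Write-Warning "Non-Microsoft minifilter for review: $($_.Filter) ($($_.Path))" }
```

Both fltmc and WMI are user-mode views of kernel state, so a driver with rootkit capabilities can hide from them; that is why the researchers put memory forensics first. The script is therefore a quick triage step: an absent or unattached WdFilter, an unfamiliar filter name, a non-Microsoft signer, or a hash that matches the published IoC list are all reasons to escalate to a memory capture.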
Via BleepingComputer