- Mustang Panda deployed enhanced ToneShell backdoors against Asian government organizations
- New variant uses signed mini-filter driver, enabling rootkit-style stealth and Defender tampering
- Kaspersky advises memory scanning and published IoCs to detect infections on compromised systems
Chinese state-sponsored threat actors, known as Mustang Panda, have been observed targeting government organizations in various Asian countries with an enhanced version of the ToneShell backdoor.
This is according to security vendor Kaspersky, whose researchers recently analyzed a malicious driver found on computers belonging to government organizations in Myanmar, Thailand and elsewhere.
The analysis led to the discovery of a new ToneShell variant, a backdoor that gives attackers persistent access to compromised devices, through which they can upload and download files, create new files, and much more.
Mini-filters and kernel-mode drivers
The new variant adds capabilities, Kaspersky said, including opening a remote shell over the existing command channel, terminating that shell, cancelling downloads, closing connections, and creating temporary files for incoming data.
ToneShell is typically used in cyberespionage campaigns. Victims' computers were apparently also infected with other malware, including PlugX and the ToneDisk USB worm. The campaign likely began in February 2025, the researchers estimate.
But what really sets this campaign apart is the use of a mini-filter driver signed with a stolen or leaked certificate.
“This is the first time ToneShell has shipped via a kernel-mode loader, giving it protection against user-mode surveillance and benefiting from the driver’s rootkit capabilities that hide its activity from security tools,” Kaspersky said.
Mini-filters are kernel-mode drivers that attach to the Windows file system stack through Microsoft's File System Filter Manager (FltMgr) framework and intercept file system operations in real time. Because they see I/O requests before those requests reach the disk, they can inspect, block, modify or log file activity; this is the same mechanism antivirus products, Defender included, rely on to watch the file system.
In the hands of an attacker, that position lets a malicious mini-filter tamper with Microsoft Defender, ensuring that Defender's own filter is not loaded into the I/O stack and therefore never sees the backdoor's file activity.
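A first triage step on a suspect host is to enumerate the mini-filters that are actually attached and see who signed them. The script below is an added example written for this article; it is not Kaspersky's code and not part of the reported malware. It assumes an elevated PowerShell session on Windows 10/11 with fltmc.exe available, that each filter name matches a service key under HKLM\SYSTEM\CurrentControlSet\Services (true for the common cases, but a hypothetical simplification), and it leaves the `$KnownBadSha256` list empty so that you populate it from the published IoCs rather than from anything invented here.

```powershell
# Added triage script (example only; not from the article or from Kaspersky).
# Lists loaded file-system mini-filters, checks that Defender's own filter
# (WdFilter) is attached, and reports the Authenticode signer of each
# filter's driver file. Run elevated on Windows 10/11.

# Assumption: fill this from the vendor's published IoC list. Left empty here.
$KnownBadSha256 = @()

function Get-LoadedMinifilter {
    # 'fltmc filters' prints columns: Filter Name, Num Instances, Altitude, Frame
    $out = & fltmc.exe filters 2>$null
    foreach ($line in $out) {
        if ($line -match '^(\S+)\s+(\d+)\s+(\d+(?:\.\d+)?)\s+(\S+)\s*$') {
            [pscustomobject]@{
                Name      = $Matches[1]
                Instances = [int]$Matches[2]
                Altitude  = [double]$Matches[3]
                Frame     = $Matches[4]
            }
        }
    }
}

function Resolve-DriverPath {
    # Assumption: the filter name equals its service key name (usual, not guaranteed).
    param([string]$FilterName)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$FilterName"
    if (-not (Test-Path $key)) { return $null }
    $image = (Get-ItemProperty -Path $key -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    if (-not $image) {
        # Many inbox filters omit ImagePath; the default location is system32\drivers.
        $image = "system32\drivers\$FilterName.sys"
    }
    $image = $image -replace '^\\\?\?\\', ''                     # strip \??\ prefix
    $image = $image -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($image -notmatch '^[A-Za-z]:\\') { $image = Join-Path $env:SystemRoot $image }
    return $image
}

function Get-MinifilterReport {
    foreach ($f in Get-LoadedMinifilter) {
        $path = Resolve-DriverPath -FilterName $f.Name
        $sig = $null; $hash = $null
        if ($path -and (Test-Path $path)) {
            $sig  = Get-AuthenticodeSignature -FilePath $path
            $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        }
        $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unknown>' }
        $flags = @()
        if (-not $sig -or $sig.Status -ne 'Valid') { $flags += 'signature-not-valid' }
        if ($signer -notmatch 'Microsoft')         { $flags += 'non-microsoft-signer' }
        if ($hash -and ($KnownBadSha256 -contains $hash)) { $flags += 'matches-known-ioc' }
        [pscustomobject]@{
            Filter    = $f.Name
            Altitude  = $f.Altitude
            Instances = $f.Instances
            Driver    = $path
            Signer    = $signer
            SHA256    = $hash
            Flags     = ($flags -join ',')
        }
    }
}

function Test-DefenderFilterAttached {
    # Defender filters the file system through WdFilter; zero instances means
    # it is loaded but attached to no volume, which is as bad as absent.
    $wd = Get-LoadedMinifilter | Where-Object { $_.Name -eq 'WdFilter' }
    return [bool]($wd -and $wd.Instances -gt 0)
}

# --- usage ---
if (-not (Test-DefenderFilterAttached)) {
    Write-Warning 'WdFilter is not loaded or has no attached instances; Defender is not filtering the I/O stack.'
}
Get-MinifilterReport | Sort-Object Altitude -Descending | Format-Table -AutoSize
```

Two caveats when reading the output. A driver signed with a stolen or leaked certificate, as in this campaign, will show a `Valid` signature status, so the signer subject and the hash lookup matter more than validity alone: an unfamiliar non-Microsoft signer on a filter you did not install is the thing to chase. And because this runs in user mode on a host whose kernel may already be hostile, a clean listing is not a clean bill of health; corroborate with memory scanning, which is what the researchers recommend.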
To defend against the new variant, the researchers recommend memory scanning as the primary way to detect ToneShell infections, since the kernel-mode loader hides the backdoor from ordinary user-mode inspection. They also shared a list of indicators of compromise (IoCs) that can be used to determine whether a system has been compromised.
Via BleepingComputer