
Uncovering the Intricate Tactics of Chinese State Hackers: The Use of Rootkit to Conceal ToneShell Malware Operations


A new variant of the ToneShell backdoor, a tool commonly associated with Chinese cyberespionage operations, has been deployed through a kernel-mode loader in targeted attacks against government entities.

The backdoor has been linked to the Mustang Panda group, also tracked as HoneyMyte or Bronze President, which typically targets government agencies, non-governmental organizations (NGOs), think tanks, and other high-profile organizations worldwide.

Security analysts at Kaspersky investigated a malicious driver discovered on computer systems in Asia and found that it has been used in campaigns targeting government entities in Myanmar, Thailand, and other Asian nations since at least February 2025.


Evidence suggests that the compromised organizations had previously encountered older versions of ToneShell, the PlugX malware, or the ToneDisk USB worm, all of which are also associated with Chinese state-sponsored hackers.

New kernel-mode rootkit

According to Kaspersky, the new iteration of the ToneShell backdoor was deployed through a mini-filter driver named ProjectConfiguration.sys, signed with a stolen or leaked certificate issued to Guangzhou Kingteller Technology Co., Ltd. that was valid between 2012 and 2015. An expired certificate from that era is still useful to an attacker: Windows' kernel driver signing policy continues to accept drivers signed with end-entity certificates issued before 29 July 2015 that chain to a cross-signed CA, so a timestamped signature made with such a certificate still loads on current systems.

Mini-filters are kernel-mode drivers that attach to the Windows file-system I/O stack through the Filter Manager, allowing them to monitor, modify, or block file operations. Security software, encryption tools, and backup utilities commonly rely on them.

ProjectConfiguration.sys carries two user-mode shellcodes in its .data section; each is injected into a user-mode process and executed there as a separate thread.

To evade static analysis, the driver does not import the kernel functions it needs. Instead, it resolves them at run time by walking the loaded kernel modules and comparing a hash of each export name against hard-coded hash constants, so the function names never appear in the binary.
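The same technique, turned around for the analyst, is the usual way to deal with a hash-resolving sample: hash every export name of the relevant kernel modules and look the driver's constants up in that table. The PowerShell below is an added example, not code from Kaspersky's report or from the driver. It assumes a ROR13 rolling hash (the report does not name the algorithm; substitute the routine recovered from the disassembly), and both the short export list and the "recovered" constants are constructed for the example.

```powershell
# Added example: hash-based export lookup of the kind used by the driver,
# rebuilt as an analyst tool. ROR13 is an assumption (the report does not
# name the algorithm); the export list and the "recovered" constants below
# are constructed for the example, not taken from the real sample.

function Get-Ror13Hash {
    param([Parameter(Mandatory)][string]$Name)
    $mask = [long][uint32]::MaxValue          # keep arithmetic in 32 bits
    [long]$h = 0
    foreach ($b in [Text.Encoding]::ASCII.GetBytes($Name)) {
        # 32-bit rotate right by 13, then add the next character
        $h = (($h -shr 13) -bor ($h -shl 19)) -band $mask
        $h = ($h + $b) -band $mask
    }
    return $h
}

function Resolve-ApiHash {
    param(
        [Parameter(Mandatory)][long[]]$Hashes,        # constants pulled from the driver
        [Parameter(Mandatory)][string[]]$ExportNames  # candidate kernel export names
    )
    # Precompute hash -> name once; the driver does the reverse at run time,
    # walking the real export tables of the loaded kernel modules.
    $table = @{}
    foreach ($n in $ExportNames) { $table[(Get-Ror13Hash -Name $n)] = $n }
    foreach ($h in $Hashes) {
        $name = if ($table.ContainsKey($h)) { $table[$h] } else { '<unresolved>' }
        [pscustomobject]@{ Hash = ('0x{0:X8}' -f $h); Name = $name }
    }
}

# In practice feed the full export list, e.g. from
#   dumpbin /exports C:\Windows\System32\ntoskrnl.exe
#   dumpbin /exports C:\Windows\System32\drivers\fltMgr.sys
$sampleExports = @(
    'PsLookupProcessByProcessId', 'ObRegisterCallbacks', 'CmRegisterCallbackEx',
    'FltRegisterFilter', 'ZwCreateFile', 'PsCreateSystemThread', 'KeStackAttachProcess'
)

# Constants as they would be copied out of the resolver routine (constructed
# here by hashing two known names; the third is a deliberately unknown value)
$recovered = @(
    (Get-Ror13Hash -Name 'ObRegisterCallbacks'),
    (Get-Ror13Hash -Name 'FltRegisterFilter'),
    0x12345678L
)

Resolve-ApiHash -Hashes $recovered -ExportNames $sampleExports | Format-Table -AutoSize
```

The table approach scales to the full export list of ntoskrnl.exe and fltMgr.sys without changes; if every constant stays unresolved, the hash routine (or a seed or XOR mask applied to it) is wrong, not the list.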


The driver registers as a mini-filter and intercepts the file-system operations that carry deletion and rename requests. When such an operation targets the driver's own file, the driver fails the request, so the file cannot be removed or renamed from user mode.

The driver also shields its service-related registry keys with a registry callback, blocking attempts to create or open them. To ensure it sits above security products in the I/O stack, it registers at a mini-filter altitude above the range reserved for antivirus software (Microsoft's FSFilter Anti-Virus group, altitudes 320000 to 329999), so its callbacks see file operations before the antivirus filter does.

Furthermore, the rootkit disrupts Microsoft Defender by altering the configuration of its WdFilter mini-filter driver so that it no longer loads into the I/O stack.

To shield the injected user-mode payloads, the driver keeps a list of protected process IDs, restricts handle access to those processes while the payloads are running, and lifts the protection once execution completes.
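The self-protection features above leave artifacts that an administrator can check from user mode. The triage script below is an added example (not from Kaspersky's report or the driver) that lists loaded mini-filters with their altitude and signer, flags filters whose service key cannot even be read (the registry-callback behaviour described above), and checks whether WdFilter is loaded and still configured as expected. It assumes the column layout of `fltmc filters`, Microsoft's FSFilter Anti-Virus altitude range (320000 to 329999; WdFilter normally sits at 328010), and an elevated session.

```powershell
# Added triage script (not from Kaspersky's report). Assumptions: the column
# layout of "fltmc filters", Microsoft's FSFilter Anti-Virus altitude range
# (320000-329999, where WdFilter sits at 328010), and that an administrator
# can normally read every loaded filter's service key. Run from an elevated
# PowerShell session.

$avRangeMax = 329999

# 1. Every loaded mini-filter with its altitude (higher = closer to the top
#    of the I/O stack, i.e. it sees a request before lower filters such as AV).
$filters = fltmc.exe filters |
    Select-String -Pattern '^(\S+)\s+(\d*)\s+([\d.]+)\s+(\d+)\s*$' |
    ForEach-Object {
        [pscustomobject]@{
            Name     = $_.Matches[0].Groups[1].Value
            Altitude = [double]$_.Matches[0].Groups[3].Value
        }
    }

$report = foreach ($f in $filters) {
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($f.Name)"
    $row = [ordered]@{
        Filter       = $f.Name
        Altitude     = $f.Altitude
        AboveAvRange = $f.Altitude -gt $avRangeMax
        KeyReadable  = $true    # false = service key blocked (or ImagePath missing)
        Signer       = $null
        SigStatus    = $null
        CertExpired  = $null
    }
    try {
        $img = (Get-ItemProperty -Path $svcKey -Name ImagePath -ErrorAction Stop).ImagePath
        # ImagePath comes as \SystemRoot\..., \??\C:\..., or system32\drivers\x.sys
        $path = $img -replace '^\\SystemRoot', $env:SystemRoot -replace '^\\\?\?\\', ''
        if (-not [IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
        $sig = Get-AuthenticodeSignature -FilePath $path
        $row.SigStatus = $sig.Status    # 'Valid' even for a timestamped, now-expired cert
        if ($sig.SignerCertificate) {
            $row.Signer      = $sig.SignerCertificate.Subject
            $row.CertExpired = $sig.SignerCertificate.NotAfter -lt (Get-Date)
        }
    } catch {
        # A loaded filter whose own service key cannot be opened matches the
        # registry-callback self-protection described in the article.
        $row.KeyReadable = $false
    }
    [pscustomobject]$row
}

# Top of the stack first. Anything above the AV range that is not signed by
# Microsoft, or whose service key cannot be read, deserves a closer look
# (legitimate activity monitors such as Sysmon also live above the AV range).
$report | Sort-Object Altitude -Descending | Format-Table -AutoSize
$report | Where-Object { ($_.AboveAvRange -and $_.Signer -notmatch 'Microsoft') -or -not $_.KeyReadable }

# 2. Microsoft Defender's own mini-filter: loaded, boot-start, normal altitude?
$wdKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\WdFilter'
$wd    = Get-ItemProperty $wdKey -ErrorAction SilentlyContinue
$inst  = Get-ChildItem "$wdKey\Instances" -ErrorAction SilentlyContinue |
    ForEach-Object { (Get-ItemProperty $_.PSPath).Altitude }
[pscustomobject]@{
    WdFilterLoaded   = [bool]($filters | Where-Object Name -eq 'WdFilter')
    WdFilterStart    = $wd.Start        # 0 (boot start) on a healthy system
    WdFilterGroup    = $wd.Group        # 'FSFilter Anti-Virus'
    InstanceAltitude = ($inst -join ',') # 328010 expected
}
```

A filter that is present in the `fltmc` output but whose service key returns access denied to an administrator is the strongest signal here, since nothing legitimate hides its own service key; an expired signing certificate on its own is common on old but benign drivers and only matters in combination with the other findings.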

“This marks the first instance of ToneShell being distributed through a kernel-mode loader, granting it immunity from user-mode monitoring and leveraging the rootkit capabilities of the driver to conceal its operations from security tools,” Kaspersky says.

Figure: Latest Mustang Panda attack overview (source: Kaspersky)

New ToneShell variant

The latest ToneShell variant examined by Kaspersky adds several changes aimed at stealth. The malware now identifies the infected host with a 4-byte host ID marker instead of the 16-byte GUID it used previously, and it obfuscates its network traffic with fake TLS headers so that the command-and-control exchange blends in with ordinary encrypted connections.

The backdoor now supports the following operator commands:

  • 0x1 — Create a temporary file for incoming data
  • 0x2 / 0x3 — Download file
  • 0x4 — Cancel download
  • 0x7 — Establish a remote shell via a pipe
  • 0x8 — Receive operator command
  • 0x9 — Terminate shell
  • 0xA / 0xB — Upload file
  • 0xC — Cancel upload
  • 0xD — Close connection

Kaspersky recommends memory forensics as the primary way to uncover ToneShell infections deployed through the new kernel-mode injector, since the backdoor exists only as shellcode injected into other processes and the driver blocks access to its own on-disk and registry artifacts.

The researchers attribute the new ToneShell backdoor sample to the Mustang Panda cyberespionage group with high confidence, and assess that the threat actor has advanced its tactics, techniques, and procedures (TTPs) to improve operational stealth and resilience.

Kaspersky's report includes a concise list of indicators of compromise (IoCs) to help organizations detect Mustang Panda intrusions and strengthen their defenses.
