Unmasking ToneShell: The New Rootkit from Chinese State Hackers (2026)

Chinese state-sponsored hackers have been using a sophisticated rootkit to conceal the activity of the ToneShell malware in attacks against government organizations. This new variant of the ToneShell backdoor, attributed to the Mustang Panda group, showcases advanced evasion techniques and stealth enhancements.

Security researchers at Kaspersky discovered a malicious driver file, ProjectConfiguration.sys, which has been deployed in campaigns since at least February 2025. The driver, signed with a stolen certificate, acts as a kernel-mode loader for the backdoor: injecting from the kernel keeps the payload out of reach of user-mode monitoring, and the driver's rootkit functionality hides its activity from security tools. Because the certificate was stolen rather than forged, the driver passes signature validation, so a valid signature on a kernel driver should not by itself be treated as evidence of legitimacy.

The ToneShell backdoor now identifies the victim with a 4-byte host ID marker, a significant change from the 16-byte GUID used by earlier versions. It also obfuscates its network traffic by wrapping it in fake TLS record headers so that the C2 channel resembles ordinary HTTPS. The set of supported remote operations has been expanded and includes commands for creating temporary files, downloading and uploading files, establishing remote shells, and more.

Kaspersky emphasizes the importance of memory forensics in detecting ToneShell infections, especially those backed by the new kernel-mode injector: because the driver conceals the backdoor's activity from security tools, on-disk scanning and process-level telemetry may show nothing, while an acquired memory image still contains the injected payload. The researchers attribute the new ToneShell backdoor to the Mustang Panda cyberespionage group, highlighting the group's evolving tactics for operational stealth and resilience.

To help organizations defend against Mustang Panda intrusions, Kaspersky provides a list of indicators of compromise (IoCs) in its report.
