- Mustang Panda deployed upgraded ToneShell backdoors against Asian government organizations
- New variant uses signed minifilter driver that enables rootkit-like stealth and Defender manipulation
- Kaspersky advises memory forensics and IoCs to detect infections in compromised systems
Chinese state-sponsored threat actors known as Mustang Panda have been observed targeting government organizations in various Asian countries with an upgraded version of the ToneShell backdoor.
This is according to cybersecurity researchers at Kaspersky, who recently analyzed a malicious filter driver they found on computers belonging to government organizations in Myanmar, Thailand and other countries.
The driver led to the discovery of ToneShell, a backdoor that gives attackers unrestricted access to compromised devices, through which they can upload and download files, create new documents, and more.
Minifilters and kernel mode drivers
The new variant came with improvements, Kaspersky added, including establishing an external shell via a pipe, terminating the shell, canceling uploads, closing connections, creating temporary files for incoming data, and more.
ToneShell is generally used for cyber espionage campaigns. The victims' computers were also apparently infected with other malware, including PlugX and the ToneDisk USB worm. The campaign probably started in February 2025, researchers speculate.
But what makes this campaign really stand out is the use of a minifilter driver that was signed with either a stolen or leaked certificate.
“This is the first time we’ve seen ToneShell delivered through a kernel mode loader that provides it with protection against user mode monitoring and takes advantage of the driver’s rootkit features that hide its activity from security tools,” Kaspersky said.
Minifilters are kernel mode drivers that sit inside the Windows file system stack and intercept file system operations in real time. They let software see, block, modify, or log file activity before it reaches disk, and are part of Microsoft’s File System Filter Manager framework.
Among other things, the driver let the attackers tamper with Microsoft Defender and ensured that it was not loaded into the I/O stack.
To defend against the new attacks, the researchers advise memory forensics as the best way to detect ToneShell infections. They also shared a list of indicators of compromise (IoCs) that can be used to determine whether a system was attacked.
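A quick host-side triage that follows from the two points above (a minifilter signed with a non-Microsoft certificate, and Defender's own filter kept out of the I/O stack) is to list the minifilters currently attached to Filter Manager, confirm that Defender's WdFilter is among them, and report who signed each loaded filter driver. The script below is an added example written for this article; it is not code from TechRadar, Bleeping Computer or Kaspersky. It assumes Windows 10/11, an elevated PowerShell session (fltmc.exe needs administrator rights), and that the filter name printed by fltmc matches the driver's service name, which is the usual case. It complements, and does not replace, the memory forensics and IoC matching the researchers recommend.

```powershell
# Added example, not code from the article or from Kaspersky.
# Lists attached minifilters, checks that WdFilter is present, and reports the
# Authenticode signer of every loaded filter driver so that a filter signed by
# anything other than Microsoft stands out for follow-up.
# Assumptions: Windows 10/11, elevated PowerShell, fltmc filter name == service name.

function Get-LoadedMinifilter {
    # 'fltmc filters' prints a header line and a dashed separator, then one row
    # per filter: <Filter Name> <Num Instances> <Altitude> <Frame>
    foreach ($line in (fltmc.exe filters 2>&1 | Select-Object -Skip 2)) {
        if ($line -match '^\s*(\S+)\s+(\d+)\s+(\S+)\s+(\d+)') {
            [pscustomobject]@{
                Name      = $Matches[1]
                Instances = [int]$Matches[2]
                Altitude  = $Matches[3]
            }
        }
    }
}

function Resolve-DriverPath([string]$PathName) {
    # Win32_SystemDriver.PathName may be a plain path, '\??\C:\...' or '\SystemRoot\...'.
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    [Environment]::ExpandEnvironmentVariables($p)
}

function Get-MinifilterTriage {
    $filters = Get-LoadedMinifilter
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver

    # Check 1: Defender's minifilter must be attached to at least one volume.
    $wd = $filters | Where-Object Name -eq 'WdFilter'
    if (-not $wd -or $wd.Instances -eq 0) {
        Write-Warning 'WdFilter (Microsoft Defender minifilter) is not attached to any volume.'
    }

    # Check 2: who signed each loaded filter driver?
    foreach ($f in $filters) {
        $drv = $drivers | Where-Object Name -eq $f.Name | Select-Object -First 1
        if (-not $drv -or -not $drv.PathName) {
            [pscustomobject]@{
                Filter = $f.Name; Altitude = $f.Altitude; Path = $null
                Status = 'Unknown'; Signer = 'no driver service found'; Flag = $true
            }
            continue
        }
        $path = Resolve-DriverPath $drv.PathName
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        # A stolen or leaked certificate still yields Status 'Valid', so flag on the
        # signer identity as well as on signature validity.
        $flag = ($sig.Status -ne 'Valid') -or ($signer -notmatch 'O=Microsoft Corporation')
        [pscustomobject]@{
            Filter = $f.Name; Altitude = $f.Altitude; Path = $path
            Status = $sig.Status; Signer = $signer; Flag = $flag
        }
    }
}

# Flagged entries sort to the top; review those first.
Get-MinifilterTriage | Sort-Object Flag -Descending | Format-Table -AutoSize
```

Legitimate third-party security products also install minifilters signed by their own vendors, so a flagged row is a prompt to verify the publisher and the driver's provenance, not a verdict. The output is most useful when compared against a known-good baseline from an identical build, and when cross-checked with the published IoCs and a memory image, since a rootkit-capable driver can hide its artefacts from user-mode enumeration.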
Via Bleeping Computer