{"id":479684,"date":"2025-12-30T09:04:14","date_gmt":"2025-12-30T09:04:14","guid":{"rendered":"https:\/\/www.europesays.com\/us\/479684\/"},"modified":"2025-12-30T09:04:14","modified_gmt":"2025-12-30T09:04:14","slug":"chinese-state-hackers-use-rootkit-to-hide-toneshell-malware-activity","status":"publish","type":"post","link":"https:\/\/www.europesays.com\/us\/479684\/","title":{"rendered":"Chinese state hackers use rootkit to hide ToneShell malware activity"},"content":{"rendered":"

\"Chinese<\/p>\n

A new sample of the ToneShell backdoor, typically seen in Chinese cyberespionage campaigns, has been delivered through a kernel-mode loader in attacks against government organizations.<\/p>\n

The backdoor has been attributed to the Mustang Panda group<\/a>, also known as\u00a0HoneyMyte or Bronze President, that usually targets\u00a0government agencies<\/a>, NGOs, think tanks, and other high-profile organizations\u00a0worldwide<\/a>.<\/p>\n

Security researchers at Kaspersky analyzed a malicious file driver found on computer systems in Asia and discovered that it has been used in campaigns since at least February 2025 against government organizations in\u00a0Myanmar, Thailand, and other Asian countries.<\/p>\n

\"Wiz\"<\/a><\/p>\n

Evidence showed that\u00a0the compromised entities had prior infections with older ToneShell variants, PlugX malware, or the ToneDisk USB worm, also attributed to state-sponsored Chinese hackers.<\/p>\n

New kernel-mode rootkit<\/p>\n

According to Kaspersky, the new ToneShell backdoor was deployed by a mini-filter driver named ProjectConfiguration.sys and signed\u00a0with a stolen or leaked certificate valid between 2012 and 2015 and issued to Guangzhou Kingteller Technology Co., Ltd.<\/p>\n

Mini-filters are kernel-mode drivers that plug into the Windows file-system I\/O stack and can inspect, modify, or block file operations. Security software, encryption tools, and backup utilities\u00a0typically use<\/a>\u00a0them.<\/p>\n

ProjectConfiguration.sys embeds two user-mode shellcodes in its .data section, each executed as a separate user-mode thread to be injected into user-mode processes.<\/p>\n

To evade static analysis, the driver resolves required kernel APIs at runtime by enumerating loaded kernel modules and matching function hashes, rather than importing functions directly.<\/p>\n

It registers as a mini-filter driver and intercepts file-system operations related to deletion and renaming. When such operations target the driver itself, they are blocked by forcing the request to fail.<\/p>\n

The driver also protects its service-related registry keys by registering a registry callback and denying attempts to create or open them. To ensure priority over security products, it selects a mini-filter altitude above the antivirus-reserved range.<\/p>\n

Additionally, the rootkit interferes with Microsoft Defender by modifying the configuration of the WdFilter driver so it is not loaded into the I\/O stack.<\/p>\n

To shield injected user-mode payloads, the driver maintains a list of protected process IDs, denies handle access to those processes while the payloads are executing, and removes protection once execution completes.<\/p>\n

“This is the first time we\u2019ve seen ToneShell delivered through a kernel-mode loader, giving it protection from user-mode monitoring and benefiting from the rootkit capabilities of the driver that hides its activity from security tools,”\u00a0says Kaspersky<\/a>.<\/p>\n

\"AttackLatest Mustang Panda attack overview<\/strong>
Source: Kaspersky<\/p>\n

\u00a0<\/p>\n

New ToneShell variant<\/p>\n

The new variant of the ToneShell backdoor that Kaspersky analyzed features changes and stealth enhancements.\u00a0The malware now uses a new host identification scheme based on a 4-byte host ID market instead of the 16-byte GUID used previously, and also applies network traffic obfuscation with fake TLS headers.<\/p>\n

In terms of the supported remote operations, the backdoor now supports the following commands:<\/p>\n