Mustang Panda, a China-linked cyber espionage group, has been caught using a new and more advanced attack technique. Security researchers found that the group is now deploying a signed kernel-mode rootkit to install a malware backdoor called ToneShell. This approach allows the attackers to hide deep inside Windows systems. As a result, the malware becomes very difficult to detect or remove.

Mustang Panda has been active for many years and is known for targeting government and public-sector organizations. The group mainly focuses on countries in Southeast and East Asia. Its operations are long-term and aimed at spying rather than quick financial gain. Myanmar and Thailand were among the countries targeted in this recent campaign.

In this attack, the hackers used a kernel-mode driver, which runs at the highest privilege level in Windows. What makes this driver dangerous is that it was digitally signed, meaning Windows treats it as trusted software. The certificate used to sign the driver is believed to be stolen or leaked. Because of this, the operating system allows the driver to load without warnings.

Once loaded, the malicious driver works as a file system minifilter, a type of driver that sits in the Windows I/O path and sees every file operation before it reaches the file system. From that position it can monitor and block file operations. This allows the rootkit to protect its own files and stop security tools from deleting or inspecting them. It also interferes with built-in security features, reducing their visibility.

After securing its position in the system, the rootkit injects the ToneShell backdoor into legitimate Windows processes. ToneShell gives attackers remote access to the infected machine. They can execute commands, transfer files, and control the system from a distance. This makes it a powerful tool for long-term surveillance.

ToneShell itself is not new and has been used by Mustang Panda in earlier attacks. However, delivering it through a kernel-mode rootkit is a major upgrade. Malware running at the kernel level has much more control than user-level malware. It can hide activity, bypass defenses, and survive system restarts more easily.

Researchers also observed that the rootkit protects important registry keys and configuration settings. Any attempt to modify or remove these entries is blocked by the driver. This defensive behavior helps the malware stay persistent on the system. Even advanced security tools may fail to fully clean the infection.

Experts warn that this campaign shows how advanced threat groups are continuing to improve their techniques. Using signed drivers and kernel-level malware raises the difficulty for defenders. Organizations, especially government bodies, are advised to closely monitor driver installations and system behavior. Strong endpoint monitoring and deep system analysis are now more important than ever.
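One concrete way to act on that advice is to audit which file system minifilters are loaded, who signed each driver binary, and which kernel-mode driver services were installed recently. The script below is an added example written for this article, not code from the researchers or the threat report; it assumes an elevated PowerShell 5.1 or later session on Windows, and the "Review" verdict is a triage heuristic of my own, not an indicator from the campaign.

```powershell
#Requires -RunAsAdministrator
# Added defender audit (not from the article): list loaded file system minifilters,
# resolve each to its driver binary, check its Authenticode signature, and review
# recent kernel-driver service installs recorded in the System event log.

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver reports paths in several shapes; normalise to a real file path.
    $p = $PathName.Trim('"') -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-MinifilterReport {
    # fltmc prints two header lines, then one filter per line; the first token is the name.
    $names   = fltmc.exe filters | Select-Object -Skip 2 | ForEach-Object { ($_ -split '\s+')[0] } | Where-Object { $_ }
    $drivers = Get-CimInstance Win32_SystemDriver
    foreach ($n in $names) {
        $d    = $drivers | Where-Object { $_.Name -eq $n } | Select-Object -First 1
        $path = if ($d) { Resolve-DriverPath $d.PathName } else { $null }
        $sig  = if ($path -and (Test-Path $path)) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        $subj = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [pscustomobject]@{
            Filter    = $n
            Path      = $path
            SigStatus = if ($sig) { $sig.Status } else { 'Unknown' }
            Signer    = $subj
            # Heuristic (my assumption, not from the report): a valid non-Microsoft signature is
            # normal for third-party AV or backup filters, so 'Review' means "a human should look".
            Verdict   = if (-not $sig -or $sig.Status -ne 'Valid' -or $subj -notmatch 'Microsoft') { 'Review' } else { 'OK' }
        }
    }
}

function Get-RecentKernelDriverInstalls {
    param([int]$Days = 7)
    # System event 7045 records every newly installed service; keep only kernel-mode drivers.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'kernel mode driver' } |
        Select-Object TimeCreated, @{ n = 'Details'; e = { ($_.Message -split "`r?`n" | Select-String 'Service (Name|File Name):') -join ' ; ' } }
}

Get-MinifilterReport | Sort-Object Verdict -Descending | Format-Table -AutoSize
Get-RecentKernelDriverInstalls | Format-Table -AutoSize -Wrap
```

A filter flagged "Review" with a valid signature from an unfamiliar publisher, combined with a 7045 event for a driver nobody deployed, is the pattern worth escalating; a leaked certificate still produces a "Valid" status, so the signer's identity matters more than the status column.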

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news