CVEDNA

Mustang Panda Uses Signed Kernel-Mode Rootkit to Deploy TONESHELL Backdoor

The China-linked threat group Mustang Panda has used a previously undocumented, signed kernel-mode rootkit driver to deploy a new variant of its TONESHELL backdoor in an attack detected in mid-2025. The activity was observed by Kaspersky, which found the TONESHELL variant in an espionage campaign against an unnamed entity in Asia.

Background on Mustang Panda

Mustang Panda is a well-known Chinese state-sponsored threat group that has been active since 2014. It is tracked as an advanced persistent threat (APT) and is known for long-running espionage and data theft campaigns.

Techniques Used by Mustang Panda

The Impact of This Attack

This attack highlights the continued threat posed by state-sponsored actors using advanced techniques to evade detection. A driver with a valid code signature passes Windows driver-signature enforcement and loads into the kernel, where a rootkit can hide the backdoor's processes, files and network connections from user-mode security tools. A cleanup that only inspects user mode can therefore miss the rootkit, and the backdoor returns once the driver reloads.
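Because the driver in this campaign is signed, a check that only asks "is this driver signed?" is not enough; the useful question is "who signed it, and do I expect that publisher in my kernel?". The following PowerShell script is an added example written for this page, not code from the article or from Kaspersky's report, and it does not detect this specific rootkit. It enumerates the loaded kernel-mode drivers on a Windows host, reads each one's Authenticode signature, and flags drivers that are either not validly signed or signed by a publisher outside an assumed allow-list ($TrustedSigners is an illustrative placeholder you should replace with the publishers present in your own baseline).

```powershell
# Added example (not from the original article): triage loaded kernel-mode drivers
# by signature status AND signer identity, because a rootkit driver with a valid
# signature will not be caught by a "signed / not signed" check alone.
# Run in an elevated PowerShell session on the host being inspected.

# Assumed allow-list: publisher names you expect to see on kernel drivers in your
# environment. Extend it from a known-good baseline before relying on the output.
$TrustedSigners = @(
    'Microsoft Windows',
    'Microsoft Windows Hardware Compatibility Publisher'
)

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver reports paths in several forms: "\??\C:\...",
    # "\SystemRoot\System32\drivers\x.sys" or a plain "C:\...". Normalise them.
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^System32\\', "$env:SystemRoot\System32\"
    return $p
}

function Get-LoadedDriverSignatureReport {
    param([string[]]$AllowedSigners = $TrustedSigners)

    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName }

    foreach ($d in $drivers) {
        $path = Resolve-DriverPath -PathName $d.PathName
        if (-not (Test-Path -LiteralPath $path)) {
            # Running driver whose backing file is not on disk is itself worth a look.
            [pscustomobject]@{
                Name = $d.Name; Path = $d.PathName; Status = 'FileMissing'
                Signer = ''; Suspicious = $true
            }
            continue
        }

        $sig    = Get-AuthenticodeSignature -LiteralPath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        # A signer is "known" only if its subject contains one of the allowed names.
        $knownSigner = [bool]($AllowedSigners | Where-Object { $signer -like "*$_*" })

        [pscustomobject]@{
            Name       = $d.Name
            Path       = $path
            Status     = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Signer     = $signer
            # Flag: signature not valid, OR valid but from an unexpected publisher.
            Suspicious = ($sig.Status -ne 'Valid') -or (-not $knownSigner)
        }
    }
}

# Show flagged drivers first; review Signer for anything you did not deploy.
Get-LoadedDriverSignatureReport |
    Sort-Object Suspicious, Name -Descending |
    Format-Table Name, Status, Signer, Path -AutoSize
```

Two caveats when reading the output. First, many in-box Microsoft drivers are catalog-signed rather than carrying an embedded signature; Get-AuthenticodeSignature resolves catalog signatures on current Windows 10/11 builds, but on older systems they can show as NotSigned, so verify a "suspicious" Microsoft driver against the catalog before escalating. Second, a rootkit that hooks the APIs the script relies on can hide its own driver from this enumeration, so a clean result here does not prove the host is clean; cross-check from a trusted boot environment or a kernel-level tool when a compromise is suspected.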

Threat Analysis

The criticality score reflects the high level of sophistication in both the rootkit and backdoor used, making it a significant threat to the targeted entities.

Prevention and Mitigation

Conclusion

The discovery of Mustang Panda's use of a signed kernel-mode rootkit for TONESHELL underscores the evolving threat landscape in cybersecurity. Continued vigilance and proactive measures are essential to protect against sophisticated attacks like these.