Mustang Panda ToneShell Kernel Rootkit: Signed Driver Elevates Windows Espionage

Chinese state‑linked operators have quietly upgraded the ToneShell backdoor with kernel‑level stealth, delivering it through a signed Windows mini‑filter driver that can blind endpoint defenses and entrench espionage footholds inside government networks across Asia.

Background​

Researchers observed a campaign, active in mid‑2025, in which the threat cluster tracked as Mustang Panda (also known as HoneyMyte, Hive0154 and Bronze President in vendor taxonomy) used a kernel‑mode mini‑filter driver to load a new ToneShell variant on victim machines. The loader, reported to install as a file system mini‑filter, contains embedded user‑mode shellcode and protects both the kernel module and any injected user‑mode processes from inspection and removal. This technique elevates ToneShell from a user‑mode remote access trojan (RAT) to a stealthy, rootkit‑style implant that can manipulate the I/O stack and interfere with Microsoft Defender’s ability to inspect or block malicious activity. Kaspersky’s analysis identified the driver under the filename ProjectConfiguration.sys and found it signed by a digital certificate issued to a Chinese company; researchers concluded the certificate was likely stolen or leaked because multiple unrelated malicious artifacts have been signed with the same credential. IBM X‑Force and other industry observers independently corroborated the presence of advanced ToneShell variants, and several security outlets confirmed the use of kernel loaders as the distinguishing evolution in the campaign.

Overview: what changed in ToneShell campaigns​

From user‑mode RAT to kernel‑assisted persistence​

ToneShell historically operated in user space, providing remote shell access, file transfer, and basic reconnaissance for long‑term espionage operations. The key changes observed in this campaign are:
  • Deployment via a kernel‑mode mini‑filter driver that registers in the Windows File System Filter Manager stack.
  • The driver is digitally signed with an apparently compromised certificate, so it satisfies the kernel’s driver‑signature requirement and loads without tripping the unsigned‑driver block (the signature is cryptographically valid; it is the signer that is untrustworthy).
  • The loader contains embedded user‑mode shellcode which spawns and injects the ToneShell backdoor into higher‑privilege processes, while the driver itself implements protection and concealment for both kernel and user artifacts.
  • The mini‑filter can intercept and tamper with file system operations, including preventing deletion or renaming of artifacts, and it alters the altitude at which Defender’s filter registers so that Defender is displaced from its expected position in the I/O stack.
These changes shift the detection and response model: standard EDR agents that operate in user space become far less effective when a kernel‑mode component deliberately obstructs their view and access.

Why a mini‑filter matters​

Mini‑filters live in the file system I/O path and can intercept operations such as create, read, write, and delete. By positioning malicious code at this level, an attacker can:
  • Hide files or activity from user‑mode scanners before they reach disk,
  • Block forensic or AV attempts to delete or quarantine artifacts,
  • Interfere with security products’ ability to enumerate handles or open process memory,
  • Tamper with the altitude Microsoft Defender’s filter registers at, so that Defender no longer occupies its expected position relative to the malicious filter (altitude determines stack order: a higher‑altitude filter sees an I/O request earlier on the way down and later on the way back up).
The result is rootkit‑like stealth without the need for exotic kernel exploits—abuse of legitimate File System Filter Manager APIs combined with a signed driver is sufficient to achieve durable concealment on many systems.

The technical anatomy: what the researchers found​

Components and behavior​

Kaspersky’s write‑up describes a multi‑stage deployment:
  1. Signed kernel driver (ProjectConfiguration.sys) registered as a mini‑filter. The driver contains two distinct user‑mode shellcodes embedded in its data section and resolves required kernel APIs dynamically at runtime.
  2. The driver spawns threads that execute the shellcodes, which in turn create user‑mode payloads (ToneShell) injected into legitimate processes (for example, service host processes) so the backdoor runs under trusted process names.
  3. The driver implements self‑protection routines: blocking AV‑driven file operations, intercepting attempts to modify the driver or its registry keys, and tampering with Defender’s registered altitude so the two filters no longer sit in the order Defender expects in the I/O stack.
  4. ToneShell provides a remote shell over named pipes or network channels, file upload/download, command execution, and the ability to create temporary files for incoming data and manage C2 communications.

Signed but not legitimate​

The signing certificate Kaspersky identified was issued to Guangzhou Kingteller Technology Co., Ltd., with a validity window indicating that it has since expired and a usage pattern suggesting it is compromised. Multiple unrelated malicious files using the same certificate were found during telemetry analysis, which supports the hypothesis that the signing key was leaked or stolen and subsequently abused by multiple actors. Note that expiry alone does not stop a driver from loading: kernel‑mode code‑signing checks do not reject a signature solely because the signer certificate has since lapsed, which is why a leaked certificate stays useful to attackers long after it expires. A signed driver therefore reduces immediate suspicion, and an odd or expired signer on a kernel driver is a red flag for defenders performing driver inventory checks rather than something the platform will catch on its own.

Associated tooling and campaign pattern​

Victim systems weren’t limited to ToneShell; researchers found additional artifacts consistent with preceding or parallel infections:
  • PlugX Remote Access Trojan (historically associated with this cluster),
  • ToneDisk / SnakeDisk USB‑worm‑family artifacts used for removable media propagation,
  • Other loaders and persistence mechanisms indicating the actor uses layered tooling to maintain access.
Telemetry and domain registration analysis suggest some C2 domains were registered in late 2024 and that intrusive activity escalated in early 2025, with infections across Myanmar, Thailand and neighboring countries among the most affected. These geographic and toolset patterns align with previous Mustang Panda activity.

Attribution and motives​

Multiple vendors and intelligence teams consistently map ToneShell deployments to the Mustang Panda cluster, a long‑running espionage actor that targets government, diplomatic, and research organizations. Mustang Panda’s TTPs—spear‑phishing, living‑off‑the‑land execution, and reuse of PlugX/ToneDisk families—match the artifacts observed in the driver‑based campaign. The use of specialized implants such as ToneShell strongly suggests targeted cyber‑espionage objectives (data theft, prolonged surveillance, and access persistence) rather than opportunistic financially motivated crime. Caveat: while multiple industry sources and telemetry overlap on tooling and victimology, nation‑state attribution is inherently probabilistic and should be treated as an operational assessment rather than incontrovertible proof. Where the analysis relies on tool overlap and targeting choices rather than explicit operator signatures, label the assessment as high‑confidence but not absolute.

Detection: why memory forensics is central​

Kaspersky and other analysts emphasize memory forensics as the highest‑value detection method for these infections. The kernel loader’s protective measures can hide on‑disk indicators, tamper with Defender’s I/O stack position, and prevent straightforward AV deletion. Memory analysis bypasses some of these obstacles because it can reveal injected payloads, active network connections, in‑memory strings and open handles that the kernel driver attempts to conceal.
Key detection steps and priorities for incident responders:
  • Conduct volatile memory captures from suspected hosts and analyze with tools that support Windows kernel structures and process memory carving.
  • Look for injected modules in legitimate processes (svchost, explorer, etc.), suspicious named pipes, and unusual reverse shells or C2 beaconing in memory.
  • Enumerate minifilter registrations and filter altitudes to identify non‑standard or unexpected filters, then correlate to driver signing metadata and certificate serials.
  • Inspect kernel call stacks for unusual callbacks in FS‑related IRP handling and analyze driver exports for shellcode loaders embedded in data sections.
  • Query system event logs and Defender logs for unusual filter installation or altitude changes, and cross‑check driver signature metadata against known‑bad serial numbers.
Practical note: many standard EDR consoles will show limited telemetry when a kernel filter actively blocks handles and access. Where possible, collect forensic images (memory + disk) using trusted, offline capture tools and move analysis to an isolated forensic workstation.
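The mini‑filter enumeration step above and the driver‑inventory validation in the mitigations section both come down to the same check, so here is one script for both. It is an added example written for this article, not tooling from Kaspersky or any vendor. It reads the mini‑filter registrations from the Services registry hive (a mini‑filter’s service key carries an Instances subkey with an Altitude value), compares that list against what Filter Manager reports as loaded via fltmc, and flags signature anomalies. The only campaign‑specific values are the filename and signer substring taken from the report; the flag names and the CSV output path are this example’s own choices.

```powershell
# Added example (editor's, not from the Kaspersky report). Run from an elevated
# PowerShell prompt; fltmc needs administrator rights.
$badFileNames    = @('ProjectConfiguration.sys')   # filename named in the report; extend from your IoC feed
$badSignerSubstr = 'Guangzhou Kingteller'          # signer subject fragment named in the report

function Resolve-DriverPath {
    # ImagePath comes in several forms: \??\C:\..., \SystemRoot\..., or system32\drivers\x.sys
    param([string]$ImagePath)
    if (-not $ImagePath) { return $null }
    $p = $ImagePath -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\?SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# Filter Manager's own view of what is attached right now (kernel state, not registry state).
$loaded = @{}
foreach ($line in (fltmc filters 2>$null)) {
    if ($line -match '^(\S+)\s+\d+\s+(\d+(?:\.\d+)?)\s+\S+\s*$') { $loaded[$matches[1]] = $matches[2] }
}

$rows = @(foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
    $instKey = Join-Path $svc.PSPath 'Instances'
    if (-not (Test-Path $instKey)) { continue }          # only mini-filters register an Instances key
    $props = Get-ItemProperty $svc.PSPath
    $alts  = Get-ChildItem $instKey | ForEach-Object { (Get-ItemProperty $_.PSPath).Altitude } | Where-Object { $_ }
    $path  = Resolve-DriverPath $props.ImagePath
    $sig   = if ($path -and (Test-Path $path)) { Get-AuthenticodeSignature -FilePath $path } else { $null }
    $cert  = if ($sig) { $sig.SignerCertificate } else { $null }

    $flags = New-Object System.Collections.Generic.List[string]
    if (-not $sig)                    { $flags.Add('FILE_MISSING') }
    elseif ($sig.Status -ne 'Valid')  { $flags.Add("SIG_$($sig.Status)") }
    if ($cert -and $cert.NotAfter -lt (Get-Date))                       { $flags.Add('CERT_EXPIRED') }
    if ($cert -and $cert.Subject -like "*$badSignerSubstr*")            { $flags.Add('KNOWN_BAD_SIGNER') }
    if ($path -and ($badFileNames -contains (Split-Path $path -Leaf)))  { $flags.Add('KNOWN_BAD_NAME') }
    if ($sig -and -not $sig.IsOSBinary) { $flags.Add('THIRD_PARTY') }   # inbox drivers are expected; the rest get a second look
    if (-not $loaded.ContainsKey($svc.PSChildName)) { $flags.Add('NOT_LOADED') }
    $loaded.Remove($svc.PSChildName)

    [pscustomobject]@{
        Service  = $svc.PSChildName
        Group    = $props.Group
        Altitude = ($alts -join ',')
        Path     = $path
        Signer   = if ($cert) { $cert.Subject } else { '' }
        NotAfter = if ($cert) { $cert.NotAfter } else { $null }
        Flags    = ($flags -join ' ')
    }
})

# Anything Filter Manager has attached that has no service registration is the case to chase first.
foreach ($name in @($loaded.Keys)) {
    $rows += [pscustomobject]@{ Service = $name; Group = ''; Altitude = $loaded[$name]; Path = ''
                                Signer = ''; NotAfter = $null; Flags = 'LOADED_WITHOUT_SERVICE_KEY' }
}

$rows | Sort-Object { $a = ($_.Altitude -split ',')[0]; if ($a) { [double]$a } else { 0 } } | Format-Table -AutoSize
$rows | Where-Object { $_.Flags } | Export-Csv -Path .\minifilter_review.csv -NoTypeInformation
```

Read the output with the article’s caveat in mind: a driver that actively conceals itself may not appear in either list on a live host, so an empty review file is not a clean bill of health, and the altitude column is worth eyeballing for a third‑party filter sitting next to WdFilter where nothing you deployed should be. Filter names normally match the service key name, which is what the cross‑check relies on; run the same script against a mounted offline image of the SYSTEM hive when the live host cannot be trusted.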

Indicators of compromise (IoCs) and hunting pointers​

Researchers published a set of IoCs for this campaign. While defenders should treat IoCs as a starting point rather than the full detection solution, the following classes of indicators are immediately useful:
  • Filenames and driver artifacts: e.g., ProjectConfiguration.sys and any similarly named mini‑filter drivers observed in ProgramData or System32\drivers that are not consistent with known vendor drivers.
  • Certificate serial numbers and signer metadata matching the Guangzhou Kingteller certificate identified by researchers.
  • Network indicators: C2 domains and IPs registered in September 2024 and used for ToneShell beacons (perform offline verification before blocking; domains can be reused).
  • Related malware families on disk or memory: PlugX binaries, ToneDisk USB worm artifacts, and other legacy Mustang Panda payloads.
  • Behavioral signatures: presence of unusual filter altitudes, inability to delete drivers or associated keys, and unexpected named pipes or reverse shells keyed to injected processes.
Caution: IoCs age quickly. Emphasize behavior‑based detection and memory hunting (strings, network sockets in memory, injected threads) over blind reliance on static hashes.

Practical mitigations for Windows administrators​

Immediate steps to harden environments and respond if you suspect compromise:
  1. Isolate suspected hosts: Remove network connectivity, preserve volatile memory (capture RAM), and perform disk imaging for offline analysis.
  2. Perform memory forensics: Use trusted capture and analysis tooling to detect injected ToneShell modules and kernel hooks.
  3. Validate driver inventory: Enumerate installed mini‑filters and driver certificate metadata across endpoints; flag any unexpected signed drivers for investigation.
  4. Harden driver loading: Enable Secure Boot and hypervisor‑protected code integrity (HVCI) where the hardware supports them, restrict local admin rights to limit driver installation capability, and deploy a code integrity policy (WDAC) that only allows explicitly trusted driver signers.
  5. Patch and restrict attack surface: Apply least‑privilege, patch remote management services, and control removable media execution policies to reduce USB worm propagation risk.
  6. Network egress controls: Use egress filtering to limit unauthorized outbound connections and monitor for anomalous HTTPS/TLS connections that mimic legitimate traffic patterns.
  7. Threat hunting cadence: Schedule periodic memory hunts and cross‑check for legacy Mustang Panda TTPs (PlugX indicators, odd LNK behavior, or signed artifacts) in telemetry.
Longer‑term, consider adopting an architecture where sensitive workloads have stricter kernel‑mode driver policies: block unsigned drivers, require EV code signing and hardware‑backed secure boot enforcement for managed fleets, and deploy endpoint isolation capabilities that can forcibly snapshot memory before kernel hooks block access.
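As an added illustration of the driver‑policy hardening described above (this is the editor’s example, not guidance from Kaspersky or Microsoft), the following builds a Windows Defender Application Control policy that allows only the driver publishers found on a known‑good reference host, adds an explicit kernel‑mode deny rule for the certificate extracted from a quarantined sample, and requires EV‑signed kernel drivers. The sample, policy and certificate paths are assumptions; the -Deny switch on Add-SignerRule exists on recent Windows 10 and Windows 11 builds, so confirm it with Get-Help on the target before relying on it.

```powershell
# Added example (editor's). Build the policy in audit mode first; enforcement comes after review.
$referenceDrivers = 'C:\Windows\System32\drivers'             # scan path on a clean, representative build (assumption)
$badSample        = 'C:\IR\samples\ProjectConfiguration.sys'  # quarantined driver from the incident (assumed path)
$policyXml        = 'C:\IR\DriverPolicy.xml'
$denyCer          = 'C:\IR\leaked-signer.cer'
$policyBin        = 'C:\IR\SIPolicy.p7b'

# 1. Pull the signer certificate out of the quarantined driver so the deny rule is keyed to the
#    leaked certificate itself, not to a file hash that a recompiled sample would sidestep.
$sig = Get-AuthenticodeSignature -FilePath $badSample
if (-not $sig.SignerCertificate) { throw "no Authenticode signer found on $badSample" }
$der = $sig.SignerCertificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($denyCer, $der)
"Deny target: $($sig.SignerCertificate.Subject) (expires $($sig.SignerCertificate.NotAfter))"

# 2. Allow rules at Publisher level from the reference host; unsigned files fall back to hash rules.
New-CIPolicy -FilePath $policyXml -ScanPath $referenceDrivers -Level Publisher -Fallback Hash

# 3. Kernel-mode deny rule for the leaked signer. In WDAC a deny rule always wins over an allow rule,
#    so this holds even if the same publisher is somehow allowed elsewhere in the policy.
Add-SignerRule -FilePath $policyXml -CertificatePath $denyCer -Kernel -Deny

# 4. Rule options: 3 = Enabled:Audit Mode (log would-be blocks, do not enforce) for the pilot;
#    8 = Required:EV Signers, which refuses kernel drivers that are not EV-signed.
Set-RuleOption -FilePath $policyXml -Option 3
Set-RuleOption -FilePath $policyXml -Option 8

# 5. Compile to the binary form that Code Integrity consumes; deploy through Intune/GPO after review.
ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryFilePath $policyBin
```

While the policy is in audit mode, watch the Microsoft‑Windows‑CodeIntegrity/Operational log: event 3076 records what would have been blocked, and 3077 records actual blocks once you remove option 3 and enforce. Expect the first audit pass on a real fleet to surface legitimate third‑party drivers the reference scan missed; add those by publisher before enforcing, and never by hash alone.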

Incident response playbook (concise)​

  • Triage: Identify affected subnets and system roles (domain controllers, file servers, diplomatic endpoints).
  • Contain: Segregate compromised hosts and rotate credentials for potentially exposed accounts.
  • Preserve: Capture RAM, kernel memory artifacts, and driver binaries for analysis.
  • Remediate: Full reimaging is the safest clean‑up when kernel‑mode loaders are present—rootkit components are notoriously difficult to remove reliably.
  • Recover: Restore from known‑good backups, ensure vulnerable vectors are closed, and perform post‑mortem to identify how initial access occurred.
  • Report and coordinate: Share IoCs internally and with peer organizations; coordinate with national cyber authorities if public‑sector compromise is suspected.

Strategic implications and risk analysis​

Strengths of the adversary’s approach​

  • The kernel‑mode loader provides significant stealth advantages and long dwell times.
  • Use of a signed driver (even with an expired certificate) reduces immediate blocking by some security controls that trust signatures.
  • Layered tooling (USB worms, PlugX, ToneShell) affords multiple persistence and lateral movement options, complicating eradication.
  • Targeting of government and diplomatic entities maximizes intelligence value for the operator.

Defender challenges and risks​

  • EDR/AV blind spots: When kernel‑mode components modify the file system stack, user‑mode detectors and many EDR sensors can be disabled or misled.
  • Forensic complexity: Reliable identification and eradication require memory forensics and often full reimaging—resource‑intensive actions that many organizations are unprepared to execute at scale.
  • Certificate abuse: Leaked or stolen signing keys undermine trust in code signing — defenders must treat driver signing metadata critically and correlate with telemetry rather than accepting signatures at face value.
  • Supply chain overlap: Signed drivers from legitimate vendors can be abused; procurement and asset teams must maintain driver inventories and verify provenance.

What to watch next​

  • Copycat tactics: The use of signed mini‑filters is likely to be replicated by other actors if defenders do not harden driver loading and signing policies.
  • Credential theft: Once persistent access is achieved at scale, expect follow‑on operations for credential harvesting and cloud token theft.
  • Air‑gap bridging: USB worm families like ToneDisk/SnakeDisk show targeted attempts to bridge high‑security air‑gapped or segmented networks using removable media.
When high‑value government targets are involved, the focus should be on resilience and early detection via memory analysis, not just signature updates.

Recommendations for WindowsForum readers and system owners​

  • Prioritize memory capture capabilities and train incident response teams in kernel‑level forensic analysis.
  • Maintain an inventory of installed drivers and their signing certificates; flag anomalies and expired certificates for investigation.
  • Implement driver code integrity and secure boot where feasible to reduce the risk of kernel‑mode implant execution.
  • Use egress filtering and proxy inspection to detect anomalous outbound channels that may host ToneShell C2 traffic.
  • Apply least privilege for administrative accounts and enforce multi‑factor authentication to reduce the impact of credential theft.
  • Rotate certificates and secrets after an incident; treat any evidence of driver signing compromise as high risk and assume broader reuse of the key.

Conclusion​

The shift of ToneShell delivery into kernel space via a signed mini‑filter driver is a significant escalation in operational tradecraft. It demonstrates a pragmatic, effective method for state‑aligned operators to obtain durable, stealthy access while actively undermining the capabilities of traditional EDR and antivirus products. Defenders must adapt: prioritize memory forensics, harden driver loading policies, and treat signed drivers—especially those with unusual or expired certificates—with a high degree of skepticism. For organizations protecting government and diplomatic assets, the message is stark: detection windows are narrowing and the cost of delayed response can be a protracted, costly compromise that demands full‑scale incident response and rebuilds.
Source: TechRadar, “Researchers identify new ToneShell backdoor targeting government agencies”