Threat Intelligence · December 30, 2025 · 4 min read

Mustang Panda Deploys Kernel-Mode Rootkit to Conceal TONESHELL Backdoor

Chinese APT uses stolen certificate to sign malicious driver that disables security tools. First documented case of TONESHELL delivered via kernel-mode loader.

Alex Kowalski

Kaspersky researchers have uncovered a new tactic from Mustang Panda: the Chinese state-sponsored group is now deploying a kernel-mode rootkit to hide its TONESHELL backdoor from security tools. The development marks the first time TONESHELL has been delivered through a kernel-level loader, a significant escalation in the group's evasion capabilities.

The campaign targeted government organizations across Myanmar, Thailand, and other Southeast Asian countries starting in early 2025. Mustang Panda—also tracked as HoneyMyte and Bronze President—has long focused on espionage operations against governments and organizations in the Asia-Pacific region.

How the Rootkit Works

The malicious driver, named "ProjectConfiguration.sys," gains kernel-level access to compromised systems. From that privileged position, it can:

  • Hide malicious processes and files from user-mode security tools
  • Intercept and filter I/O operations before they reach antivirus software
  • Disable Microsoft Defender by modifying the WdFilter driver configuration
  • Ensure priority over security products by selecting a mini-filter altitude above the antivirus-reserved range

Traditional endpoint security operates largely in user mode. By running at kernel level, the rootkit sits below the visibility of most detection tools. Security software sees what the rootkit allows it to see.

Stolen Certificate Adds Legitimacy

The driver is signed with a digital certificate from Guangzhou Kingteller Technology Co., Ltd., a Chinese company involved in ATM distribution. The certificate was valid from 2012 to 2015, meaning the attackers are using an expired but previously legitimate credential.

Researchers found other unrelated malicious files signed with the same certificate, suggesting it was either stolen or leaked rather than directly obtained by Mustang Panda. Threat actors trading and reusing stolen certificates is common—once a signing key leaks, it becomes a shared resource in underground markets.

Windows treats signed drivers with more trust than unsigned ones. While the certificate's expiry limits its effectiveness against fully updated systems, organizations running older Windows versions or less strict driver signature enforcement remain vulnerable.

TONESHELL Gets an Upgrade

TONESHELL itself is a backdoor used exclusively by Mustang Panda. Previous versions were delivered through more conventional means—phishing documents, DLL sideloading, and legitimate application hijacking. The kernel-mode delivery represents an evolution.

With the rootkit in place, TONESHELL shellcode executes entirely in memory; no files touch disk after initial deployment. Memory forensics becomes the primary detection method, and many organizations lack the capability to perform it routinely.

The backdoor provides standard remote access functionality: command execution, file operations, and data exfiltration. What's changed is visibility. Security teams may not realize TONESHELL is present until network monitoring catches anomalous outbound connections—if they catch them at all.

Detection Challenges

Kernel-mode rootkits create fundamental detection problems. When malware controls what the operating system reports to security tools, those tools can't trust their own observations.

Kaspersky recommends:

  1. Memory forensics as the primary detection method. The shellcode runs in memory, so that's where evidence exists.
  2. Network monitoring for command-and-control communications. Even hidden processes need to reach their controllers.
  3. Boot-time scanning using external media or pre-boot environments where the rootkit isn't active.
  4. Driver loading audits to identify unexpected kernel-mode components.
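As an added illustration of the driver-loading audit in item 4 and the altitude trick described earlier (example code written for this article, not Kaspersky's tooling or anything from the report): a Python script that parses `fltmc filters` output, compares it with a known-good baseline, and flags unknown mini-filters, calling out any registered above the altitude range Microsoft reserves for anti-virus filters. The sample output, the baseline, and the unexpected filter's name and altitude are constructed for the example.

```python
import re
from collections import namedtuple
# Microsoft's documented altitude range reserved for FSFilter Anti-Virus mini-filters.
# A higher altitude sits closer to the I/O manager and sees each request before lower
# filters do, which is the priority trick the article describes.
AV_ALTITUDE_MIN, AV_ALTITUDE_MAX = 320000, 329999

# Constructed sample of `fltmc filters` output (not a real capture). The last
# row is a hypothetical unexpected filter; its name and altitude are assumed.
SAMPLE_FLTMC = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
WdFilter                                4       328010         0
storqosflt                              0       244000         0
wcifs                                   0       189900         0
luafv                                   1       135000         0
FileInfo                                4        40500         0
ProjectConfiguration                    4       385201         0
"""

# Constructed allow-list, as captured from a known-good image of the same build.
BASELINE = {"WdFilter", "storqosflt", "wcifs", "luafv", "FileInfo"}
MiniFilter = namedtuple("MiniFilter", "name instances altitude frame")

# Data rows: name, instance count, altitude (may carry a decimal part), frame.
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+(?:\.\d+)?)\s+(\d+)$")

def parse_fltmc(text: str) -> list:
    """Parse the table printed by `fltmc filters`; header rows never match."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(MiniFilter(m[1], int(m[2]), float(m[3]), int(m[4])))
    return rows

def audit_filters(filters: list, baseline: set) -> list:
    """Return (name, altitude, reason) for every filter missing from the baseline."""
    findings = []
    for f in filters:
        if f.name in baseline:
            continue
        if f.altitude > AV_ALTITUDE_MAX:
            reason = "above the anti-virus range: receives I/O before AV filters"
        elif f.altitude >= AV_ALTITUDE_MIN:
            reason = "inside the anti-virus-reserved range"
        else:
            reason = "below the anti-virus range"
        findings.append((f.name, f.altitude, reason))
    return findings
```

Feed it the real `fltmc filters` output from a host (run as administrator) and a baseline captured from a clean image of the same build; an unknown filter above 329999 deserves an immediate look at the backing driver file and its signature.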

Organizations with mature security operations may catch the initial infection before the rootkit deploys. But once it's running, remediation typically requires complete system rebuilds rather than targeted cleanup.

Attribution and Targeting

Kaspersky attributes this campaign to Mustang Panda with high confidence based on TONESHELL usage, infrastructure overlap, and targeting patterns consistent with the group's history.

The focus on Southeast Asian governments fits Mustang Panda's established interests. The group has operated since at least 2012, conducting espionage aligned with Chinese foreign policy objectives. Myanmar and Thailand—both mentioned as targets—are ASEAN members navigating complex relationships with China.

Government organizations in the region should assume they're targets. The sophistication here—kernel-mode rootkits, signed drivers, memory-only payload execution—indicates resources and motivation to maintain persistent access.

Why This Matters

Mustang Panda joining the kernel-rootkit club follows a broader trend. Nation-state groups increasingly adopt techniques that were once the domain of specialized operators. When a mid-tier APT starts shipping signed kernel drivers, the bar for everyone else just dropped.

Defenders relying primarily on endpoint detection and response (EDR) tools should understand their limitations. EDR works well against user-mode threats. Against kernel-level adversaries, it becomes a cat-and-mouse game where the mouse can sometimes turn off the lights.

The stolen certificate angle matters too. Organizations concerned about software supply chain attacks should track certificate usage for their own products. If your signing key shows up on malware, you want to know immediately—not when a security vendor publishes research about someone else using it.
