Mustang Panda Employs Signed Rootkit for TONESHELL Backdoor Deployment


These articles are AI-generated summaries. Please check the original sources for full details.

Mustang Panda Uses Signed Kernel-Mode Rootkit to Load TONESHELL Backdoor

The Chinese threat actor Mustang Panda is deploying a new variant of its TONESHELL backdoor via a signed kernel-mode rootkit, targeting government organizations in Southeast Asia. Kaspersky identified the attack, which utilizes a driver signed with a stolen or leaked certificate, in mid-2025.

Why This Matters

Traditional security models rely on the trust established by code signing, but this attack highlights how that trust fails when certificates are compromised or legitimately issued ones are abused. The cost of a successful campaign against government infrastructure can be immense, from data exfiltration and espionage to disruption of critical services, with the added risk of escalating geopolitical tensions.

Key Insights

  • Stolen Certificate: The rootkit driver is signed with a certificate issued to Guangzhou Kingteller Technology Co., Ltd, valid from 2012 to 2015.
  • Kernel-Mode Injection: This is the first observed instance of TONESHELL delivered through a kernel-mode loader, which improves its stealth.
  • Altitude Manipulation: The rootkit changes the altitude, and therefore the load order, of Microsoft Defender's filter drivers to bypass security checks, demonstrating advanced anti-forensic techniques.

Working Example

(No code was present in the provided context)

Practical Applications

  • Use Case: Mustang Panda utilizes this technique to establish long-term persistent access to targeted government networks in Asia.
  • Pitfall: Reliance on digital signatures alone is insufficient; organizations must implement runtime behavior analysis and kernel-level monitoring to detect compromised drivers.
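The two detection points the insights and the pitfall describe (a kernel driver whose Authenticode signer is not an expected publisher or whose signing certificate has long since expired, and a change in the altitude or presence of Defender's minifilters) can both be checked from an elevated PowerShell session. The script below is an added example written for this page; it is not code from the article or from Kaspersky's report. The publisher patterns in $AllowedSignerPatterns and the baseline file location in $BaselinePath are assumptions to adapt to your environment, and the first run only writes the baseline.

```powershell
# Added example, not from the article: inventory running kernel drivers, check their
# Authenticode signatures, and diff minifilter altitudes against a saved baseline.
# Assumptions: the signer patterns and baseline path below are placeholders for your estate.
$AllowedSignerPatterns = @(
    'CN=Microsoft Windows*',
    'CN=Microsoft Windows Hardware Compatibility Publisher*'
)
$BaselinePath = 'C:\baseline\minifilter-altitudes.json'   # assumed location of a prior snapshot

function Resolve-DriverPath([string]$PathName) {
    # Win32_SystemDriver reports paths such as \SystemRoot\System32\drivers\x.sys,
    # \??\C:\...\x.sys or System32\drivers\x.sys; normalise them to a real file path.
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -match '^System32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Test-DriverSignatures {
    # Flags running drivers whose signature is not valid, whose signer is outside the
    # allowlist, or whose signing certificate has expired (expiry alone is common for
    # timestamped legitimate drivers; combined with an unexpected signer it merits review).
    $findings = @()
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName }
    foreach ($d in $drivers) {
        $path = Resolve-DriverPath $d.PathName
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $sig  = Get-AuthenticodeSignature -LiteralPath $path
        $cert = $sig.SignerCertificate
        $reasons = @()
        if ($sig.Status -ne 'Valid') { $reasons += "signature status $($sig.Status)" }
        if ($cert) {
            $trusted = $false
            foreach ($pat in $AllowedSignerPatterns) {
                if ($cert.Subject -like $pat) { $trusted = $true }
            }
            if (-not $trusted) { $reasons += "unexpected signer: $($cert.Subject)" }
            if ($cert.NotAfter -lt (Get-Date)) {
                $reasons += "signing certificate expired $($cert.NotAfter.ToString('yyyy-MM-dd'))"
            }
        }
        if ($reasons.Count -gt 0) {
            $findings += [pscustomobject]@{ Driver = $d.Name; Path = $path; Reasons = ($reasons -join '; ') }
        }
    }
    return $findings
}

function Get-MinifilterAltitudes {
    # fltmc.exe filters prints columns: Filter Name, Num Instances, Altitude, Frame.
    $table = @{}
    foreach ($line in (& fltmc.exe filters)) {
        if ($line -match '^(\S+)\s+(\d+)\s+([\d.]+)') { $table[$Matches[1]] = $Matches[3] }
    }
    return $table
}

function Compare-MinifilterBaseline {
    # Reports filters whose altitude changed, filters that appeared, and filters that
    # vanished since the baseline; a moved or missing Defender filter is the signal here.
    $current = Get-MinifilterAltitudes
    if (-not (Test-Path -LiteralPath $BaselinePath)) {
        $current | ConvertTo-Json | Set-Content -LiteralPath $BaselinePath
        Write-Host "Baseline written to $BaselinePath; re-run later to compare."
        return @()
    }
    $baseline = @{}
    foreach ($prop in (Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties) {
        $baseline[$prop.Name] = [string]$prop.Value
    }
    $diff = @()
    foreach ($name in $current.Keys) {
        if (-not $baseline.ContainsKey($name)) {
            $diff += [pscustomobject]@{ Filter = $name; Change = 'new filter'; Altitude = $current[$name] }
        } elseif ($baseline[$name] -ne $current[$name]) {
            $diff += [pscustomobject]@{ Filter = $name; Change = "altitude $($baseline[$name]) -> $($current[$name])"; Altitude = $current[$name] }
        }
    }
    foreach ($name in $baseline.Keys) {
        if (-not $current.ContainsKey($name)) {
            $diff += [pscustomobject]@{ Filter = $name; Change = 'filter missing'; Altitude = $baseline[$name] }
        }
    }
    return $diff
}

Test-DriverSignatures      | Format-Table -AutoSize
Compare-MinifilterBaseline | Format-Table -AutoSize
```

Run it from an elevated prompt so fltmc can enumerate filters. Treat the signature findings as a review queue rather than a verdict: many legitimate third-party drivers carry expired but timestamped certificates, so the interesting rows are those combining an unexpected signer with expiry or a non-Valid status. For continuous coverage, the same signer and status fields are available in Sysmon's driver-load event (Event ID 6), which catches a rootkit at load time rather than at the next inventory.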
