Researchers identify new ToneShell backdoor targeting government agencies

News
By published

Chinese attackers are allegedly spying on their neighbors

Proactive Cybersecurity Service That Neutralizes Threats Within a Digital Network - Conceptual Illustration
(Image credit: Shutterstock)
  • Mustang Panda deployed upgraded ToneShell backdoors against Asian government organizations
  • New variant uses signed mini-filter driver, enabling rootkit-like stealth and Defender tampering
  • Kaspersky advises memory forensics and IoCs to detect infections in compromised systems

Chinese state-sponsored threat actors, known as Mustang Panda, have been observed targeting government organizations of various Asian countries with an upgraded version of the ToneShell backdoor.

This is according to cybersecurity researchers Kaspersky, who recently analyzed a malicious file driver they found on computers belonging to government organizations in Myanmar, Thailand, and others.

The driver led to the discovery of ToneShell, a backdoor which grants attackers unabated access to compromised devices, through which they can upload and download files, create new documents, and more.

Mini-filters and kernel-mode drivers

The new variant came with improvements, Kaspersky added, including establishing a remote shell via a pipe, terminating shell, cancelling uploads, closing connections, creating temporary files for incoming data, and more.

ToneShell is generally used for cyber-espionage campaigns. Victim computers were apparently also infected with other malware, as well, including PlugX, and the ToneDisk USB worm. The campaign likely started in February 2025, researchers speculate.

But what makes this campaign really stand out is the use of a mini-filter driver that was signed with either a stolen, or leaked certificate.

"This is the first time we’ve seen ToneShell delivered through a kernel-mode loader, giving it protection from user-mode monitoring and benefiting from the rootkit capabilities of the driver that hides its activity from security tools," Kaspersky said.

Mini-filters are kernel-mode drivers that sit inside the Windows file system stack and intercept file system operations in real time. They let software see, block, modify, or log file activity before it reaches the disk, and are part of Microsoft’s File System Filter Manager framework.

Among other things, they let the attackers tamper with Microsoft Defender, making sure it doesn’t get loaded into the I/O stack.

To defend against the new attacks, the researchers advise memory forensics as the number one way of spotting ToneShell infections. They also shared a list of indicators of compromise (IoC) which can be used to determine if a system was attacked or not.

Via BleepingComputer

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.