The Kernel Ghost: Mustang Panda’s New Rootkit Blinds Antivirus to Deploy ToneShell
Cyber-espionage attributed to the Chinese group HoneyMyte—also known as Mustang Panda and Bronze President—has reached a new level. Researchers have observed the deployment of an advanced version of the ToneShell malware, concealed by a kernel-level rootkit. This technique enables the covert delivery of malicious code while significantly complicating detection on compromised systems.
According to data gathered by Kaspersky Lab, the attacks targeted government institutions across several Asian countries, including Myanmar and Thailand. Analysis of the malicious driver ProjectConfiguration.sys indicates that the activity has been ongoing since at least February 2025. Investigators determined that the affected systems had previously been infected with other malware linked to Chinese espionage campaigns, including earlier variants of ToneShell, the ToneDisk worm, and the PlugX backdoor.
This iteration employs a kernel-mode minifilter driver, signed with a stolen or leaked certificate issued between 2012 and 2015 by a Chinese company based in Guangzhou. The driver integrates into the Windows I/O stack, allowing it to intercept file system operations. As a result, it can prevent its own removal or renaming and block access attempts to registry keys associated with its service. By operating at a higher minifilter altitude, it gains priority over antivirus products, further weakening defensive controls.
A wide range of techniques is used to shield the malicious activity. The list of process identifiers targeted for code injection is itself protected: any attempt to access it is denied, and protections are lifted only after the malicious components complete their tasks. In addition, the driver interferes with Microsoft Defender, preventing the corresponding filtering module from being loaded into the file system stack.
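The two behaviours described above, a minifilter loading at an altitude above the antivirus range and the Defender filter being kept out of the file system stack, are both visible from user mode with the built-in `fltmc filters` command. The following Python script is an added example, not code from the Kaspersky report or from the malware: it parses `fltmc filters` output, flags any loaded minifilter that sits above the documented FSFilter Anti-Virus altitude range (320000-329999) without being on an allowlist, and reports whether Microsoft Defender's `WdFilter` is present. The embedded sample output is constructed; the filter name `SuspiciousFlt` and its altitude are placeholders, because the article gives only the driver file name, not the altitude or the registered filter name.

```python
"""Triage loaded minifilters from `fltmc filters` output (added example).

Flags filters that load above the FSFilter Anti-Virus altitude range and
are not on the allowlist, and checks that Microsoft Defender's WdFilter is
loaded at all. Run on a Windows host from an elevated prompt, or feed it a
saved `fltmc filters` capture from a suspect machine.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Documented Microsoft load-order group for anti-virus minifilters.
AV_RANGE = (320000.0, 329999.0)

# Filters that normally load above the anti-virus range on a stock Windows
# host. Assumption: extend this with your own EDR / backup vendor's filters.
KNOWN_ABOVE_AV = {"bindflt"}

# One row per loaded filter: name, instance count, altitude, frame.
_ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+(?:\.\d+)?)\s+(\d+)\s*$")


@dataclass(frozen=True)
class Minifilter:
    name: str
    instances: int
    altitude: float
    frame: int


def parse_fltmc(output: str) -> List[Minifilter]:
    """Parse the table printed by `fltmc filters`; header lines are skipped."""
    filters = []
    for line in output.splitlines():
        m = _ROW.match(line.strip())
        if m:
            name, inst, alt, frame = m.groups()
            filters.append(Minifilter(name, int(inst), float(alt), int(frame)))
    return filters


def triage(filters: Iterable[Minifilter],
           allowlist: Iterable[str] = KNOWN_ABOVE_AV) -> Dict[str, object]:
    """Return unexpected high-altitude filters and whether Defender is loaded."""
    allowed = {n.lower() for n in allowlist}
    unexpected = [f for f in filters
                  if f.altitude > AV_RANGE[1] and f.name.lower() not in allowed]
    defender_loaded = any(f.name.lower() == "wdfilter" for f in filters)
    return {"unexpected_above_av": unexpected, "defender_loaded": defender_loaded}


def live_fltmc() -> str:
    """Capture `fltmc filters` on the local Windows host (needs elevation)."""
    return subprocess.run(["fltmc", "filters"], capture_output=True,
                          text=True, check=True).stdout


# Constructed sample: WdFilter is absent and a placeholder filter sits in the
# Activity Monitor range, above every anti-virus filter. Other rows mirror
# common stock Windows filters.
SAMPLE_FLTMC_OUTPUT = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
bindflt                                 1       409800         0
SuspiciousFlt                           3       365000         0
storqosflt                              0       244000         0
wcifs                                   0       189900         0
CldFlt                                  0       180451         0
FileCrypt                               0       141100         0
luafv                                   1       135000         0
npsvctrig                               1        46000         0
Wof                                     5        40700         0
FileInfo                                6        40500         0
"""


if __name__ == "__main__":
    result = triage(parse_fltmc(SAMPLE_FLTMC_OUTPUT))
    for f in result["unexpected_above_av"]:
        print(f"unexpected filter above AV altitude: {f.name} @ {f.altitude:.0f}")
    if not result["defender_loaded"]:
        print("WdFilter (Microsoft Defender) is not loaded")
```

On a real host, replace `SAMPLE_FLTMC_OUTPUT` with `live_fltmc()`; a hit on either check is a lead to confirm with the loaded driver's signer and file hash, not a verdict on its own, since legitimate security and backup products also register at high altitudes.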
Particular attention has been drawn to the infection mechanism. The driver’s code embeds two user-mode shellcodes that execute as separate threads injected into processes. To evade analysis, the malware avoids direct API loading, instead resolving functions by enumerating loaded modules and matching hash values.
The updated ToneShell variant introduces multiple enhancements designed to increase stealth. It abandons the previous GUID-based victim identification scheme in favor of a compact 4-byte identifier. Network traffic is now obfuscated using spoofed TLS headers, making interception and analysis more difficult. Additional remote-control capabilities have been added, including file upload and download, a remote shell over a custom channel, command execution, and controlled termination of connections.
Kaspersky Lab emphasizes that this marks the first documented use of kernel mode to deliver ToneShell, substantially raising the bar for detection and enabling the malware to evade security solutions more effectively. The report’s authors express confidence that Mustang Panda is behind the campaign, noting a clear evolution in the group’s tactics and tooling that underscores a high degree of persistence and operational stealth.
The report also includes key indicators of compromise that organizations can use to detect and mitigate intrusions associated with this malicious activity.