A recently discovered sample of the ToneShell backdoor, commonly linked to Chinese cyber-espionage efforts, has been deployed via a kernel-mode loader targeting government entities.
This backdoor has been connected to the Mustang Panda group (also referred to as HoneyMyte or Bronze President), which primarily focuses on government sectors, NGOs, think tanks, and various other prominent organizations globally.
Researchers at Kaspersky analyzed a malicious driver found on computer systems in Asia and determined that it has been used against government organizations in Myanmar, Thailand, and other countries since at least February 2025.
Kernel-Mode Rootkit Deployment
Kaspersky reports that the ToneShell backdoor was delivered through a mini-filter driver named ProjectConfiguration.sys, which was signed with a stolen or leaked certificate issued to Guangzhou Kingteller Technology Co., Ltd. and valid from 2012 to 2015.
Mini-filters operate as kernel-mode drivers that integrate with Windows file-system I/O to monitor, alter, or block file operations. They are typically used by security software, encryption tools, and backup applications, which is why a malicious mini-filter can blend in among legitimate ones.
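Because a mini-filter loads as a kernel driver and sits in the file-system I/O path, one defensive check is to enumerate the filters currently registered on a host and review who signed each backing driver and whether that signing certificate is still inside its validity window. The script below is an added example written for this article; it is not Kaspersky's tooling and does not reproduce anything from the malicious driver. It assumes an elevated PowerShell session on the host under review, that each filter name matches its service key under HKLM\SYSTEM\CurrentControlSet\Services (true for the common case, not guaranteed), and it treats the file name ProjectConfiguration.sys named in the report as a hypothetical indicator worth flagging rather than proof of compromise.

```powershell
# Added triage example (not from the Kaspersky report): list loaded minifilter
# drivers and flag ones whose Authenticode signer is not Microsoft, whose
# signing certificate has expired, or whose file name matches the one reported.

function Get-LoadedMinifilterDriver {
    # 'fltmc filters' prints a two-line header, then one row per registered filter;
    # the first column is the filter name.
    $rows = (& fltmc.exe filters) | Select-Object -Skip 2 | Where-Object { $_.Trim() -ne '' }
    foreach ($row in $rows) {
        $name = ($row.Trim() -split '\s+')[0]
        if (-not $name) { continue }
        # Assumption: filter name == service name. Resolve the driver image from the registry.
        $svc = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$name" -ErrorAction SilentlyContinue
        $image = $svc.ImagePath
        if (-not $image) { continue }
        # ImagePath forms seen in practice: 'system32\drivers\x.sys', '\SystemRoot\system32\drivers\x.sys',
        # or '\??\C:\...\x.sys'. Normalise to an absolute path.
        $path = $image -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }
        [pscustomobject]@{ Filter = $name; Path = $path }
    }
}

function Test-MinifilterDriverSignature {
    param([Parameter(Mandatory)][string]$Path)
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    $findings = @()
    if ($sig.Status -ne 'Valid') { $findings += "signature status: $($sig.Status)" }
    if ($cert) {
        # A timestamped signature stays 'Valid' after the certificate expires,
        # so check the validity window separately.
        if ($cert.NotAfter -lt (Get-Date)) { $findings += "signing certificate expired $($cert.NotAfter.ToShortDateString())" }
        if ($cert.Subject -notmatch 'Microsoft') { $findings += "non-Microsoft signer: $($cert.Subject)" }
    }
    if ((Split-Path $Path -Leaf) -ieq 'ProjectConfiguration.sys') {
        $findings += 'file name matches the driver named in the report (hypothetical indicator)'
    }
    [pscustomobject]@{
        Path     = $Path
        Signer   = if ($cert) { $cert.Subject } else { $null }
        NotAfter = if ($cert) { $cert.NotAfter } else { $null }
        Findings = $findings
    }
}

# Print only drivers with at least one finding for an analyst to review.
Get-LoadedMinifilterDriver |
    ForEach-Object { Test-MinifilterDriverSignature -Path $_.Path } |
    Where-Object { $_.Findings.Count -gt 0 } |
    Format-List
```

The output is a review list, not a verdict: many legitimate third-party filters (endpoint security, backup, encryption products) are signed by non-Microsoft publishers, and an expired certificate on a correctly timestamped driver is common. What stands out in the case above is the combination of a driver name that matches no known product, a publisher unrelated to the vendor of any software on the host, and a certificate whose validity window ended years before the driver appeared.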