Overview
- Researchers attribute the activity to Mustang Panda, which targeted government entities in Southeast and East Asia; operations were observed since at least February 2025, and detections in mid-2025 centered on Myanmar and Thailand.
- The loader, ProjectConfiguration.sys, is signed with an old Guangzhou Kingteller digital certificate valid from 2012 to 2015 that Kaspersky assesses was likely stolen or leaked.
- The rootkit registers at a high minifilter altitude, blocks delete and rename actions, protects related registry keys and processes, and tampers with WdFilter’s load order to keep Microsoft Defender out of the I/O stack.
- Embedded shellcodes spawn an svchost.exe process and inject a new ToneShell variant that uses fake TLS headers and a 4-byte host ID, supports remote shell and file transfers, and contacts C2 over TCP 443 at avocadomechanism.com and potherbreference.com.
- Kaspersky released indicators of compromise and recommends memory-based detection because the payload runs in RAM, while the initial access vector remains unconfirmed with suspected use of previously compromised hosts.
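The two host-side checks a defender would run against the loader and minifilter behaviour described in the third and fourth bullets, as an added PowerShell example that is not part of the Kaspersky report or the malware: it assumes an elevated session (fltmc.exe needs admin rights to enumerate filters) and only looks at filter position and driver signature, not the svchost.exe injection or the C2 traffic.

```powershell
# Added defender-side hunting script (not from the Kaspersky report or the rootkit).
# Checks whether Defender's minifilter WdFilter is attached and which filters sit above it,
# and whether a driver named ProjectConfiguration.sys exists and who signed it. Run elevated.

function Get-MinifilterTable {
    # Parse the text table printed by "fltmc filters" into objects.
    # Columns: Filter Name, Num Instances, Altitude, Frame. An empty result usually means not elevated.
    $lines = & fltmc.exe filters 2>$null
    foreach ($line in $lines) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -ge 4 -and $f[2] -match '^\d+(\.\d+)?$') {
            [pscustomobject]@{ Name = $f[0]; Instances = [int]$f[1]; Altitude = [double]$f[2]; Frame = $f[3] }
        }
    }
}

function Test-DefenderFilterPosition {
    $table = Get-MinifilterTable
    $wd = $table | Where-Object { $_.Name -eq 'WdFilter' }
    if (-not $wd) {   # WdFilter absent: Defender is not in the I/O path at all
        return [pscustomobject]@{ WdFilterLoaded = $false; WdAltitude = $null; FiltersAbove = @() }
    }
    # Filters at a higher altitude see each I/O request before WdFilter does, so one up there can veto
    # deletes/renames or hide files first. Some Microsoft filters legitimately live above it; review unfamiliar names.
    $above = $table | Where-Object { $_.Altitude -gt $wd.Altitude } | Sort-Object Altitude -Descending
    [pscustomobject]@{ WdFilterLoaded = $true; WdAltitude = $wd.Altitude; FiltersAbove = @($above | ForEach-Object Name) }
}

function Get-SuspectDriverSignature {
    param([string]$Name = 'ProjectConfiguration.sys')   # loader file name from the report
    $dirs = "$env:SystemRoot\System32\drivers", "$env:SystemRoot\System32"
    foreach ($file in Get-ChildItem -Path $dirs -Filter $Name -File -ErrorAction SilentlyContinue) {
        $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
        $cert = $sig.SignerCertificate
        [pscustomobject]@{
            Path          = $file.FullName
            SigStatus     = $sig.Status
            Signer        = if ($cert) { $cert.Subject } else { $null }
            ValidTo       = if ($cert) { $cert.NotAfter } else { $null }
            # A long-expired signer on a recently written driver matches the report's pattern (a 2012-2015 cert).
            # Windows still loads drivers whose cross-signed cert predates its mid-2015 policy change, so expired != blocked.
            ExpiredSigner = [bool]($cert -and $cert.NotAfter -lt (Get-Date))
            LastWrite     = $file.LastWriteTime
        }
    }
}

Test-DefenderFilterPosition | Format-List
Get-SuspectDriverSignature  | Format-List
```

An empty `FiltersAbove` with `WdFilterLoaded = $true` is the expected healthy state on most hosts apart from a few Microsoft filters; an absent WdFilter or an unknown high-altitude name is the lead to pull on.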