Overview
- Kaspersky reports a kernel‑mode mini‑filter driver named ProjectConfiguration.sys delivered the backdoor, marking the first observed use of a kernel loader for ToneShell.
- The driver is signed with a likely stolen or leaked certificate issued to Guangzhou Kingteller Technology Co., Ltd., valid between 2012 and 2015.
- Activity has been observed since at least February 2025 in campaigns against government entities in Myanmar, Thailand, and other Asian countries, attributed with high confidence to Mustang Panda.
- Rootkit functions include runtime kernel API resolution, interception of file‑delete and rename operations, protection of service registry keys, selection of a high mini‑filter altitude, and interference with Microsoft Defender’s WdFilter.
- The loader injects two user‑mode shellcodes into processes (including svchost.exe) and shields them by denying handle access. The updated ToneShell uses fake TLS headers, a new 4‑byte host ID and a defined set of file and shell commands; detection relies on memory forensics and the published IoCs.
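The mini‑filter behaviours listed above (a high altitude, interference with WdFilter) are visible from the host with `fltmc filters`. The following triage script, an added example that is not part of the Kaspersky report, parses that output and flags filters missing from a baseline, filters registered above the anti‑virus altitude group, and a WdFilter that is absent or attached to no volumes. The sample output is constructed; the filter name `ProjectConfiguration`, its altitude and the baseline names are assumptions, not values from the report.

```python
"""Triage `fltmc filters` output for mini-filter tampering indicators.

Flags: filters absent from a known-good baseline, filters loaded above the
FSFilter Anti-Virus altitude group (they see file operations before WdFilter),
and a WdFilter that is missing or has no volume instances.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the column layout `fltmc filters` prints on Windows.
# The ProjectConfiguration line and its altitude are assumptions for this example.
SAMPLE_FLTMC_OUTPUT = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
ProjectConfiguration                    3       409900         0
WdFilter                                3       328010         0
storqosflt                              0       244000         0
wcifs                                   0       189900         0
FileInfo                                3       40500          0
"""

# Same host with the Defender mini-filter no longer registered (constructed).
SAMPLE_WDFILTER_REMOVED = "\n".join(
    line for line in SAMPLE_FLTMC_OUTPUT.splitlines() if not line.startswith("WdFilter")
) + "\n"

# Upper bound of the FSFilter Anti-Virus load-order group (320000-329999).
AV_ALTITUDE_MAX = 329999

# Assumed baseline of filters expected on this build; tune per environment.
KNOWN_GOOD = {"WdFilter", "storqosflt", "wcifs", "FileInfo", "bindflt", "luafv", "Wof"}

# One data row: name, instance count, altitude, frame. Header and dashed
# separator rows do not match because their second column is not numeric.
LINE_RE = re.compile(r"^(?P<name>\S+)\s+(?P<inst>\d+)\s+(?P<alt>\d+)\s+(?P<frame>\d+)\s*$")


@dataclass(frozen=True)
class FilterEntry:
    name: str
    instances: int
    altitude: int
    frame: int


def parse_fltmc(output: str) -> list[FilterEntry]:
    """Parse `fltmc filters` text into FilterEntry rows, skipping headers."""
    entries: list[FilterEntry] = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(
                FilterEntry(m["name"], int(m["inst"]), int(m["alt"]), int(m["frame"]))
            )
    return entries


def triage_fltmc(
    output: str,
    baseline: set[str] = KNOWN_GOOD,
    av_altitude_max: int = AV_ALTITUDE_MAX,
) -> list[tuple[str, str]]:
    """Return (filter_name, reason) findings worth a closer look."""
    entries = parse_fltmc(output)
    by_name = {e.name: e for e in entries}
    findings: list[tuple[str, str]] = []

    # Defender's mini-filter should be registered and attached to volumes.
    wd = by_name.get("WdFilter")
    if wd is None:
        findings.append(("WdFilter", "wdfilter_missing"))
    elif wd.instances == 0:
        findings.append(("WdFilter", "wdfilter_no_instances"))

    for e in entries:
        if e.name in baseline:
            continue
        findings.append((e.name, "not_in_baseline"))
        # A filter above the AV group receives pre-operation callbacks before
        # WdFilter does, which is the position a rootkit wants for file ops.
        if e.altitude > av_altitude_max:
            findings.append((e.name, "above_av_altitude"))
    return findings


if __name__ == "__main__":
    for name, reason in triage_fltmc(SAMPLE_FLTMC_OUTPUT):
        print(f"{name}: {reason}")
```

On a live host, feed the script the captured text of `fltmc filters` instead of the constructed sample; an unfamiliar filter sitting above 329999 is a lead for pulling the driver binary and checking its signer, not a verdict on its own.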