
Malware & Threats

Chinese APT Mustang Panda Caught Using Kernel-Mode Rootkit

The threat actor uses a signed driver file containing two user-mode shellcodes to execute its ToneShell backdoor.

The post Chinese APT Mustang Panda Caught Using Kernel-Mode Rootkit appeared first on SecurityWeek.

China

The Chinese espionage-focused APT Mustang Panda has been using a kernel-mode rootkit in recent attacks against Asian targets, Kaspersky reports.

Also known as Basin, Bronze President, Earth Preta, and Red Delta, and tracked by Kaspersky as HoneyMyte, Mustang Panda mainly targets government and military entities in East Asia and Europe.

In early 2025, US and French authorities attempted to clean thousands of computers that the APT had infected with the PlugX RAT.

In April, cybersecurity firm Zscaler detailed Mustang Panda’s use of an updated ToneShell backdoor, along with several new tools, including an EDR evasion driver.

Now, Kaspersky says that, in mid-2025, the espionage group was seen using a signed driver file that registers as a mini-filter driver to deploy the ToneShell backdoor against an Asian target.

The driver contains two user-mode shellcodes that are executed as separate threads and are designed to protect the driver’s module and the user-mode process that the backdoor is injected into.

“To obfuscate the actual behavior of the driver module, the attackers used dynamic resolution of the required API addresses from hash values,” Kaspersky explains.

To protect itself, the driver registers with the Filter Manager and sets up a pre-operation callback that inspects every file operation targeting the driver's own file. If one is detected, it sets a flag to deny the operation, thus preventing security tools from removing or quarantining it.

Additionally, the driver builds a list of registry paths and parameter names, then assigns itself an altitude value, and monitors registry operations to block those targeting keys in its protected list.

The chosen altitude, Kaspersky explains, exceeds the range designated by Microsoft for the FSFilter Anti-Virus Load Order Group.

“Since filters with lower altitudes sit deeper in the I/O stack, the malicious driver intercepts file operations before legitimate low-altitude filters like antivirus components, allowing it to circumvent security checks,” the cybersecurity firm explains.
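The altitude point above is something a defender can check directly: `fltmc filters` lists every loaded minifilter with its altitude, and any filter sitting above the FSFilter Anti-Virus load order group receives pre-operation callbacks before the antivirus filter does. The script below is an added example (not Kaspersky's or SecurityWeek's code) that parses constructed `fltmc filters` output, skips an allowlist of vetted filter names, and reports unknown filters whose altitude places them ahead of the Anti-Virus group. The Anti-Virus range (320000 to 329999) is taken from Microsoft's published load order group table; the allowlist contents and the `EXAMPLEFLT` entry are assumptions made for this example, not indicators from the report.

```python
import subprocess
from dataclasses import dataclass

# Altitude range Microsoft allocates to the FSFilter Anti-Virus load order group.
# The page names only this group; the bounds come from Microsoft's public table.
FSFILTER_ANTI_VIRUS = (320000, 329999)

# Filter names already vetted on this host. Constructed for the example; a real
# deployment would derive this from a clean baseline of the same image.
KNOWN_FILTERS = {"WdFilter", "luafv", "FileInfo", "Wof", "storqosflt", "bindflt"}

# Constructed sample of `fltmc filters` output. "EXAMPLEFLT" is a placeholder
# name for an unknown driver, not an indicator taken from the report.
SAMPLE_FLTMC_OUTPUT = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
bindflt                                 1       409800         0
WdFilter                                4       328010         0
storqosflt                              0       244000         0
wcifs                                   0       189900         0
FileInfo                                4       40500          0
EXAMPLEFLT                              4       330800         0
"""


@dataclass
class MiniFilter:
    name: str
    instances: int
    altitude: float
    frame: str  # kept as text because legacy filters print "<Legacy>" here


def parse_fltmc(output: str) -> list[MiniFilter]:
    """Parse the table printed by `fltmc filters` into MiniFilter records."""
    filters = []
    for line in output.splitlines():
        stripped = line.strip()
        # Skip blank lines, the header row and the dashed separator.
        if not stripped or stripped.startswith("Filter Name") or stripped.startswith("---"):
            continue
        parts = stripped.split()
        if len(parts) < 4:
            continue
        # Columns are right-aligned, so take them from the end in case a name has spaces.
        frame, altitude, instances = parts[-1], parts[-2], parts[-3]
        name = " ".join(parts[:-3])
        filters.append(MiniFilter(name, int(instances), float(altitude), frame))
    return filters


def precedes_antivirus(f: MiniFilter) -> bool:
    """True when this filter's pre-operation callback runs before any Anti-Virus
    group filter sees the same I/O (a higher altitude sits higher in the stack)."""
    return f.altitude > FSFILTER_ANTI_VIRUS[1]


def triage(output: str) -> list[dict]:
    """Report every filter not on the allowlist, noting whether it is positioned
    ahead of the Anti-Virus group. Unknown filters above that group deserve a
    signature and load-path review before being trusted."""
    findings = []
    for f in parse_fltmc(output):
        if f.name in KNOWN_FILTERS:
            continue
        findings.append({
            "name": f.name,
            "altitude": f.altitude,
            "precedes_av": precedes_antivirus(f),
            "in_av_range": FSFILTER_ANTI_VIRUS[0] <= f.altitude <= FSFILTER_ANTI_VIRUS[1],
        })
    return findings


def triage_live_host() -> list[dict]:
    """Run `fltmc filters` on the local Windows host (requires an elevated prompt)
    and triage the real output. Not exercised offline."""
    out = subprocess.run(["fltmc", "filters"], capture_output=True, text=True, check=True)
    return triage(out.stdout)


if __name__ == "__main__":
    for finding in triage(SAMPLE_FLTMC_OUTPUT):
        print(finding)
```

On the constructed sample only `wcifs` (below the Anti-Virus range, so it cannot pre-empt the AV filter) and the placeholder `EXAMPLEFLT` (altitude 330800, ahead of it) are reported; in practice many legitimate activity-monitor and top-group filters also sit above the Anti-Virus range, so an unknown name there is a lead for signature and load-path checks rather than a verdict on its own.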

The driver uses a similar routine to intercept and block operations targeting the user-mode processes in which the backdoor has been injected. However, it removes the protection for processes after the backdoor has performed its activities.

Kaspersky observed the backdoor delivering two user-mode payloads. The first spawns a svchost process and injects delay-inducing shellcode into it, while the second is the ToneShell backdoor that is injected into the spawned svchost process.

“This is the first time we’ve seen ToneShell delivered through a kernel-mode loader, giving it protection from user-mode monitoring and benefiting from the rootkit capabilities of the driver that hides its activity from security tools,” Kaspersky notes.

Related: Chinese APT ‘LongNosedGoblin’ Targeting Asian Governments

Related: Google Sees 5 Chinese Groups Exploiting React2Shell for Malware Delivery

Related: UK Sanctions Russian and Chinese Firms Suspected of Being ‘Malign Actors’ in Information Warfare

Related: US Organizations Warned of Chinese Malware Used for Long-Term Persistence
