The China-linked cyber-espionage group Mustang Panda (also known as HoneyMyte or Earth Preta) has incorporated a new, sophisticated tool into its arsenal: a kernel-mode rootkit used to stealthily load its TONESHELL backdoor. According to research from Kaspersky, the rootkit is a driver file named ProjectConfiguration.sys that has been signed with a valid, albeit leaked, digital certificate from a Chinese ATM provider. This allows it to load into the Windows kernel without raising alarms. Once active, the rootkit functions as a minifilter driver, giving it the power to hide the presence of the TONESHELL malware from security tools and investigators. This marks a significant evolution in the group's tradecraft, enabling deeper, more persistent, and harder-to-detect intrusions into target networks, primarily government entities in Southeast Asia.
Mustang Panda is a well-known APT group with a history of targeting government, non-profit, and other strategic organizations, particularly in Asia. This latest campaign, observed in mid-2025, demonstrates a clear investment in enhancing their operational security and stealth.
Key components:
- A kernel-mode rootkit (ProjectConfiguration.sys) that provides stealth and persistence.
- The TONESHELL backdoor, a known malware used by the group for reverse shell and downloader capabilities.

The core of this new TTP is the use of a signed rootkit to achieve unparalleled stealth.

Attack chain:
1. ProjectConfiguration.sys is dropped and loaded onto the system. It is signed with a leaked certificate from Guangzhou Kingteller Technology Co., Ltd., which allows it to bypass Windows driver signature enforcement.
2. Once loaded, the driver operates as a kernel-mode rootkit (T1014 - Rootkit). This gives it high-level privileges and the ability to intercept and modify system operations.
3. The rootkit hides the TONESHELL backdoor's files, processes, and registry keys, making them invisible to user-mode applications like Task Manager, File Explorer, and most endpoint security products.
4. The rootkit loads the TONESHELL shellcode directly into the memory of a legitimate system process, such as svchost.exe (T1055 - Process Injection). This in-memory execution further evades disk-based scanning.
5. The TONESHELL backdoor then establishes a reverse shell to an attacker-controlled C2 server, allowing for remote access and the downloading of additional malware.

| Tactic | Technique ID | Name | Description |
|---|---|---|---|
| Defense Evasion, Persistence | T1014 | Rootkit | A kernel-mode rootkit is used to hide malicious activities and maintain persistence. |
| Defense Evasion | T1574.006 | Hijack Execution Flow: Dynamic-link Library Hijacking | The use of a signed driver to load malicious code into the kernel. (Note: This is a conceptual fit; T1014 is more precise.) |
| Defense Evasion | T1055 | Process Injection | TONESHELL shellcode is injected into the legitimate svchost.exe process. |
| Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | TONESHELL provides a reverse shell for executing commands. |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | TONESHELL likely uses standard protocols like HTTP/S for C2 communications. |
The use of a signed kernel-mode rootkit represents a significant escalation in Mustang Panda's capabilities. This technique makes detection extremely difficult, allowing the threat actor to maintain long-term, undetected access to highly sensitive government networks. This level of persistence enables deep espionage, exfiltration of state secrets, and the potential to use the compromised networks as a launchpad for future attacks. The abuse of a legitimate digital certificate also erodes trust in the code-signing ecosystem.
| Type | Value | Description | Context | Confidence |
|---|---|---|---|---|
| file_name | ProjectConfiguration.sys | The name of the malicious rootkit driver file. | Endpoint file system scanning. | high |
| certificate_subject | Guangzhou Kingteller Technology Co., Ltd. | The subject of the leaked digital certificate used to sign the driver. | Driver signature verification tools, code signing logs. | high |
| process_name | svchost.exe | Legitimate process making anomalous outbound network connections to unknown IPs. | EDR telemetry, NetFlow analysis. | medium |
Detection opportunities:
- Memory scanning for injected TONESHELL code within svchost.exe or other processes. This aligns with D3FEND's D3-DA: Dynamic Analysis.
- Monitoring driver loads for ProjectConfiguration.sys or any drivers signed by Guangzhou Kingteller Technology Co., Ltd. that are not expected in your environment.
- Further mapped D3FEND techniques: D3-NTA: Network Traffic Analysis; D3-DLIC: Driver Load Integrity Checking.

Related: Mustang Panda (HoneyMyte) expands campaign with updated CoolClient backdoor, new browser data stealers, and continued use of kernel-mode rootkits targeting Asian governments.
Mitigation recommendations:
- Use driver blocklisting to prevent the loading of drivers signed by the compromised certificate or with a known malicious hash.
- Use advanced endpoint protection that includes memory scanning to detect injected shellcode and other in-memory threats.
- Enable Secure Boot to help ensure the integrity of the boot process and prevent loading of unauthorized kernel-level drivers.
To counter the threat of a signed rootkit like ProjectConfiguration.sys, organizations should implement strict driver load policies. While the driver is signed, the certificate from Guangzhou Kingteller Technology Co., Ltd. is now known to be compromised. Using application control solutions like Windows Defender Application Control (WDAC) or AppLocker, administrators can create rules to explicitly block any driver signed by this specific certificate or with the known hash of the malicious driver. This moves beyond simple signature validation to an intelligence-led blocklisting approach. This policy should be deployed across all endpoints, especially servers and systems holding sensitive data, to prevent the rootkit from ever being loaded into the kernel.
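The driver-load monitoring recommended under detection and the intelligence-led blocklisting described in this paragraph rely on the same three indicators: the driver's file name, the subject of the leaked certificate, and (where published) the driver's hash. The following Python triage routine is an added example, not code from Kaspersky or from the original article. It works over constructed log lines shaped like Sysmon Event ID 6 (Driver loaded), whose real field names are ImageLoaded, Hashes, Signed, Signature and SignatureStatus; the flat `Key=Value|Key=Value` rendering, the sample records and the SHA256 values are all constructed, and the blocklisted hash is a placeholder because the excerpt does not publish one.

```python
"""
Triage of driver-load telemetry against the indicators in this write-up:
the driver file name, the subject of the leaked signing certificate, and a
hash blocklist. Records are shaped like Sysmon Event ID 6 (Driver loaded),
which carries ImageLoaded, Hashes, Signed, Signature and SignatureStatus.
The log lines and SHA256 values below are constructed for this example;
the blocklisted hash is a placeholder, not a real hash of the driver.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Indicators taken from the report excerpt.
BLOCKED_SIGNERS = {"Guangzhou Kingteller Technology Co., Ltd."}
BLOCKED_FILENAMES = {"projectconfiguration.sys"}
# Placeholder: the excerpt does not publish the driver's hash. Replace with
# vendor-published hashes when building a real blocklist.
BLOCKED_SHA256 = {"0" * 64}


@dataclass
class Finding:
    image: str
    reasons: List[str] = field(default_factory=list)


def parse_record(line: str) -> Dict[str, str]:
    """Parse 'Key=Value|Key=Value' lines (a constructed flat rendering of Sysmon fields)."""
    rec: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        rec[key.strip()] = value.strip()
    return rec


def parse_hashes(hashes: str) -> Dict[str, str]:
    """Sysmon's Hashes field is 'ALG=hex,ALG=hex'; return {ALG: hex}."""
    out: Dict[str, str] = {}
    for item in hashes.split(","):
        alg, _, digest = item.partition("=")
        if alg and digest:
            out[alg.strip().upper()] = digest.strip().lower()
    return out


def triage_driver_load(rec: Dict[str, str]) -> Optional[Finding]:
    image = rec.get("ImageLoaded", "")
    basename = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    reasons: List[str] = []
    if basename in BLOCKED_FILENAMES:
        reasons.append(f"known malicious driver file name: {basename}")
    signer = rec.get("Signature", "")
    if signer in BLOCKED_SIGNERS:
        reasons.append(f"signed by compromised certificate: {signer}")
    if parse_hashes(rec.get("Hashes", "")).get("SHA256") in BLOCKED_SHA256:
        reasons.append("SHA256 is on the driver blocklist")
    # The certificate is genuine but leaked, so SignatureStatus=Valid is exactly
    # what the rootkit looks like. Never let a valid signature suppress a hit.
    if reasons and rec.get("SignatureStatus", "").lower() == "valid":
        reasons.append("signature validates; do not down-rank on that basis")
    return Finding(image, reasons) if reasons else None


def triage_log(lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    for line in lines:
        if not line.strip():
            continue
        hit = triage_driver_load(parse_record(line))
        if hit:
            findings.append(hit)
    return findings


# Constructed sample: one clean Microsoft driver, the named rootkit, and a
# renamed driver that is still caught because it carries the leaked signer.
SAMPLE_LOG = [
    "ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys|Hashes=SHA256=" + "1" * 64
    + "|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid",
    "ImageLoaded=C:\\Windows\\System32\\drivers\\ProjectConfiguration.sys|Hashes=SHA256=" + "0" * 64
    + "|Signed=true|Signature=Guangzhou Kingteller Technology Co., Ltd.|SignatureStatus=Valid",
    "ImageLoaded=C:\\Users\\Public\\update.sys|Hashes=SHA256=" + "2" * 64
    + "|Signed=true|Signature=Guangzhou Kingteller Technology Co., Ltd.|SignatureStatus=Valid",
]

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f.image)
        for r in f.reasons:
            print("  -", r)
```

The signer match is the rule that matters most: the third record shows a renamed driver that a file-name or hash rule alone would miss, which is why the WDAC or AppLocker policy should deny on the certificate subject as well as on known hashes.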
Detecting kernel-level threats requires capabilities beyond traditional file-based scanning. Security teams must employ tools that perform dynamic analysis of system memory. EDR solutions with memory scanning features or dedicated memory forensics tools can be used to hunt for anomalies. Specifically for this threat, analysts should look for evidence of process injection into svchost.exe. This includes examining the memory segments of svchost.exe instances for executable code that doesn't map to a known, legitimate DLL on disk. A mismatch between the in-memory code and the on-disk binary is a strong indicator of injection. This technique is resource-intensive but is one of the few effective ways to uncover threats that are actively hiding from the operating system itself.
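The two memory anomalies this paragraph describes, executable code with no backing file on disk and image-backed code that no longer matches its on-disk binary, can be checked mechanically once a tool has produced a per-region map of the process. The Python below is an added example, not code from the article or from any EDR product: it applies those checks to a constructed snapshot of an svchost.exe instance. The protection and memory-type constants are the real winnt.h values; the `Region` and `Suspect` types, the snapshot and the section hashes are assumptions made for the example.

```python
"""
Heuristic hunt for injected code in a process memory map, as described in
the text above: executable regions that map to no file on disk, and
image-backed code whose in-memory bytes differ from the on-disk binary.

Operates on a constructed snapshot shaped like the per-region data that EDR
or memory-forensics tooling exposes for a process. The protection and type
constants are the real winnt.h values; the snapshot and hashes are made up.
"""
from dataclasses import dataclass
from typing import List, Optional

# winnt.h memory protection and type flags (real values).
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXEC_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
PAGE_READWRITE = 0x04
MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000


@dataclass
class Region:
    base: int
    size: int
    protect: int
    mem_type: int
    mapped_file: Optional[str] = None        # backing file for MEM_IMAGE / MEM_MAPPED
    text_hash_memory: Optional[str] = None   # hash of the code section as read from memory
    text_hash_disk: Optional[str] = None     # hash of the same section from the file on disk


@dataclass
class Suspect:
    base: int
    severity: str
    reason: str


def is_executable(protect: int) -> bool:
    return bool(protect & EXEC_MASK)


def hunt_injection(regions: List[Region]) -> List[Suspect]:
    suspects: List[Suspect] = []
    for r in regions:
        if not is_executable(r.protect):
            continue
        if r.mem_type == MEM_PRIVATE:
            # Executable memory that no file backs is the classic footprint of
            # shellcode written into the process; RWX makes it worse.
            severity = "high" if r.protect == PAGE_EXECUTE_READWRITE else "medium"
            suspects.append(Suspect(r.base, severity, "executable private region with no backing file"))
        elif r.mem_type == MEM_MAPPED:
            # A section mapped executable but not loaded through the image loader.
            suspects.append(Suspect(r.base, "medium", f"executable mapped region not loaded as an image: {r.mapped_file}"))
        elif r.mem_type == MEM_IMAGE and r.text_hash_memory and r.text_hash_disk:
            # Caveat: a real comparison must normalize relocations and import
            # patching first, or legitimate images will show as mismatched.
            if r.text_hash_memory != r.text_hash_disk:
                suspects.append(Suspect(r.base, "high", f"in-memory code of {r.mapped_file} differs from on-disk copy"))
    return suspects


# Constructed snapshot of an svchost.exe instance: legitimate image-backed
# code, a heap, a private RWX blob (injected shellcode), and a patched DLL.
SVCHOST_SNAPSHOT = [
    Region(0x7FF6_1A00_0000, 0x8000, PAGE_EXECUTE_READ, MEM_IMAGE,
           r"C:\Windows\System32\svchost.exe", "a1", "a1"),
    Region(0x7FF8_9B00_0000, 0x1F0000, PAGE_EXECUTE_READ, MEM_IMAGE,
           r"C:\Windows\System32\ntdll.dll", "b2", "b2"),
    Region(0x0000_01C0_0000, 0x10000, PAGE_READWRITE, MEM_PRIVATE),
    Region(0x0000_01D0_0000, 0x3000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE),
    Region(0x7FF8_9A00_0000, 0xC0000, PAGE_EXECUTE_READ, MEM_IMAGE,
           r"C:\Windows\System32\wininet.dll", "c3", "c3-patched"),
]

if __name__ == "__main__":
    for s in hunt_injection(SVCHOST_SNAPSHOT):
        print(f"{s.base:#018x} [{s.severity}] {s.reason}")
```

Because the rootkit hides files and processes from user-mode APIs, a region map taken from inside the compromised system may itself be incomplete; the same checks applied to an offline memory image acquired for forensics are more trustworthy, which is the resource-intensive path the paragraph refers to.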

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.