Mustang Panda has developed a new kernel-mode rootkit driver to deliver the TONESHELL backdoor targeting Asian government entities. This sophisticated malware uses advanced stealth techniques, including driver signing with stolen certificates and hooking into system processes. #MustangPanda #TONESHELL
Key points
- The malware leverages a signed kernel driver to inject a backdoor into system processes.
- TONESHELL has reverse shell and downloader capabilities, allowing command execution and malware deployment.
- The driver employs anti-detection techniques, such as monitoring file and registry activity and intercepting security drivers.
- The C2 infrastructure for TONESHELL was established in September 2024, with attacks beginning in early 2025.
- Memory forensics is critical for detecting TONESHELL, which executes entirely in memory to evade security tools.
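Because the summary hinges on a kernel driver that carries a valid signature from a stolen certificate, a defender's first host-side check is an inventory of running drivers together with their Authenticode status and signer. The following PowerShell function is an added example written for this page, not code from the article or from any tool it mentions; it assumes an elevated session on the Windows host under examination and uses only built-in cmdlets (Get-CimInstance, Get-AuthenticodeSignature). The trusted-signer patterns are an assumption to be tuned per environment.

```powershell
# Added example (not from the article): inventory running kernel drivers and flag
# any whose Authenticode signature is missing, invalid, or from an unexpected signer.
# Assumption: run in an elevated PowerShell session on the host being examined.

function Get-DriverSignatureReport {
    [CmdletBinding()]
    param(
        # Signer subject fragments treated as expected; everything else is flagged.
        # These defaults are an assumption; adjust them for your estate.
        [string[]]$TrustedSignerPatterns = @('Microsoft Windows', 'Microsoft Corporation')
    )

    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName may carry an NT-style prefix (\??\ or \SystemRoot\) or be
            # relative to the Windows directory; normalise to a Win32 path.
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            $path = $path -replace '^[Ss]ystem32\\', "$env:SystemRoot\System32\"

            if (-not (Test-Path -LiteralPath $path)) {
                # A running driver whose image is gone from disk is itself suspicious.
                [pscustomobject]@{
                    Name = $_.Name; Path = $path; Status = 'FileMissing'; Signer = $null; Flag = $true
                }
                return
            }

            $sig    = Get-AuthenticodeSignature -LiteralPath $path
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

            $trusted = $false
            foreach ($pattern in $TrustedSignerPatterns) {
                if ($signer -like "*$pattern*") { $trusted = $true }
            }

            [pscustomobject]@{
                Name   = $_.Name
                Path   = $path
                Status = $sig.Status
                Signer = $signer
                # A stolen certificate yields Status = Valid, so the signer name is
                # checked as well: a valid signature from an unexpected publisher
                # is flagged for review rather than accepted.
                Flag   = ($sig.Status -ne 'Valid') -or (-not $trusted)
            }
        }
}

# Show only the drivers that need a second look.
Get-DriverSignatureReport | Where-Object Flag | Sort-Object Name | Format-Table -AutoSize
```

The Status column alone is not enough: a driver signed with a stolen but unrevoked certificate reports Valid, which is exactly the case the article describes. Treat the Signer column as the primary triage field, compare flagged entries against a known-good baseline from a clean build, and remember that many legitimate third-party drivers are counter-signed through the Microsoft hardware compatibility program, so an unfamiliar signer warrants verification rather than automatic removal.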
Read More: https://thehackernews.com/2025/12/mustang-panda-uses-signed-kernel-driver.html