A new ToneShell backdoor variant, delivered via a kernel-mode loader, has been attributed to Mustang Panda, a Chinese cyberespionage group. The loader uses rootkit techniques to evade detection, and the campaign targets government organizations in Asia. #ToneShell #MustangPanda
Key points
- The new ToneShell backdoor is delivered through a kernel-mode loader with rootkit capabilities.
- Mustang Panda, also known as HoneyMyte or Bronze President, is associated with the campaign targeting Asian government agencies.
- The malware uses a stolen digital certificate from Guangzhou Kingteller Technology Co., Ltd. to sign its driver.
- The kernel-mode loader intercepts and blocks file-system operations and tampers with Microsoft Defender so that the infection stays hidden and persistent.
- Kaspersky highlights the importance of memory forensics to detect these stealthy infections and provides IoCs for mitigation.
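As a first-pass triage on a Windows host, the following is an added example (not code from the page or from Kaspersky's report) that checks the two things the key points name: a loaded kernel driver whose Authenticode signer matches the company named above, and the current state of Microsoft Defender. The watch string `Kingteller`, the function names and the output columns are assumptions made for this example; only the company name comes from the page.

```powershell
# Added triage example, not part of the original page or Kaspersky's report.
# Run from an elevated PowerShell session on the host being examined.

# ASSUMPTION: substring of the certificate subject to flag. The page names
# "Guangzhou Kingteller Technology Co., Ltd." as the owner of the stolen certificate.
$WatchSigner = 'Kingteller'

function Resolve-DriverPath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim('"')
    # Driver image paths may carry NT-style prefixes that Get-Item cannot open.
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    $p = $p -replace '^system32\\', ($env:SystemRoot + '\System32\')
    if (Test-Path -LiteralPath $p) { return $p }
    return $null
}

function Get-SuspiciousDrivers {
    param([string]$SignerPattern)
    foreach ($d in Get-CimInstance -ClassName Win32_SystemDriver) {
        $path = Resolve-DriverPath $d.PathName
        if (-not $path) {
            # Registered but unreadable image: a rootkit that blocks file-system
            # operations on its own file can look exactly like this.
            [pscustomobject]@{
                Name = $d.Name; State = $d.State; Path = $d.PathName
                Status = 'FileNotReadable'; Signer = $null; Reason = 'image missing or blocked'
            }
            continue
        }
        $sig     = Get-AuthenticodeSignature -LiteralPath $path
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $reasons = @()
        if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
        if ($SignerPattern -and $subject -like "*$SignerPattern*") { $reasons += 'signer matches watch list' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Name = $d.Name; State = $d.State; Path = $path
                Status = $sig.Status; Signer = $subject; Reason = ($reasons -join '; ')
            }
        }
    }
}

function Get-DefenderState {
    # Requires the Defender PowerShell module shipped with Windows 10/11 and Server.
    if (-not (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue)) {
        return [pscustomobject]@{ Available = $false }
    }
    $s = Get-MpComputerStatus
    $p = Get-MpPreference
    [pscustomobject]@{
        Available                 = $true
        AMServiceEnabled          = $s.AMServiceEnabled
        AntivirusEnabled          = $s.AntivirusEnabled
        RealTimeProtectionEnabled = $s.RealTimeProtectionEnabled
        BehaviorMonitorEnabled    = $s.BehaviorMonitorEnabled
        IsTamperProtected         = $s.IsTamperProtected
        DisableRealtimeMonitoring = $p.DisableRealtimeMonitoring
        ExclusionPaths            = ($p.ExclusionPath -join '; ')
        ExclusionProcesses        = ($p.ExclusionProcess -join '; ')
    }
}

Get-SuspiciousDrivers -SignerPattern $WatchSigner | Format-Table -AutoSize
Get-DefenderState | Format-List
```

Two caveats apply to anything this reports from a live host. A match on the signer's subject is a lead, not proof: a certificate issued to a real company also signs that company's legitimate software. More importantly, a kernel-mode rootkit that intercepts file-system operations sits underneath WMI and `Get-AuthenticodeSignature`, so it can hide its image or return a clean-looking file, and the Defender state shown above is whatever the kernel lets user mode see. That is why the report points to memory forensics rather than on-disk scanning for confirming these infections.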