NEWS Broke into the soul (or rather, the kernel). Why your antivirus can't see the new Chinese spy

ExcalibuR

The trail leads to the Mustang Panda group, which has radically updated its cyber arsenal.

Cyber espionage involving the Chinese group HoneyMyte (also known as Mustang Panda and Bronze President) has reached a new level—experts have recorded the use of an enhanced version of the ToneShell malware, disguised using a kernel-mode rootkit. This technique enabled covert delivery of malicious code and complicated the detection of activity on infected devices.

According to data collected by Kaspersky Lab, the attacks targeted government institutions in Asian countries, including Myanmar and Thailand. Analysis of the malicious driver ProjectConfiguration.sys showed that the activity has been ongoing since at least February 2025. It was determined that the targeted systems had previously been infected with other malware linked to Chinese espionage campaigns—earlier versions of ToneShell, the ToneDisk worm, and the PlugX malware.

This time, the rootkit is a minifilter driver running in kernel mode. It is signed with a stolen or leaked certificate issued between 2012 and 2015 to a Chinese company from Guangzhou. A minifilter attaches to the Windows file system I/O stack and can intercept file system operations; the driver uses this to prevent its own deletion or renaming and to block attempts to access the registry keys associated with its service. It gains precedence over antivirus products by registering at a higher minifilter altitude than their filters, so it sees I/O requests before they do.

A variety of techniques are used to protect the malicious activity. For instance, the list of process IDs into which the malicious code is injected is protected: attempts to access them are rejected. The protection is lifted after the malicious components finish their work. Additionally, the driver interferes with Microsoft Defender, preventing the corresponding filtering module from loading into the file system stack.
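The two paragraphs above describe the rootkit's position in the minifilter stack (an altitude above the antivirus filters) and its interference with Microsoft Defender's filter. A quick way to check a host for both is to read the output of `fltmc filters`. The script below is an added example, not code from the article or from Kaspersky's report: it parses that output, flags any filter that is not on an allowlist and sits above the antivirus altitude range, and reports when WdFilter (Defender's minifilter) is absent. The altitude ranges come from Microsoft's documented load-order groups; the allowlist and the sample output, including the rogue entry's filter name and altitude, are constructed for illustration, since the article only names the driver file.

```python
"""Audit the minifilter stack reported by `fltmc filters`.

Added example (not from the article or Kaspersky's report): flags
minifilters that attach above the antivirus altitude range and are not on
an allowlist, and reports when Microsoft Defender's WdFilter is absent.
"""
import re

# Altitude ranges of Microsoft's documented load-order groups. A higher
# altitude attaches closer to user mode and sees I/O requests earlier.
AV_RANGE = (320000, 329999)                # FSFilter Anti-Virus
ACTIVITY_MONITOR_RANGE = (360000, 389999)  # FSFilter Activity Monitor
TOP_RANGE = (400000, 409999)               # FSFilter Top

# Assumption: an allowlist built from a known-clean reference build.
KNOWN_GOOD = {"WdFilter", "storqosflt", "wcifs", "FileInfo", "Wof",
              "bindflt", "luafv", "CldFlt", "FileCrypt"}

# One data row of `fltmc filters`: name, instances, altitude, frame.
FLTMC_ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+(?:\.\d+)?)\s+(\d+)$")

# Constructed sample output. The filter name and altitude of the rogue
# entry are invented for illustration; the article only names the driver
# file ProjectConfiguration.sys, not its registered filter name or altitude.
SAMPLE_OUTPUT = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
ProjectConfiguration                    3         385200         0
storqosflt                              0         244000         0
wcifs                                   0         189900         0
FileInfo                                4          40500         0
"""


def parse_fltmc(text):
    """Return one dict per filter row found in fltmc output."""
    filters = []
    for line in text.splitlines():
        m = FLTMC_ROW.match(line.strip())
        if m:
            name, instances, altitude, frame = m.groups()
            filters.append({"name": name, "instances": int(instances),
                            "altitude": float(altitude), "frame": int(frame)})
    return filters


def altitude_group(altitude):
    """Name the load-order group an altitude falls in (coarse, for triage)."""
    for label, (lo, hi) in (("Anti-Virus", AV_RANGE),
                            ("Activity Monitor", ACTIVITY_MONITOR_RANGE),
                            ("Top", TOP_RANGE)):
        if lo <= altitude <= hi:
            return label
    return "other"


def audit_filters(filters, defender_filter="WdFilter"):
    """Return (finding, filter_name, altitude) tuples worth a closer look."""
    findings = []
    names = {f["name"] for f in filters}
    # The article notes the rootkit stops Defender's filter from loading,
    # so its absence on a host that should run Defender is itself a signal.
    if defender_filter not in names:
        findings.append(("defender_filter_missing", defender_filter, None))
    for f in filters:
        if f["name"] in KNOWN_GOOD:
            continue
        if f["altitude"] > AV_RANGE[1]:
            # Unknown filter attached above every antivirus filter: it sees
            # and can veto file operations before the AV does.
            findings.append(("unknown_filter_above_av", f["name"], f["altitude"]))
        else:
            findings.append(("unknown_filter", f["name"], f["altitude"]))
    return findings


if __name__ == "__main__":
    for finding in audit_filters(parse_fltmc(SAMPLE_OUTPUT)):
        print(finding)
```

On a live host, feed the script the output of `fltmc filters` from an elevated prompt. Treat the result as a triage hint rather than proof: a kernel-mode component that already filters file and registry access can in principle tamper with what user-mode tools report, so an unexpected filter above the antivirus range or a missing WdFilter should be confirmed from a memory image or an offline boot.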

Of particular interest is how the malicious components are injected. The driver code contains two custom shellcodes, executed as separate threads injected into processes. To evade analysis, the malware does not load functions directly but instead gains access to them by enumerating loaded modules and matching hashes.

The updated version of ToneShell includes a number of modifications aimed at increasing stealth. It abandons the previous victim identification scheme using a GUID and switches to a short 4-byte identifier. Network traffic is now masked using fake TLS headers, complicating the interception and analysis of data transmission. Remote management functions have also been added: uploading and downloading files, remote shell via a pipe, command execution, and connection termination.
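The article says the updated ToneShell wraps its traffic in fake TLS headers but does not describe the framing. The added example below (not code from the article or the report) shows the kind of record-layer sanity check a network sensor can apply to the first client record of a flow: real TLS begins with a Handshake record carrying a ClientHello whose inner length agrees with the record length, whereas plaintext wrapped in a borrowed header tends to fail one of those checks. The sample flows are constructed, not captures, and the verdict labels are this example's own.

```python
"""Record-layer sanity checks for the first client record of a TCP flow.

Added example (not from the article or the report). The article says
ToneShell masks its traffic with fake TLS headers but does not describe
the framing, so these checks are generic: they test whether bytes that
claim to be TLS actually start with a well-formed ClientHello record.
"""
import struct

CONTENT_HANDSHAKE = 0x16
CONTENT_APP_DATA = 0x17
HS_CLIENT_HELLO = 0x01
# Legacy record versions seen on the wire for TLS 1.0 through 1.3.
VALID_VERSIONS = {0x0301, 0x0302, 0x0303, 0x0304}
# Upper bound on a TLS 1.2 ciphertext record (2^14 + 2048, RFC 5246 6.2.3).
MAX_RECORD_LEN = 2 ** 14 + 2048


def classify_first_record(data: bytes) -> str:
    """Label the first record of a client-to-server byte stream."""
    if len(data) < 5:
        return "truncated"
    ctype, version, rec_len = struct.unpack("!BHH", data[:5])
    if version not in VALID_VERSIONS:
        return "not_tls"
    if rec_len == 0 or rec_len > MAX_RECORD_LEN:
        return "bad_record_length"
    if ctype == CONTENT_APP_DATA:
        # Real TLS never sends application data before a handshake;
        # a plaintext protocol wrapped in a 0x17 header does exactly this.
        return "app_data_before_handshake"
    if ctype != CONTENT_HANDSHAKE:
        return "unexpected_content_type"
    if len(data) < 9:
        return "truncated"
    hs_type = data[5]
    hs_len = int.from_bytes(data[6:9], "big")
    if hs_type != HS_CLIENT_HELLO:
        return "handshake_not_clienthello"
    # A ClientHello that fits in one record has handshake length = record - 4.
    if hs_len != rec_len - 4:
        return "handshake_length_mismatch"
    return "plausible_clienthello"


def triage_flows(flows):
    """Map flow label -> verdict; anything but plausible_clienthello merits review."""
    return {label: classify_first_record(first_bytes)
            for label, first_bytes in flows.items()}


# Constructed sample flows (first bytes sent by the client); not captures.
SAMPLE_FLOWS = {
    # Minimal well-formed ClientHello record: an 8-byte record carrying a
    # 4-byte handshake body (body shortened for the example).
    "browser": b"\x16\x03\x01\x00\x08" + b"\x01\x00\x00\x04" + b"\x03\x03\xaa\xbb",
    # Plaintext wrapped in an application-data header with no handshake.
    "wrapped_plaintext": b"\x17\x03\x03\x00\x05" + b"hello",
    # Handshake header whose inner length disagrees with the record length.
    "bad_inner_length": b"\x16\x03\x03\x00\x08" + b"\x01\x00\x00\x10" + b"\x00" * 4,
    # Not TLS at all.
    "http": b"GET / HTTP/1.1\r\n",
}

if __name__ == "__main__":
    for label, verdict in triage_flows(SAMPLE_FLOWS).items():
        print(f"{label:18s} {verdict}")
```

Two caveats apply. A ClientHello may legitimately span more than one record, which this check would misreport as a length mismatch, so such hits deserve a second look rather than an automatic block. And an implant that completes a genuine handshake before sending its data passes this check entirely; pair it with the indicators published in the report rather than relying on framing alone.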

The Kaspersky Lab team emphasizes that this is the first recorded use of kernel mode for delivering ToneShell, which complicates detection and allows it to evade security solutions. The report's authors are confident that the Mustang Panda group is behind the attack. In their assessment, the attackers have significantly evolved their methods and tools, ensuring resilience and a high degree of stealth.

The report contains key indicators of compromise that can be used to detect and prevent intrusions related to this malicious activity.