The hacking group Mustang Panda has recently updated its cyber espionage toolkit with a sophisticated kernel-mode rootkit driver designed to protect its malware from detection. This driver, identified as ProjectConfiguration.sys, was discovered during an attack on an entity in Asia during the middle of 2025. It serves as a protective layer for a backdoor known as TONESHELL, which allows attackers to remotely control infected systems and download additional malicious payloads. Security researchers from Kaspersky noted that this campaign primarily targets government organizations in Southeast and East Asian countries, specifically Myanmar and Thailand.
To bypass modern security defenses, the malicious driver utilizes an expired digital certificate originally issued to a Chinese ATM manufacturer. By signing the driver with a legitimate, though likely stolen, certificate, the attackers increase the chances of the malware being trusted by the operating system. Once active, the driver registers itself as a minifilter, a specialized type of driver that can intercept and control file system operations. This allows the rootkit to hide its own files and prevent users or security tools from deleting, renaming, or modifying the registry keys associated with the infection.
One of the most advanced features of this rootkit is its ability to manipulate the loading order of system drivers. It assigns itself an altitude in the file system filter stack that is higher than the one used by standard antivirus software, so it intercepts file operations before security products like Microsoft Defender can even see them. Furthermore, the malware actively interferes with Microsoft Defender by resetting its driver altitude to zero, effectively neutralizing the antivirus and preventing it from loading into the filter stack where it would normally monitor for threats.
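A defender can catch both tampering patterns described above (a foreign filter placed above the anti-malware filter, and the anti-malware filter's altitude zeroed) by comparing a host's minifilter altitudes with a known-good baseline. The script below is an added illustration, not code from the article or from Kaspersky; the `fltmc filters` column layout, the baseline values, the sample output and the filter name `ProjectConfiguration` (derived from the driver file name) are all assumptions or constructed data.

```python
"""Audit Windows minifilter altitudes against a known-good baseline.

Parses text captured from `fltmc filters` on a host and flags a filter that
has been zeroed out of the stack, a filter whose altitude changed, and any
unknown filter sitting above the anti-malware filter (so it sees I/O first).
"""
from typing import Dict, List

# Constructed sample of what `fltmc filters` might print on a tampered host.
# Column layout (name, instance count, altitude, frame) is an assumption.
SAMPLE_FLTMC_OUTPUT = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
ProjectConfiguration                    5        385300         0
WdFilter                                5             0         0
luafv                                   1        135000         0
"""

# Constructed baseline, as recorded from a clean host of the same build.
BASELINE: Dict[str, int] = {"WdFilter": 328010, "luafv": 135000}
ANTI_MALWARE_FILTER = "WdFilter"  # Microsoft Defender's minifilter


def parse_fltmc(output: str) -> Dict[str, int]:
    """Return {filter_name: altitude}; a non-numeric altitude parses as -1."""
    filters: Dict[str, int] = {}
    for line in output.splitlines()[2:]:  # skip header and separator rows
        parts = line.split()
        if len(parts) < 4:
            continue
        name, altitude = parts[0], parts[2]
        filters[name] = int(altitude) if altitude.isdigit() else -1
    return filters


def audit(current: Dict[str, int], baseline: Dict[str, int]) -> List[str]:
    """Compare live altitudes with the baseline and return human-readable findings."""
    findings: List[str] = []
    av_alt = baseline.get(ANTI_MALWARE_FILTER)
    for name, alt in current.items():
        if alt <= 0:
            findings.append(f"{name}: altitude {alt}, filter effectively removed from stack")
        elif name in baseline and baseline[name] != alt:
            findings.append(f"{name}: altitude changed {baseline[name]} -> {alt}")
        elif name not in baseline:
            above = av_alt is not None and alt > av_alt
            findings.append(f"{name}: unknown filter at {alt}"
                            + (", above anti-malware filter" if above else ""))
    for name in baseline:
        if name not in current:
            findings.append(f"{name}: baseline filter missing")
    return findings
```

Altitude values live under each filter service's `Instances\<name>\Altitude` registry key as well, so the same baseline comparison can be run over exported registry data when `fltmc` output is unavailable.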
The ultimate goal of this deployment is the execution of the TONESHELL implant. This backdoor has been part of the Mustang Panda arsenal since late 2022 and provides the group with reverse shell capabilities, enabling them to execute commands on the victim’s machine. Recent observations show that the group has also used USB-based worms to spread their infections, suggesting a diverse range of delivery methods. While the infrastructure for this specific campaign was set up in late 2024, active operations appeared to begin in early 2025, likely utilizing previously compromised machines to distribute the rootkit.
This development highlights the evolving technical proficiency of state-sponsored threat actors in bypassing modern operating system protections. By moving their operations into kernel mode, Mustang Panda can maintain a persistent presence on high-value networks while remaining invisible to standard endpoint protection tools. Using the rootkit to shield user-mode processes means that even if the TONESHELL backdoor is detected in memory, the system may still be unable to terminate or remove the threat because of the protections enforced by the malicious driver.
Source: Mustang Panda Uses Signed Kernel Mode Rootkit To Load Toneshell Backdoor