1. Forum
  2. tqwNet
  3. TQW GENTECH

  • Researchers identify new ToneShell backdoor targeting government

    From TechnologyDaily@1337:1/100 to All on Tue Dec 30 17:30:08 2025
    Researchers identify new ToneShell backdoor targeting government agencies

    Date:
    Tue, 30 Dec 2025 17:15:00 +0000

    Description:
    Chinese attackers are allegedly spying on their neighbors with sophisticated backdoors.

    FULL STORY ======================================================================Mustang Panda deployed upgraded ToneShell backdoors against Asian government organizations New variant uses signed mini-filter driver, enabling rootkit-like stealth and Defender tampering Kaspersky advises memory
    forensics and IoCs to detect infections in compromised systems

    Chinese state-sponsored threat actors, known as Mustang Panda, have been observed targeting government organizations of various Asian countries with
    an upgraded version of the ToneShell backdoor.

    This is according to cybersecurity researchers Kaspersky, who recently analyzed a malicious file driver they found on computers belonging to government organizations in Myanmar, Thailand, and others.

    The driver led to the discovery of ToneShell, a backdoor which grants attackers unabated access to compromised devices, through which they can upload and download files, create new documents, and more. Mini-filters and kernel-mode drivers

    The new variant came with improvements, Kaspersky added, including establishing a remote shell via a pipe, terminating shell, cancelling
    uploads, closing connections, creating temporary files for incoming data, and more.

    ToneShell is generally used for cyber-espionage campaigns. Victim computers were apparently also infected with other malware , as well, including PlugX, and the ToneDisk USB worm. The campaign likely started in February 2025, researchers speculate.

    But what makes this campaign really stand out is the use of a mini-filter driver that was signed with either a stolen, or leaked certificate.

    "This is the first time weve seen ToneShell delivered through a kernel-mode loader, giving it protection from user-mode monitoring and benefiting from
    the rootkit capabilities of the driver that hides its activity from security tools," Kaspersky said.

    Mini-filters are kernel-mode drivers that sit inside the Windows file system stack and intercept file system operations in real time. They let software see, block, modify, or log file activity before it reaches the disk, and are part of Microsofts File System Filter Manager framework.

    Among other things, they let the attackers tamper with Microsoft Defender, making sure it doesnt get loaded into the I/O stack.

    To defend against the new attacks, the researchers advise memory forensics as the number one way of spotting ToneShell infections. They also shared a list of indicators of compromise (IoC) which can be used to determine if a system was attacked or not.

    Via BleepingComputer

    Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the
    Follow button!

    And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.







    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/researchers-identify-new-toneshell-back door-targeting-government-agencies


    --- Mystic BBS v1.12 A49 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)