Mustang Panda Deploys Signed Kernel-Mode Rootkit to Deliver New TONESHELL Backdoor
In mid-2025, security researchers uncovered a sophisticated cyber espionage operation attributed to the Chinese threat actor known as Mustang Panda. The group used a previously undocumented signed kernel-mode rootkit driver to stealthily deploy a new variant of its TONESHELL backdoor against an organization in Asia. This incident highlights the growing risks posed by advanced persistent threats (APTs) that abuse trusted components in modern operating systems.
For business leaders and technical teams, this campaign is a reminder that traditional endpoint protections are no longer enough. Attackers are increasingly moving deeper into the operating system to evade detection, requiring organizations to rethink how they monitor, secure, and respond to threats at the kernel level.
Key Takeaways
- Mustang Panda is using a signed kernel-mode rootkit driver to bypass traditional security controls and deploy a new TONESHELL backdoor variant.
- The campaign demonstrates how attackers exploit legitimate signing mechanisms to gain trust and persistence in Windows environments.
- A single organization in Asia was the target in this case, but the techniques used can be repurposed globally against governments, enterprises, and NGOs.
- Defenses must extend beyond basic antivirus to include kernel-level monitoring, strict driver policies, and advanced threat detection capabilities.
Who Is Mustang Panda?
Mustang Panda, also known as RedDelta or TA416, is a China-linked advanced persistent threat (APT) group with a long track record of cyber espionage. The group frequently targets government agencies, diplomatic organizations, think tanks, and NGOs across Asia, Europe, and other regions.
Their operations typically rely on:
- Spear-phishing emails with weaponized attachments or links
- Custom malware families designed for long-term espionage
- Modular backdoors that can be updated and extended over time
What makes this latest campaign notable is Mustang Panda’s move into the kernel space, indicating an escalation in their technical sophistication and their willingness to bypass security baselines that many organizations consider sufficient.
What Happened in the 2025 Campaign?
Discovery of a New Rootkit Driver
Security researchers observed a mid-2025 attack targeting an unspecified organization in Asia. During analysis, they identified a previously undocumented kernel-mode driver operating as a rootkit. This driver was digitally signed, allowing it to appear legitimate to Windows and many endpoint security solutions.
Because the driver operated in kernel mode, it had high privileges and could:
- Hide malicious processes or files
- Intercept and manipulate system calls
- Assist in silently loading other malware components
By moving into the kernel layer, attackers gain powerful tools to evade detection, manipulate the operating system, and persist even through security product updates or reconfigurations.
Delivery of the TONESHELL Backdoor
The rootkit’s primary purpose in this campaign was to load a new variant of the TONESHELL backdoor. TONESHELL is a modular remote access tool that gives attackers ongoing control of a compromised machine.
Once deployed, the new TONESHELL variant can typically:
- Communicate with a remote command-and-control (C2) server
- Execute commands issued by the attacker
- Download and run additional payloads
- Exfiltrate sensitive data from the target environment
Why a Signed Kernel-Mode Rootkit Is So Dangerous
Abuse of Trust in Digital Signatures
Modern versions of Windows enforce stricter rules for kernel-mode drivers. In many environments, only digitally signed drivers are allowed to load, and this is often seen as a strong security measure.
However, attackers increasingly:
- Obtain valid code-signing certificates (legitimately or via compromise)
- Abuse stolen certificates from legitimate vendors
- Exploit weaknesses in the driver signing or validation process
A driver that appears validly signed can slip past both the operating system’s protections and some endpoint security solutions, especially if their focus is on user-mode malware.
Stealth and Persistence at the Kernel Layer
Kernel-mode rootkits are difficult to detect because they operate at the same privilege level as the operating system itself. They can:
- Conceal processes, files, and registry keys from security tools
- Alter logs or monitoring data to hide malicious activity
- Maintain long-term persistence, even as user-mode malware components are updated or replaced
For businesses, this means that a successful kernel-level compromise can remain undetected for extended periods, enabling sustained data theft and surveillance.
Understanding the TONESHELL Backdoor
Capabilities of the New Variant
The TONESHELL backdoor observed in this campaign appears to be an evolution of Mustang Panda’s existing toolset. While exact implementation details can vary, common features include:
- Command execution: Running arbitrary commands on the infected host
- File operations: Uploading and downloading files, modifying directories
- Configuration updates: Changing C2 servers or communication parameters
- Data exfiltration: Stealthily transmitting collected information
By using the rootkit to deploy and protect TONESHELL, Mustang Panda significantly reduces the chance that the backdoor will be removed or even noticed, particularly in environments with limited security monitoring.
Potential Impact on Target Organizations
For the unnamed Asian entity targeted in this attack, a successful TONESHELL deployment could mean:
- Exposure of confidential documents and communications
- Long-term surveillance of internal systems and users
- Compromise of strategic plans, negotiations, or intellectual property
- Use of their infrastructure as a springboard for further attacks
These risks extend beyond the initial victim. Partners, suppliers, and customers can all be impacted if compromised systems are used as part of a larger espionage or intrusion campaign.
Lessons for Businesses and Technical Teams
Move Beyond Traditional Endpoint Security
Conventional antivirus and endpoint security products are primarily designed to detect user-mode threats. While still necessary, they are no longer sufficient on their own against APT groups that leverage signed drivers and kernel-level rootkits.
Organizations should consider:
- Endpoint Detection and Response (EDR) tools that monitor behavior, not just signatures
- Kernel-level telemetry and logging to detect anomalous driver behavior
- Strict policies for loading third-party drivers and enforcing allowlists where possible
Harden Driver and Certificate Management
IT and security teams must pay closer attention to how drivers and certificates are managed within the organization. Key practices include:
- Regularly auditing installed drivers to identify unknown or suspicious entries
- Disabling or limiting legacy features that allow unsigned or less strictly validated drivers
- Monitoring certificate use, especially in build pipelines and software signing processes
By treating driver integrity as a core security concern, businesses can reduce the attack surface exploited by campaigns like this one.
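One way to put the driver-audit and allowlist recommendations above (kernel-level telemetry, strict loading policies, and regular review of installed drivers) into practice is to run driver-load telemetry through a small policy check. The Python below is an added example written for this article, not code from the researchers, the threat actor, or any vendor. The records are constructed to resemble the fields of Sysmon Event ID 6 (DriverLoad: ImageLoaded, Hashes, Signed, Signature, SignatureStatus); the approved signers, directory pattern and hashes are assumed policy values, and none of the paths or digests are indicators from this campaign. The point it makes is the one the article makes: a valid signature alone does not clear a driver, so a signed driver is still flagged when its signer, load path or hash is not on the allowlist.

```python
"""Triage constructed Sysmon-style DriverLoad (Event ID 6) records against an
organisational driver allowlist.  Example code added to this article; every
record, hash and path below is constructed for illustration."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Signers the organisation expects on kernel drivers (assumed policy, not a
# complete or authoritative list).
APPROVED_SIGNERS = {
    "Microsoft Windows",
    "Microsoft Windows Hardware Compatibility Publisher",
}
# Directory from which drivers are normally loaded (assumed policy).
APPROVED_DIR_PATTERN = re.compile(r"^c:\\windows\\system32\\drivers\\", re.IGNORECASE)
# SHA256 of a vetted driver build; constructed placeholder, not a real hash.
KNOWN_GOOD_SHA256 = "A1" * 32
APPROVED_HASHES = {KNOWN_GOOD_SHA256}

# Constructed telemetry lines in a 'Key: value | Key: value' rendering.
SAMPLE_EVENTS = [
    "UtcTime: 2025-06-12 08:15:03 | ImageLoaded: C:\\Windows\\System32\\drivers\\ndis.sys | "
    f"Hashes: SHA256={KNOWN_GOOD_SHA256},MD5={'0' * 32} | Signed: true | "
    "Signature: Microsoft Windows | SignatureStatus: Valid",
    # Validly signed by an unexpected publisher and loaded from a user-writable path.
    "UtcTime: 2025-06-12 08:17:44 | ImageLoaded: C:\\Users\\Public\\Libraries\\svchost_drv.sys | "
    f"Hashes: SHA256={'B2' * 32},MD5={'1' * 32} | Signed: true | "
    "Signature: Example Third-Party Vendor Ltd | SignatureStatus: Valid",
    # Unsigned driver in the normal directory.
    "UtcTime: 2025-06-12 08:18:10 | ImageLoaded: C:\\Windows\\System32\\drivers\\helper.sys | "
    f"Hashes: SHA256={'C3' * 32},MD5={'2' * 32} | Signed: false | "
    "Signature: | SignatureStatus: Unavailable",
]


@dataclass
class Finding:
    image: str
    reasons: List[str]


def parse_record(line: str) -> Dict[str, str]:
    """Split a 'Key: value | Key: value' line into a dict (first colon only,
    so drive letters and timestamps inside values survive)."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def sha256_of(hashes_field: str) -> Optional[str]:
    """Sysmon renders Hashes as 'ALGO=hex,ALGO=hex'; return the SHA256 digest."""
    for item in hashes_field.split(","):
        algo, _, digest = item.partition("=")
        if algo.strip().upper() == "SHA256":
            return digest.strip().upper()
    return None


def assess(record: Dict[str, str]) -> List[str]:
    """Return the policy violations for one driver-load record (empty = clean).
    Signature validity is only one of several checks on purpose."""
    reasons = []
    image = record.get("ImageLoaded", "")
    if record.get("Signed", "").lower() != "true":
        reasons.append("driver is not signed")
    elif record.get("SignatureStatus") != "Valid":
        reasons.append(f"signature status is {record.get('SignatureStatus')!r}")
    signer = record.get("Signature", "")
    if signer not in APPROVED_SIGNERS:
        reasons.append(f"unexpected signer {signer!r}")
    if not APPROVED_DIR_PATTERN.match(image):
        reasons.append("loaded from outside the drivers directory")
    if sha256_of(record.get("Hashes", "")) not in APPROVED_HASHES:
        reasons.append("hash not on driver allowlist")
    return reasons


def triage(lines: List[str]) -> List[Finding]:
    """Run every record through the policy and keep only those with findings."""
    findings = []
    for line in lines:
        record = parse_record(line)
        reasons = assess(record)
        if reasons:
            findings.append(Finding(record.get("ImageLoaded", "?"), reasons))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding.image)
        for reason in finding.reasons:
            print("  -", reason)
```

In a real deployment the records would come from the SIEM or directly from Sysmon's XML rather than the constructed text format here, and the allowlist would be generated from a vetted driver inventory. The design choice worth keeping is that a driver with a valid signature from a publisher the organisation has never approved is treated as a finding to triage, not as trusted by default.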
Practical Steps to Mitigate Similar Threats
For Security Teams and Developers
Technical teams can implement several measures to reduce the risk and impact of advanced rootkit-based attacks:
- Implement the principle of least privilege: Limit administrative rights so that installing drivers requires deliberate approval and logging.
- Use secure build and signing pipelines: Protect signing keys, enforce multi-factor authentication, and monitor for unusual signing activity.
- Instrument logging and SIEM: Ingest detailed endpoint, driver, and kernel event logs into a centralized system for correlation and analysis.
- Test detection capabilities: Use red teaming or adversary emulation to evaluate whether your environment can detect and respond to driver misuse.
For Business Leaders
Executives and decision-makers should view this type of threat as a strategic risk, not a purely technical issue. Recommended actions include:
- Ensuring cybersecurity investments cover advanced detection and response, not just basic antivirus
- Including supply chain and partner security in risk assessments
- Supporting incident response planning that assumes potential kernel-level compromises
By aligning security priorities with the evolving threat landscape, organizations can better protect sensitive assets from state-linked actors and other advanced adversaries.
Conclusion
The discovery of Mustang Panda’s use of a signed kernel-mode rootkit driver to deliver a new TONESHELL backdoor variant underscores how rapidly attacker tactics are evolving. By operating at the kernel level and abusing trusted signing mechanisms, threat actors can bypass many of the controls that organizations rely on for protection.
For businesses, government agencies, and NGOs, this incident serves as a call to strengthen defenses at every layer of the stack—from driver policies and certificate management to advanced monitoring and incident response. As attackers continue to refine their techniques, organizations must respond with equally mature and proactive security strategies.