Executive Summary
In mid-2025, the Chinese cyber espionage group Mustang Panda deployed a previously undocumented, signed kernel-mode rootkit to secretly load a TONESHELL backdoor variant during targeted attacks against government organizations in Southeast and East Asia—mainly Myanmar and Thailand. Leveraging a stolen legacy digital certificate, the attackers installed a Windows minifilter driver to inject TONESHELL into system processes, evade security controls, and shield their malware and associated files from detection. The backdoor enabled ongoing remote control, data exfiltration, and further malware deployments via encrypted channels, establishing persistent clandestine access.
This incident is notable for its innovative use of signed kernel drivers to enhance stealth, resilience, and anti-forensic measures. It reflects a broader trend among sophisticated threat actors who increasingly leverage advanced rootkit technology and certificate abuse to bypass endpoint protections and remain undetected for extended periods.
Why This Matters Now
The use of signed, kernel-level malware marks an urgent escalation in attacker capabilities, circumventing traditional security mechanisms and posing severe cyber risk to government networks and enterprises. This raises critical concerns about supply chain vulnerabilities, certificate hygiene, and the need for advanced memory forensics and zero trust controls to detect and stop these stealthy campaigns.
Attack Path Analysis
The Mustang Panda threat group likely gained initial access by leveraging previously compromised machines or supply chain weaknesses to deploy a malicious, signed kernel-mode rootkit. Once inside, the attackers escalated privileges via the rootkit driver, gaining deep system-level access and subverting native security controls. The attackers then protected and persisted their malicious payloads and processes, using this foothold to move laterally to additional hosts within the environment. The TONESHELL backdoor established encrypted command and control channels to attacker-operated infrastructure, receiving and executing remote commands. This foothold enabled the exfiltration of files and data over covert, encrypted channels. Impact was limited to espionage-driven objectives: maintaining persistence and stealth, and facilitating further access to sensitive information.
Kill Chain Progression
Initial Compromise
Description
Attackers gained an initial foothold, likely leveraging prior access or supply chain compromise to introduce a signed malicious kernel-mode driver onto the target system.
Related CVEs
CVE-2025-XXXX
CVSS: 9
A kernel-mode rootkit driver signed with a stolen certificate allows attackers to inject the TONESHELL backdoor into system processes, enabling remote code execution and evasion of security tools.
Affected Products:
Microsoft Windows – All supported versions
Exploit Status:
Exploited in the wild
MITRE ATT&CK® Techniques
Create or Modify System Process: Windows Service
Exploitation for Privilege Escalation
Impair Defenses: Indicator Removal on Host
Kernel Modules and Extensions
Obfuscated Files or Information
Process Injection: Portable Executable Injection
Ingress Tool Transfer
Command and Scripting Interpreter: Windows Command Shell
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Monitor and Analyze Security Events
Control ID: 10.2.5
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 9(2)
CISA Zero Trust Maturity Model 2.0 – Device Security and Hardening
Control ID: Device Pillar – Continuous Monitoring & Hardening
NIS2 Directive – Incident Handling Procedures
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Mustang Panda's kernel-mode rootkit targeting Southeast Asian governments creates critical espionage risks requiring enhanced zero trust segmentation and threat detection capabilities.
Financial Services
Digital certificate theft from ATM provider and sophisticated kernel-level attacks threaten financial infrastructure, demanding encrypted traffic protection and anomaly response systems.
Computer/Network Security
TONESHELL's ability to disable Microsoft Defender and bypass security tools exposes cybersecurity vendors to advanced persistent threats requiring multicloud visibility controls.
Defense/Space
Chinese APT group's kernel-mode injection techniques and Asia-Pacific targeting pose national security risks necessitating comprehensive egress security and threat intelligence integration.
Sources
- Mustang Panda Uses Signed Kernel-Mode Rootkit to Load TONESHELL Backdoor: https://thehackernews.com/2025/12/mustang-panda-uses-signed-kernel-driver.html
- Chinese APT Mustang Panda Caught Using Kernel-Mode Rootkit: https://www.securityweek.com/chinese-apt-mustang-panda-caught-using-kernel-mode-rootkit/
- Mustang Panda deploys ToneShell via signed kernel-mode rootkit driver: https://securityaffairs.com/186318/security/mustang-panda-deploys-toneshell-via-signed-kernel-mode-rootkit-driver.html
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, strict egress controls, inline threat detection, and east-west traffic security would have constrained attacker movement, detected rootkit injections, and prevented exfiltration, severely limiting Mustang Panda’s ability to persist and operate covertly.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Real-time inspection would have detected and flagged unauthorized driver deployment.
Control: Zero Trust Segmentation
Mitigation: Limits escalation scope by isolating workloads and enforcing least-privilege boundaries.
Control: East-West Traffic Security
Mitigation: Detects and blocks unauthorized lateral movements between workloads or hosts.
Control: Egress Security & Policy Enforcement
Mitigation: Blocks and alerts on unauthorized outbound C2 connections and suspicious traffic patterns.
Control: Encrypted Traffic (HPE)
Mitigation: Ensures only sanctioned encrypted communications occur and enables visibility into data flows.
Enables rapid detection of persistence mechanisms, anomalous user-mode threads, and rootkit artifacts.
Impact at a Glance
Affected Business Functions
- Government Operations
- National Security
- Confidential Communications
Estimated downtime: 7 days
Estimated loss: $5,000,000
Potential exposure of sensitive government documents, classified information, and confidential communications due to the TONESHELL backdoor's capabilities.
Recommended Actions
Key Takeaways & Next Steps
- Deploy Zero Trust Segmentation to restrict workload access and contain rootkit deployments.
- Enforce robust east-west traffic controls and anomaly detection to reveal covert lateral movement.
- Implement strict egress policy enforcement and FQDN filtering to block C2 and exfiltration channels.
- Monitor for unauthorized driver installations and privilege escalation attempts with continuous runtime security fabric.
- Integrate workload and cloud-centric threat intelligence to rapidly detect advanced, stealthy persistence like kernel rootkits.
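As an added example of the driver-installation monitoring recommended above (this script is not part of the original report and is not code from any vendor or product it names), the following Python reviews Sysmon Event ID 6 (DriverLoad) records and surfaces drivers that deserve analyst attention. The log lines, paths, signer names, hash values and signer allowlist are all constructed for the example. The point it demonstrates for this incident: a driver signed with a stolen but still-unrevoked legacy certificate passes the signature-validity check, so the review also compares the signer against an allowlist built from the fleet's known drivers and checks the load path against the expected drivers directory.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Signers this (hypothetical) environment accepts for kernel drivers. A driver
# signed with a stolen but unrevoked certificate still carries a valid
# signature, so the signer allowlist, not the validity flag, is what surfaces it.
TRUSTED_SIGNERS = {
    "Microsoft Windows",
    "Microsoft Windows Hardware Compatibility Publisher",
}

# Expected on-disk location for kernel drivers (compared case-insensitively).
EXPECTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# Constructed Sysmon records rendered as one-line key=value pairs. The paths,
# signer names and hash values are placeholders for this example only.
SAMPLE_EVENTS = [
    r"EventID=6 ImageLoaded=C:\Windows\System32\drivers\fltmgr.sys "
    r"Hashes=SHA256=CONSTRUCTED_HASH_A Signed=true "
    r"Signature=Microsoft Windows SignatureStatus=Valid",
    # Valid signature, but from a vendor certificate the fleet does not use.
    r"EventID=6 ImageLoaded=C:\Windows\System32\drivers\example_filter.sys "
    r"Hashes=SHA256=CONSTRUCTED_HASH_B Signed=true "
    r"Signature=Example Legacy Vendor Co SignatureStatus=Valid",
    # Revoked certificate, unexpected path, unknown signer: three findings.
    r"EventID=6 ImageLoaded=C:\Users\Public\tmpdrv.sys "
    r"Hashes=SHA256=CONSTRUCTED_HASH_C Signed=true "
    r"Signature=Example Legacy Vendor Co SignatureStatus=Revoked",
    # A process-creation event, ignored by the driver review.
    r"EventID=1 Image=C:\Windows\System32\notepad.exe",
]

# key=value pairs; a value runs until the next " Key=" or end of line, so
# values may contain spaces (signer names) and '=' (the Hashes field).
_KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line: str) -> dict:
    """Parse a one-line key=value rendering of a Sysmon event into a dict."""
    return {key: value.strip() for key, value in _KV_RE.findall(line)}


@dataclass
class Finding:
    image: str
    signer: str
    reasons: List[str]


def review_driver_load(event: dict) -> Optional[Finding]:
    """Apply the three checks to one Event ID 6 record; None means no concern."""
    image = event.get("ImageLoaded", "")
    signer = event.get("Signature", "")
    reasons = []
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("signature missing, invalid, expired or revoked")
    if signer not in TRUSTED_SIGNERS:
        reasons.append(f"signer not on the allowlist: {signer or '<none>'}")
    if not image.lower().startswith(EXPECTED_DRIVER_DIR):
        reasons.append(f"loaded from outside the drivers directory: {image}")
    return Finding(image, signer, reasons) if reasons else None


def triage(lines) -> List[Finding]:
    """Return a Finding for every DriverLoad record that fails any check."""
    findings = []
    for line in lines:
        event = parse_event(line)
        if event.get("EventID") != "6":
            continue
        finding = review_driver_load(event)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.image} (signer: {f.signer or '<none>'})")
        for reason in f.reasons:
            print(f"  - {reason}")
```

On real data, export the Microsoft-Windows-Sysmon/Operational channel and render each event's fields as key=value pairs before feeding them to `triage`. The allowlist should come from an inventory of drivers and signers observed on a clean baseline rather than from a static list; a single newly seen signer on one host is exactly the signal this incident would have produced.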