Chinese APT Mustang Panda Uses Signed Rootkit to Load TONESHELL Backdoor
- Dec 30, 2025
Key Findings
- Mustang Panda (aka HoneyMyte, Camaro Dragon, RedDelta, Bronze President) used a signed kernel-mode rootkit driver to deploy its ToneShell backdoor in attacks targeting government entities in Southeast and East Asia, especially Myanmar and Thailand.
- The driver file, named "ProjectConfiguration.sys", is signed with a stolen or leaked digital certificate from Guangzhou Kingteller Technology Co., Ltd. (serial number 08 01 CC 11 EB 4D 1D 33 1E 3D 54 0C 55 A4 9F 7F).
- The malicious driver installs itself as a kernel mini-filter to protect the malicious components and inject the ToneShell backdoor into system processes.
- The driver uses techniques like dynamic API resolution and altitude tampering to hide its behavior and bypass security products like Microsoft Defender.
- The final payload, ToneShell, is a new variant of the backdoor linked exclusively to Mustang Panda. It enables remote access and command execution on compromised systems.
- This is the first time ToneShell has been observed delivered through a kernel-mode loader, providing a high level of protection from detection.
Background
Mustang Panda, also known as HoneyMyte, Camaro Dragon, RedDelta, or Bronze President, is a China-linked APT group that has been active since at least 2012. The group has targeted a wide range of entities, including government organizations, think tanks, NGOs, and even Catholic organizations in the Vatican.
In mid-2025, Kaspersky researchers discovered the malicious kernel driver on systems in Asia. The driver is signed with a stolen or leaked digital certificate from Guangzhou Kingteller Technology Co., Ltd., which was valid from August 2012 until 2015. Kaspersky believes other threat actors may have also used the same certificate to sign their malicious tools.
Malicious Kernel Driver
The driver file, named "ProjectConfiguration.sys", installs itself as a kernel mini-filter and contains two user-mode shellcodes that execute in separate threads. It uses techniques like dynamic API resolution and altitude tampering to hide its behavior and bypass security products.
The driver protects itself by blocking file deletion or renaming attempts and by safeguarding specific registry keys through registered callbacks, returning access-denied errors to the caller. It deliberately registers at a high filter altitude, so it sees file-system operations before antivirus mini-filters lower in the stack do, and it even disables Microsoft Defender's WdFilter.
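A defender-side check for the altitude trick described above, added here as an example and not taken from Kaspersky or the linked reports: it parses the text output of `fltmc filters` and flags any mini-filter attached above Microsoft Defender's WdFilter, as well as WdFilter being absent altogether. The sample output, the suspicious filter's name and altitude, and the allowlist of expected high-altitude filters are constructed assumptions.

```python
"""Audit loaded mini-filters for anything sitting above the AV layer."""
import re
from dataclasses import dataclass
from typing import List

# Microsoft reserves 320000-329999 for anti-virus mini-filters; a filter
# with a numerically higher altitude attaches earlier in the I/O path.
ANTIVIRUS_RANGE = (320000.0, 329999.0)
# Filters a baseline host legitimately runs above the AV range
# (assumption: tune this allowlist to your own fleet's baseline).
KNOWN_HIGH_ALTITUDE = {"bindflt"}

# Constructed sample of `fltmc filters` output; "ProjectConfiguration" and
# its altitude are placeholders, the report does not give the real values.
SAMPLE_FLTMC = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
bindflt                                 1       409800         0
ProjectConfiguration                    3       389950         0
WdFilter                                4       328010         0
storqosflt                              0       244000         0
FileInfo                                4        40500         0
"""

@dataclass
class MiniFilter:
    name: str
    instances: int
    altitude: float
    frame: int

# One data row: name, instance count, altitude (may carry decimals), frame.
ROW = re.compile(r"^(\S+)\s+(\d+)\s+([\d.]+)\s+(\d+)$")

def parse_fltmc(text: str) -> List[MiniFilter]:
    """Parse fltmc rows; the header and dashed separator do not match ROW."""
    rows = (ROW.match(line.strip()) for line in text.splitlines())
    return [MiniFilter(m[1], int(m[2]), float(m[3]), int(m[4])) for m in rows if m]

def audit(filters: List[MiniFilter], allowlist=KNOWN_HIGH_ALTITUDE) -> List[str]:
    """Return findings: WdFilter missing, or unexpected filters above it."""
    findings = []
    wd = next((f for f in filters if f.name.lower() == "wdfilter"), None)
    if wd is None:
        findings.append("WdFilter not loaded: Defender's mini-filter is missing")
        reference = ANTIVIRUS_RANGE[1]   # fall back to the top of the AV range
    else:
        reference = wd.altitude
    for f in filters:
        if f.altitude > reference and f.name not in allowlist:
            findings.append(f"{f.name} at altitude {f.altitude:g} attaches above "
                            f"the AV layer ({reference:g})")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_fltmc(SAMPLE_FLTMC)):
        print(finding)
```

On a live host, feed the script the output of `fltmc filters` run from an elevated prompt; a filter you did not expect above WdFilter is worth pulling the driver binary and its signer for review.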
ToneShell Backdoor Deployment
The final payload deployed by the malicious driver is a new variant of the ToneShell backdoor, which enables remote access and command execution on infected systems. Unlike earlier variants that used GUIDs, this version creates or validates a host ID via a marker file.
ToneShell communicates with C2 servers over raw TCP on port 443, masking traffic with fake TLS 1.3 headers and encrypted payloads. It supports file transfer, remote shell access, session control, and command execution, giving the attackers full remote control of the compromised systems.
Conclusion
Kaspersky researchers assess with high confidence that the activity described in this report is linked to the HoneyMyte threat actor, based on the use of the ToneShell backdoor and the presence of additional tools long associated with the group, such as PlugX and the ToneDisk USB worm.
The use of a signed kernel-mode rootkit driver to deploy the ToneShell backdoor represents a new and sophisticated approach by Mustang Panda, providing a high level of protection from detection and enabling the group to maintain persistence on compromised systems.
Sources
https://securityaffairs.com/186318/security/mustang-panda-deploys-toneshell-via-signed-kernel-mode-rootkit-driver.html
https://hackread.com/honeymyte-mustang-panda-toneshell-backdoor/
https://thehackernews.com/2025/12/mustang-panda-uses-signed-kernel-driver.html
https://www.securityweek.com/chinese-apt-mustang-panda-caught-using-kernel-mode-rootkit/amp/