TZUTC: -0500
MSGID: 1900.consprcy@1:2320/105 2dba6fa9
PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
BBSID: CAPCITY2
CHRS: ASCII 1
FORMAT: flowed
Researchers identify new ToneShell backdoor targeting government agencies

Date:
Tue, 30 Dec 2025 17:15:00 +0000

Description:
Chinese attackers are allegedly spying on their neighbors with sophisticated
backdoors.

FULL STORY

Chinese state-sponsored threat actors, known as Mustang Panda, have been
observed targeting government organizations of various Asian countries with 
an upgraded version of the ToneShell backdoor. 

This is according to cybersecurity researchers Kaspersky, who recently
analyzed a malicious file driver they found on computers belonging to
government organizations in Myanmar, Thailand, and others. 

The driver led to the discovery of ToneShell, a backdoor which grants
attackers unabated access to compromised devices, through which they can
upload and download files, create new documents, and more.

Mini-filters and kernel-mode drivers

The new variant came with improvements, Kaspersky added, including
establishing a remote shell via a pipe, terminating shell, cancelling 
uploads, closing connections, creating temporary files for incoming data, and
more. 

ToneShell is generally used for cyber-espionage campaigns. Victim computers
were apparently also infected with other malware , as well, including PlugX,
and the ToneDisk USB worm. The campaign likely started in February 2025,
researchers speculate. 

But what makes this campaign really stand out is the use of a mini-filter
driver that was signed with either a stolen, or leaked certificate. 

"This is the first time weve seen ToneShell delivered through a kernel-mode
loader, giving it protection from user-mode monitoring and benefiting from 
the rootkit capabilities of the driver that hides its activity from security
tools," Kaspersky said. 

Mini-filters are kernel-mode drivers that sit inside the Windows file system
stack and intercept file system operations in real time. They let software
see, block, modify, or log file activity before it reaches the disk, and are
part of Microsofts File System Filter Manager framework. 

Among other things, they let the attackers tamper with Microsoft Defender,
making sure it doesnt get loaded into the I/O stack. 

To defend against the new attacks, the researchers advise memory forensics as
the number one way of spotting ToneShell infections. They also shared a list
of indicators of compromise (IoC) which can be used to determine if a system
was attacked or not. 

 Via BleepingComputer 

======================================================================
Link to news story:
https://www.techradar.com/pro/security/researchers-identify-new-toneshell-back
door-targeting-government-agencies

$$
--- SBBSecho 3.28-Linux
 * Origin: Capitol City Online (1:2320/105)
SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700
SEEN-BY: 226/30 227/114 229/110 134 206 300 307 317 400 426 428 470
SEEN-BY: 229/664 700 705 266/512 291/111 320/219 322/757 342/200 396/45
SEEN-BY: 460/58 633/280 712/848 902/26 2320/0 105 304 3634/12 5075/35
PATH: 2320/105 229/426