Mustang Panda Deploys Undocumented Kernel-Mode Rootkit in Targeted Cyber Espionage Campaign
In mid-2025, the Chinese state-linked hacking group Mustang Panda deployed a previously undocumented kernel-mode rootkit driver to distribute a new variant of the TONESHELL backdoor, targeting an entity in Asia. The discovery, detailed by Kaspersky’s cybersecurity researchers, reveals a significant escalation in the group’s cyber espionage capabilities.
The attack leveraged the kernel-mode rootkit to establish deep system persistence, operating at a privileged level that evades standard detection methods. By embedding itself within the system’s kernel, the rootkit effectively concealed the TONESHELL backdoor, which enabled remote access, arbitrary command execution, and the exfiltration of sensitive data—all while minimizing early detection risks.
Kaspersky’s analysis underscores the sophistication of Mustang Panda’s tactics, particularly the rootkit’s ability to obfuscate malicious activity and complicate defensive responses. The TONESHELL variant further amplifies the threat by providing attackers with a stealthy communication channel for sustained infiltration.
This campaign highlights the growing challenge of kernel-level threats, as adversaries increasingly exploit low-level system access to bypass traditional security measures. The incident serves as a critical case study in the evolution of advanced persistent threats (APTs), emphasizing the need for enhanced detection and mitigation strategies at the kernel layer.