    From Mike Powell@1:2320/105 to All on Wednesday, December 31, 2025 09:25:01
    Researchers identify new ToneShell backdoor targeting government agencies

    Date:
    Tue, 30 Dec 2025 17:15:00 +0000

    Description:
    Chinese attackers are allegedly spying on their neighbors with sophisticated backdoors.

    FULL STORY

    Chinese state-sponsored threat actors, known as Mustang Panda, have been observed targeting government organizations of various Asian countries with
    an upgraded version of the ToneShell backdoor.

    This is according to cybersecurity researchers at Kaspersky, who recently
    analyzed a malicious file driver they found on computers belonging to government organizations in Myanmar, Thailand, and others.

    The driver led to the discovery of ToneShell, a backdoor which grants
    attackers unabated access to compromised devices, through which they can
    upload and download files, create new documents, and more.

    Mini-filters and kernel-mode drivers

    The new variant came with improvements, Kaspersky added, including
    establishing a remote shell via a pipe, terminating shell, cancelling
    uploads, closing connections, creating temporary files for incoming data, and more.

    ToneShell is generally used for cyber-espionage campaigns. Victim computers were apparently also infected with other malware as well, including PlugX and the ToneDisk USB worm. The campaign likely started in February 2025, researchers speculate.

    But what makes this campaign really stand out is the use of a mini-filter driver that was signed with either a stolen or a leaked certificate.

    "This is the first time we've seen ToneShell delivered through a kernel-mode loader, giving it protection from user-mode monitoring and benefiting from
    the rootkit capabilities of the driver that hides its activity from security tools," Kaspersky said.

    Mini-filters are kernel-mode drivers that sit inside the Windows file system stack and intercept file system operations in real time. They let software
    see, block, modify, or log file activity before it reaches the disk, and are part of Microsoft's File System Filter Manager framework.

    Among other things, they let the attackers tamper with Microsoft Defender, making sure it doesn't get loaded into the I/O stack.
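    The article describes what a mini-filter is and that the attackers kept Defender out of the I/O stack, but not how a defender would look at that stack. The script below is an added example (not code from the article, TechRadar, or Kaspersky): it asks Filter Manager which mini-filters are actually attached, checks the Authenticode signer of each filter's driver binary, and confirms that Defender's own mini-filter (WdFilter) is present. It assumes an elevated PowerShell 5.1 or later session on Windows; `fltmc.exe`, the `Win32_SystemDriver` CIM class and `Get-AuthenticodeSignature` are all built in. The "non-Microsoft signer means suspicious" heuristic is an assumption for illustration and will also flag legitimate third-party filters, so treat its output as a triage list, not a verdict.

```powershell
# Added example (not from the article or Kaspersky). Triage of the Windows
# file-system filter stack from a defender's seat.
# Assumes an elevated session; fltmc denies access to non-administrators.

function Get-AttachedMinifilter {
    # Parse 'fltmc filters'. Data rows follow the line of dashes; columns are
    # whitespace separated: Filter Name, Num Instances, Altitude, Frame.
    $rows = @()
    $seenHeader = $false
    foreach ($line in (& fltmc.exe filters 2>$null)) {
        if (-not $seenHeader) {
            if ($line -match '^-{5,}') { $seenHeader = $true }
            continue
        }
        if ($line.Trim() -eq '') { continue }
        $parts = $line.Trim() -split '\s+'
        $rows += [pscustomobject]@{
            Name     = $parts[0]
            # Altitude is the second-to-last column; legacy filters may omit it.
            Altitude = if ($parts.Count -ge 3) { $parts[-2] } else { $null }
        }
    }
    return ,$rows
}

function Resolve-DriverPath([string]$PathName) {
    # Service PathName values come in several shapes; normalise to a filesystem path.
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''                   # strip \??\ prefix
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"    # \SystemRoot\... -> C:\Windows\...
    if ($p -notmatch '^[A-Za-z]:\\') {                         # relative, e.g. system32\drivers\x.sys
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

# Service records for file-system drivers give us the on-disk binary for each filter name.
$fsDrivers = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.ServiceType -eq 'File System Driver' }

$attached = @(Get-AttachedMinifilter)
if ($attached.Count -eq 0) {
    Write-Warning 'fltmc returned no filters. Run this from an elevated session.'
}

$report = foreach ($f in $attached) {
    $svc  = $fsDrivers | Where-Object { $_.Name -eq $f.Name } | Select-Object -First 1
    $path = Resolve-DriverPath $svc.PathName
    $sig  = if ($path -and (Test-Path $path)) { Get-AuthenticodeSignature -FilePath $path } else { $null }
    $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unknown>' }
    [pscustomobject]@{
        Filter     = $f.Name
        Altitude   = $f.Altitude
        Path       = $path
        SigStatus  = if ($sig) { $sig.Status } else { 'NotChecked' }
        Signer     = $signer
        # Heuristic (assumption): anything unsigned, invalidly signed, or not signed by
        # Microsoft goes to the top of the triage list. Legit third-party AV will appear here too.
        Suspicious = (-not $sig -or $sig.Status -ne 'Valid' -or $signer -notmatch 'Microsoft')
    }
}

$report | Sort-Object Suspicious -Descending | Format-Table -AutoSize

# The article notes the attackers keep Defender out of the I/O stack. On a host where
# Defender is the active AV, its mini-filter WdFilter should be attached; its absence
# from Filter Manager's list is worth an investigation on its own.
if ($attached.Name -notcontains 'WdFilter') {
    Write-Warning 'Defender mini-filter (WdFilter) is not attached to the filter stack.'
}
```

    Because a rootkit-capable driver can lie to user-mode tooling on the same host, a clean result here is weaker evidence than a dirty one; that is why the article's recommendation of memory forensics, taken from outside the running system, still stands as the primary check.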

    To defend against the new attacks, the researchers advise memory forensics as the number one way of spotting ToneShell infections. They also shared a list
    of indicators of compromise (IoC) which can be used to determine if a system was attacked or not.

    Via BleepingComputer

    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/researchers-identify-new-toneshell-backdoor-targeting-government-agencies

    $$
    --- SBBSecho 3.28-Linux
    * Origin: Capitol City Online (1:2320/105)