Researchers identify new ToneShell backdoor targeting government agencies
techradar.com
- Mustang Panda deployed upgraded ToneShell backdoors against Asian government organizations
- New variant uses signed mini-filter driver, enabling rootkit-like stealth and Defender tampering
- Kaspersky advises memory forensics and IoCs to detect infections in compromised systems
Chinese state-sponsored threat actors, known as Mustang Panda, have been observed targeting government organizations of various Asian countries with an upgraded version of the ToneShell backdoor.
This is according to cybersecurity researchers at Kaspersky, who recently analyzed a malicious file driver they found on computers belonging to government organizations in Myanmar, Thailand, and other countries.
The driver led to the discovery of ToneShell, a backdoor that grants attackers unabated access to compromised devices, through which they can upload and download files, create new documents, and more.



