
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   CONSPRCY      How big is your tinfoil hat?      2,445 messages   


   Message 2,143 of 2,445   
   Mike Powell to All   
   Researchers identify new   
   31 Dec 25 09:25:01   
   
   TZUTC: -0500   
   MSGID: 1900.consprcy@1:2320/105 2dba6fa9   
   PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0   
   TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0   
   BBSID: CAPCITY2   
   CHRS: ASCII 1   
   FORMAT: flowed   
   Researchers identify new ToneShell backdoor targeting government agencies   
      
   Date:   
   Tue, 30 Dec 2025 17:15:00 +0000   
      
   Description:   
   Chinese attackers are allegedly spying on their neighbors with sophisticated   
   backdoors.   
      
   FULL STORY   
      
   Chinese state-sponsored threat actors, known as Mustang Panda, have been   
   observed targeting government organizations of various Asian countries with    
   an upgraded version of the ToneShell backdoor.    
      
   This is according to cybersecurity researchers Kaspersky, who recently   
   analyzed a malicious file driver they found on computers belonging to   
   government organizations in Myanmar, Thailand, and others.    
      
   The driver led to the discovery of ToneShell, a backdoor which grants   
   attackers unabated access to compromised devices, through which they can   
   upload and download files, create new documents, and more.   
      
   Mini-filters and kernel-mode drivers   
      
   The new variant came with improvements, Kaspersky added, including   
   establishing a remote shell via a pipe, terminating shell, cancelling    
   uploads, closing connections, creating temporary files for incoming data, and   
   more.    
      
   ToneShell is generally used for cyber-espionage campaigns. Victim computers
   were apparently also infected with other malware, including PlugX and the
   ToneDisk USB worm. The campaign likely started in February 2025,
   researchers speculate.
      
   But what makes this campaign really stand out is the use of a mini-filter
   driver that was signed with either a stolen or leaked certificate.
      
   "This is the first time we've seen ToneShell delivered through a kernel-mode
   loader, giving it protection from user-mode monitoring and benefiting from    
   the rootkit capabilities of the driver that hides its activity from security   
   tools," Kaspersky said.    
      
   Mini-filters are kernel-mode drivers that sit inside the Windows file system   
   stack and intercept file system operations in real time. They let software   
   see, block, modify, or log file activity before it reaches the disk, and are   
   part of Microsoft's File System Filter Manager framework.
      
   Among other things, they let the attackers tamper with Microsoft Defender,   
   making sure it doesn't get loaded into the I/O stack.
      
   To defend against the new attacks, the researchers advise memory forensics as   
   the number one way of spotting ToneShell infections. They also shared a list   
   of indicators of compromise (IoC) which can be used to determine if a system   
   was attacked or not.    
      
    Via BleepingComputer    
      
   ======================================================================   
   Link to news story:   
   https://www.techradar.com/pro/security/researchers-identify-new-toneshell-backdoor-targeting-government-agencies
      
   $$   
   --- SBBSecho 3.28-Linux   
    * Origin: Capitol City Online (1:2320/105)   
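As an added example (not part of the article or of Mike Powell's post), a PowerShell check that lists the file-system minifilters registered on a Windows host together with their altitude and Authenticode signer. A kernel-mode loader signed with a stolen or leaked certificate will still show a valid signature, so the value is in comparing the filter list and signer names against a known-good baseline, as a complement to the memory forensics the researchers recommend.

```powershell
# Added example: enumerate registered minifilter drivers and report who signed them.
# Minifilters are the services that carry an "Instances" subkey with an Altitude value.
$services = 'HKLM:\SYSTEM\CurrentControlSet\Services'

Get-ChildItem $services | ForEach-Object {
    $inst = Join-Path $_.PSPath 'Instances'
    if (-not (Test-Path $inst)) { return }          # not a minifilter, skip

    $image = (Get-ItemProperty $_.PSPath).ImagePath
    if (-not $image) { return }

    # Normalise the ImagePath forms seen in the registry:
    #   \??\C:\...\x.sys, \SystemRoot\system32\drivers\x.sys, system32\drivers\x.sys
    $path = $image -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }

    # First instance's altitude decides where the filter sits in the I/O stack;
    # anti-malware filters (e.g. Defender's WdFilter) live in the 320000-329999 range.
    $altitude = Get-ChildItem $inst |
        ForEach-Object { (Get-ItemProperty $_.PSPath).Altitude } |
        Select-Object -First 1

    $sig = if (Test-Path $path) { Get-AuthenticodeSignature -FilePath $path } else { $null }

    [pscustomobject]@{
        Filter   = $_.PSChildName
        Altitude = $altitude
        Image    = $path
        Status   = if ($sig) { $sig.Status } else { 'FileNotFound' }
        Signer   = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
} | Sort-Object { [double]($_.Altitude -replace '[^0-9.]', '') } |
    Format-Table Filter, Altitude, Status, Signer, Image -AutoSize
```

Run it from an elevated prompt; an entry with an unfamiliar signer, a missing image file, or an altitude that places it ahead of the host's anti-malware filter is what warrants a closer look.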
      



(c) 1994,  bbs@darkrealms.ca