Malware News Chinese state hackers use rootkit to hide ToneShell malware activity

Parkinsond
Thread author
A new sample of the ToneShell backdoor, typically seen in Chinese cyberespionage campaigns, has been delivered through a kernel-mode loader in attacks against government organizations.

Security researchers at Kaspersky analyzed a malicious file driver found on computer systems in Asia and discovered that it has been used in campaigns since at least February 2025 against government organizations in Myanmar, Thailand, and other Asian countries.

According to Kaspersky, the new ToneShell backdoor was deployed by a mini-filter driver named ProjectConfiguration.sys and signed with a stolen or leaked certificate valid between 2012 and 2015 and issued to Guangzhou Kingteller Technology Co., Ltd.

To evade static analysis, the driver resolves required kernel APIs at runtime by enumerating loaded kernel modules and matching function hashes, rather than importing functions directly.

"According to Kaspersky, the new ToneShell backdoor was deployed by a mini-filter driver named ProjectConfiguration.sys and signed with a stolen or leaked certificate valid between 2012 and 2015 and issued to Guangzhou Kingteller Technology Co., Ltd."

It is easy to obtain a legitimate certificate for a kernel driver and use it maliciously. By the time the certificate is blocked, the mission or campaign has long since been completed and the attackers have moved on.

LOL
 
Yeah, exactly. The rootkit I discussed earlier is also signed, and the certificate is yet to be revoked, albeit I have sent it to cert central but no response yet. This delay in cert revocation is also equally responsible.
 
Technical Analysis

Analysis of the malicious driver and associated campaign indicates a sophisticated attempt to gain operational stealth against government targets in Asia.

Deployment Vector: The backdoor is deployed by a mini-filter driver named ProjectConfiguration.sys. This driver is signed with a stolen or leaked certificate issued to Guangzhou Kingteller Technology Co., Ltd., which was originally valid between 2012 and 2015.

Rootkit Capabilities:

Self-Protection: The driver intercepts file-system operations (deletion/renaming) targeting itself and forces them to fail.

Registry Stealth: It registers a registry callback to deny unauthorized creation or opening of its service-related registry keys.

Defender Interference: The rootkit modifies the configuration of the Microsoft Defender driver (WdFilter) to prevent it from loading into the I/O stack.

Security Tool Evasion: By selecting a mini-filter altitude above the standard antivirus range, the driver ensures its operations take priority over security products.

Backdoor Evolution: The new ToneShell variant includes a revised host identification scheme (4-byte ID marker) and utilizes network traffic obfuscation with fake TLS headers to blend into legitimate traffic.

Command Set: The backdoor supports diverse remote operations, including:

0x1: Create temporary files for incoming data.

0x7: Establish remote shell via a pipe.

0xA / 0xB: Upload files.

Recommendation / Remediation

Based on the advanced nature of this kernel-mode threat, standard user-mode scanning is insufficient.

Memory Forensics: Memory analysis is essential to uncover the presence of the kernel-mode injector, as the rootkit actively hides its file and registry presence from the OS.

Certificate Revocation: Security teams should proactively block or flag drivers signed by the Guangzhou Kingteller Technology Co., Ltd. certificate (Thumbprint verification required from raw IOC list).

Driver Signature Enforcement: Ensure Windows Driver Signature Enforcement (DSE) is active and monitor for any attempts to bypass it or load unsigned/expired drivers.

Endpoint Configuration: Audit for modifications to the WdFilter service configuration, which is a key indicator of rootkit-level interference with Microsoft Defender.

Reference

MITRE ATT&CK: T1014 (Rootkit), T1068 (Exploitation for Privilege Escalation)
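An added host-triage script, written for this thread and not taken from the post above or from Kaspersky's report, that checks the three endpoint indicators the analysis names: a mini-filter loaded at an altitude above Microsoft's FSFilter Anti-Virus load-order range (320000-329999), a WdFilter service that is missing, detached, or no longer configured for boot start, and loaded drivers signed with the watch-listed certificate. The $KnownFilters baseline is a constructed illustration to be replaced with your own fleet baseline, and the thumbprint value is a placeholder to be filled from the Kaspersky IOC list; both are assumptions, not data from the thread.

```powershell
# Added triage script (not from the thread or from Kaspersky). Run in an elevated
# PowerShell on Windows 10/11. Assumptions: 'fltmc filters' is available, the
# FSFilter Anti-Virus altitude range is 320000-329999, and $KnownFilters is a
# constructed baseline that must be replaced with your own fleet's baseline.

$AvAltitudeMax    = 329999
$KnownFilters     = @('WdFilter','FileInfo','Wof','luafv','storqosflt','bindflt','wcifs','cldflt')
# Subject fragment taken from the thread; thumbprint is a placeholder for the IOC-list value.
$WatchSubjects    = @('Guangzhou Kingteller Technology')
$WatchThumbprints = @('<THUMBPRINT-FROM-KASPERSKY-IOC-LIST>')

# 1. Loaded mini-filters: parse the 'Filter Name / Num Instances / Altitude / Frame'
#    table printed by fltmc and flag anything above the AV range that is not in the baseline.
$filters = fltmc filters | ForEach-Object {
    if ($_ -match '^(\S+)\s+(\d+)\s+([\d.]+)\s+(\S+)\s*$') {
        [pscustomobject]@{ Name = $Matches[1]; Instances = [int]$Matches[2]; Altitude = [double]$Matches[3] }
    }
}
$filters |
    Where-Object { $_.Altitude -gt $AvAltitudeMax -and $_.Name -notin $KnownFilters } |
    ForEach-Object { "SUSPECT  mini-filter $($_.Name) at altitude $($_.Altitude) (above AV range, not in baseline)" }

# 2. Defender's own mini-filter: must be loaded, attached to at least one volume,
#    configured for boot start (Start=0), and still registered inside the AV altitude range.
$wd = $filters | Where-Object Name -eq 'WdFilter'
if (-not $wd)                { "SUSPECT  WdFilter is not loaded" }
elseif ($wd.Instances -eq 0) { "SUSPECT  WdFilter is loaded but attached to no volumes" }
$wdSvc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\WdFilter' -ErrorAction SilentlyContinue
if (-not $wdSvc)                { "SUSPECT  WdFilter service key is missing or unreadable" }
elseif ($wdSvc.Start -ne 0)     { "SUSPECT  WdFilter Start=$($wdSvc.Start) (expected 0 = boot start)" }
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\WdFilter\Instances' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $alt = (Get-ItemProperty $_.PSPath).Altitude
        if ($alt -and [double]$alt -gt $AvAltitudeMax) { "SUSPECT  WdFilter instance altitude rewritten to $alt" }
    }

# 3. Driver signers: flag the watch-listed certificate and any signature that no longer
#    validates. An expired signing cert by itself is normal for timestamped drivers, so it
#    is reported as INFO rather than flagged.
Get-CimInstance Win32_SystemDriver | Where-Object PathName | ForEach-Object {
    $drv  = $_
    $path = $drv.PathName -replace '^\\\?\?\\','' -replace '^\\SystemRoot', $env:SystemRoot
    $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
    if (-not $sig -or -not $sig.SignerCertificate) { return }
    $cert = $sig.SignerCertificate
    $hit  = ($WatchSubjects | Where-Object { $cert.Subject -like "*$_*" }) -or ($cert.Thumbprint -in $WatchThumbprints)
    if ($hit) {
        "SUSPECT  $($drv.Name): signed by watch-listed cert $($cert.Subject) [$($cert.Thumbprint)] ($path)"
    } elseif ($sig.Status -ne 'Valid') {
        "WARN     $($drv.Name): signature status $($sig.Status) ($path)"
    } elseif ($cert.NotAfter -lt (Get-Date)) {
        "INFO     $($drv.Name): signer cert expired $($cert.NotAfter.ToShortDateString()) ($path)"
    }
}
```

Each finding is emitted as a SUSPECT, WARN or INFO line so the script can be run by an EDR response action or a scheduled task and its output shipped to a SIEM. Check 2 is the one that matters most for the behaviour described in the post: a rootkit that stops WdFilter from attaching to the I/O stack shows up here as a loaded filter with zero instances, or as a service whose Start value has been changed, before any file-level scan would notice anything. The hash-based API resolution and self-protection callbacks described above are not visible from this script; confirming those still requires memory forensics, as the post's remediation section says.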