Chinese state hackers use rootkit to hide ToneShell malware activity

A new sample of the ToneShell backdoor, typically seen in Chinese cyberespionage campaigns, has been delivered through a kernel-mode loader in attacks against government organizations.

HoneyMyte (aka Mustang Panda) Deploys ToneShell Backdoor in New Attacks

Follow us on Bluesky, Twitter (X), Mastodon and Facebook at @Hackread

The HoneyMyte APT evolves with a kernel-mode rootkit and a ToneShell backdoor

Kaspersky discloses a 2025 HoneyMyte (aka Mustang Panda or Bronze President) APT campaign, which uses a kernel-mode rootkit to deliver and protect a ToneShell backdoor.

Hive0154, aka Mustang Panda, drops updated Toneshell backdoor and novel SnakeDisk USB worm

Hive0154 wreaks havoc on Singapore and Thailand using a new Toneshell backdoor and SnakeDisk USB worm.

New ToneShell Backdoor With New Features Leverage Task Scheduler COM Service for Persistence

Since its first appearance earlier this year, the ToneShell backdoor has demonstrated a remarkable capacity for adaptation, toyed with by the Mustang Panda group to maintain an enduring foothold in targeted environments. This latest variant, discovered in early September, arrives concealed within sideloaded DLLs alongside legitimate executables. Delivered via compressed archives purporting to contain innocuous […]

Bluesky

Chinese Hackers Exploit MAVInject.exe to Evade Detection in Targeted Cyber Attacks

Mustang Panda exploits MAVInject.exe to evade ESET detection, using EA files to sideload TONESHELL backdoor for persistent cyber espionage.

Chinese Hackers Using Russo-Ukrainian War Decoys to Target APAC and European Entities

A China-linked nation-state hacking group is using decoys related to the ongoing Russian-Ukrainian war to attack facilities in Europe and the Asia-Pac