Chinese state hackers plant malware inside Windows


Chinese state hackers are infiltrating operating systems to bypass antivirus detection.

The Chinese state-backed hacking group known as Mustang Panda has been actively targeting Southeast Asian governments, particularly in Myanmar and Thailand.

The group's malware uses a previously undocumented kernel-mode rootkit driver to load its TONESHELL backdoor directly into the core of the operating system. It is the first documented instance of the TONESHELL backdoor being delivered via a kernel-level loader.


According to researchers at Kaspersky, this evolution of malware poses an extremely dangerous threat, as security software cannot easily detect and identify these backdoors.

How does the malware work?

During the attack, the malicious driver ProjectConfiguration.sys registers itself as a Windows minifilter driver. Once resident in the kernel, it can intercept file, process, and registry activity.

“The driver file is signed with an old, stolen, or leaked digital certificate,” Kaspersky said, noting that its primary goal is to inject a backdoor into system processes and actively protect malicious components from inspection or removal.


Researchers found that the driver is signed using an expired certificate issued to a Chinese ATM company, Guangzhou Kingteller Technology Co., Ltd.

The certificate expired in 2015, and its continued use for signing likely indicates that it was leaked or stolen. According to the investigation, other unrelated malware samples have also been signed with the same certificate, supporting the theory of theft.

[Image: toneshell. Source: Kaspersky]

Once loaded, the rootkit deploys two embedded user-mode shellcodes that execute entirely in memory. These shellcodes perform the final stage of the infection, injecting the TONESHELL backdoor into a legitimate system process, svchost.exe.

As Kaspersky explained, the rootkit assigns itself a filter altitude (the number that fixes a minifilter's position in the I/O stack) higher than the range reserved for antivirus drivers, allowing it to inspect and block file operations before security software can intervene.

This effectively allows the malicious driver to sit above antivirus components in the I/O stack, thereby circumventing security checks altogether.

According to Kaspersky, the driver is capable of:

  • Dynamically resolving kernel APIs to avoid static detection
  • Blocking file deletion or renaming attempts targeting its components
  • Preventing access to protected registry keys
  • Intercepting process operations and denying access to security tools
  • Manipulating Microsoft Defender’s WdFilter.sys driver so it never loads
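
The altitude placement and the WdFilter.sys tampering described above both leave traces that a defender can check from user mode. The script below is an added example, not code from the article, from Kaspersky, or from the group's tooling: it parses the table printed by the Windows `fltmc filters` command, classifies each loaded minifilter into Microsoft's published altitude groups, flags any filter that sits above the anti-virus range and is not in a baseline of known Microsoft filters, and flags a missing WdFilter. The fltmc output is constructed sample data, and the altitude 380000 given to ProjectConfiguration is invented for illustration; the article does not state the rootkit's real altitude. Only `get_live_filters` needs a Windows host.

```python
"""Audit the Windows minifilter stack for drivers above the anti-virus altitude
range and for a missing Microsoft Defender filter (WdFilter). Added example, not
code from the article or Kaspersky; sample data and the 380000 altitude are constructed."""
import re
import subprocess
from typing import List, NamedTuple


class Minifilter(NamedTuple):
    name: str
    altitude: float


# (low, high, group) from Microsoft's published load-order groups. A higher altitude
# attaches nearer the top of the I/O stack, so that filter sees each request first.
ALTITUDE_GROUPS = [
    (400000, 409999, "FSFilter Top"),
    (360000, 389999, "FSFilter Activity Monitor"),
    (320000, 329999, "FSFilter Anti-Virus"),
    (240000, 249999, "FSFilter Quota Management"),
    (180000, 189999, "FSFilter HSM"),
    (130000, 139999, "FSFilter Virtualization"),
    (40000, 49999, "FSFilter Bottom"),
]
AV_RANGE_TOP = 329999          # anything above this sees I/O before every AV filter
DEFENDER_FILTER = "WdFilter"   # Defender's minifilter, altitude 328010 on a stock host
# Microsoft filters that legitimately sit above the AV range on a stock system.
# Starting baseline only: extend it from a known-good host in your estate.
BASELINE_ABOVE_AV = {"bindflt"}
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+([\d.]+)\s+(\d+)$")  # name, instances, altitude, frame


def parse_fltmc_output(text: str) -> List[Minifilter]:
    """Parse the table printed by `fltmc filters`; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(Minifilter(m.group(1), float(m.group(3))))
    return rows


def altitude_group(altitude: float) -> str:
    for low, high, group in ALTITUDE_GROUPS:
        if low <= altitude <= high:
            return group
    return "unlisted group"


def audit_filters(filters: List[Minifilter], expect_defender: bool = True,
                  baseline=BASELINE_ABOVE_AV) -> List[str]:
    """One finding per non-baseline filter above the AV range, plus one if
    WdFilter is absent while Defender is expected to be running."""
    findings = []
    allowed = {b.lower() for b in baseline}
    for f in filters:
        if f.altitude > AV_RANGE_TOP and f.name.lower() not in allowed:
            findings.append(f"{f.name}: altitude {f.altitude:g} ({altitude_group(f.altitude)}) "
                            "is above the anti-virus range and sees file I/O before any AV filter")
    if expect_defender and DEFENDER_FILTER.lower() not in {f.name.lower() for f in filters}:
        findings.append(f"{DEFENDER_FILTER} is not loaded: Defender's file-system filter is absent")
    return findings


def get_live_filters() -> List[Minifilter]:
    """Windows only: run `fltmc filters` from an elevated prompt and parse it."""
    out = subprocess.run(["fltmc", "filters"], capture_output=True, text=True, check=True)
    return parse_fltmc_output(out.stdout)


# Constructed sample in fltmc's table layout: stock-looking stack, WdFilter present.
SAMPLE_CLEAN = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
bindflt                                 1       409800         0
WdFilter                                3       328010         0
storqosflt                              0       244000         0
wcifs                                   0       189900         0
luafv                                   1       135000         0
FileInfo                                3        40500         0
"""
# Constructed sample: unfamiliar filter above the AV range, WdFilter missing.
# The 380000 altitude is invented; the article does not give the rootkit's value.
SAMPLE_SUSPECT = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
bindflt                                 1       409800         0
ProjectConfiguration                    3       380000         0
luafv                                   1       135000         0
FileInfo                                3        40500         0
"""

if __name__ == "__main__":
    for label, text in (("clean", SAMPLE_CLEAN), ("suspect", SAMPLE_SUSPECT)):
        findings = audit_filters(parse_fltmc_output(text))
        print(f"[{label}] {len(findings)} finding(s)")
        for line in findings:
            print("  -", line)
```

Run as-is, the clean sample produces no findings and the suspect sample produces two. On a real host, feed `get_live_filters()` to `audit_filters` and build `BASELINE_ABOVE_AV` from a known-good machine, since legitimate EDR and backup products also register filters in the Activity Monitor and Top groups; the signal is an unfamiliar name up there, not the altitude alone.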

The final payload is TONESHELL, which, once active, connects the infected device to command-and-control (C2) servers controlled by the attackers.

According to Kaspersky, Mustang Panda has used this backdoor since at least late 2022. Researchers note that the current campaign's infrastructure was set up as early as September 2024, although the observed attacks appear to have begun in February 2025.

The initial infection vector remains unclear, but researchers suspect previously compromised machines were used to deploy the malicious driver.

What is Mustang Panda?


Mustang Panda is a China-linked cyber espionage group that has been operating in the shadows since at least 2012.

The group is best known for spreading malware via phishing emails and decoy documents designed to lure targets into executing malicious payloads.

Over the years, its campaigns have targeted multiple governmental and diplomatic institutions, think tanks, religious organizations, and research facilities across the United States, Europe, and Asia.

The gang has a particularly strong footprint in Russia, Mongolia, Myanmar, Pakistan, and Vietnam.

Chinese hackers are ramping up attacks

Chinese threat actors have been active in the cyber underground, targeting organizations worldwide.

A newly identified cloud-side vulnerability, dubbed React2Shell, was exploited within hours after its public disclosure. AWS security teams say that they have observed active exploitation attempts by multiple China state-nexus threat groups, including Earth Lamia and Jackpot Panda.

In mid-September 2025, Anthropic detected a highly sophisticated espionage campaign conducted by a Chinese state-sponsored group, which exploited AI tools to execute cyberattacks without human intervention.


During the campaign, the attackers targeted roughly 30 critical infrastructure organizations, including large tech companies, financial institutions, chemical manufacturing companies, and government agencies.


In September and October 2025, a Chinese-affiliated threat actor called UNC6384 targeted European diplomats in Belgium, Hungary, and other European Member States. They abused a zero-day vulnerability to execute arbitrary code remotely on targeted Windows systems.
