Wolves Got A Hall Pass: Mustang Panda's Signed Rootkit Is Doing Laps Around Your Electric Fence

Oh good. A signed kernel-mode rootkit. Signed. As in, someone handed the wolf a laminated badge that says "I belong here" and your entire Electric Fence just... waved it through. I've had three cups of cold coffee today and this is what I come back to.

Let me explain what happened, because apparently we're doing this now.

Mustang Panda, a threat group that absolutely does not care about your incident response SLA, deployed a backdoor called TONESHELL into Asian government networks. The delivery mechanism was a kernel-mode rootkit with a valid digital signature. Your security tooling saw the badge, nodded politely, and went back to sleep. Honestly, relatable.

The rootkit runs at the kernel level, which means it's not sneaking around in the house. It IS the house. It loads TONESHELL underneath your visibility layer, which means your endpoint detection is out there sniffing around the living room while the parasite has already eaten through the foundation.

The "signed" part is the part that should make you put down your coffee. Windows will not load a kernel driver that isn't signed, so a valid signature is the ticket in; but the signature only tells you who vouched for the driver, not what it does. Legitimate code-signing certificates are being abused to make malicious drivers look trustworthy. This isn't a hole in the fence so much as it's a wolf who filed the correct paperwork to become a sheep.

And who are these networks being targeted? Government. Asian government specifically. Which means the Shepherds in charge of those pastures are going to have a very fun Tuesday explaining this to other Shepherds.

I'm not even mad at the Lambs this time. You can't click your way past a kernel rootkit. This one's on the infrastructure. And the certificate authorities. And probably whoever approved "trust everything signed" as a policy.

Probably a Shepherd, honestly.

Remediation

Look, I need to go lie down, but before I do:

Enable the Microsoft Vulnerable Driver Blocklist. Seriously. It exists. Use it. Caveat before you feel safe: it only blocks drivers Microsoft has already catalogued as known-bad, so a freshly signed malicious driver will not be on it until somebody adds it.

Audit your allowed kernel drivers. If you don't recognize it, it doesn't graze here.

Implement strict driver signing policies via Windows Defender Application Control (WDAC). Allow drivers by publisher or hash that you have actually reviewed, not "anything with a valid signature." "Signed" is not the same as "safe." Tattoo that somewhere.

Monitor for anomalous kernel-level activity. EDR tools that only watch user-mode processes are basically just expensive screensavers at this point.

Threat hunt for TONESHELL indicators. The Hacker News article has the link, go find the IOCs, do the thing.

Revoke trust in compromised certificates the moment they're flagged: push the signer's certificate into the machine's Untrusted Certificates (Disallowed) store so the signature stops checking out. Don't wait for a memo from the Shepherds.
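Since the steps above are the same audit every Shepherd should be running before a driver gets a hall pass, here is what that looks like in practice. This is an added example written for this post, not tooling from the Hacker News report or from anyone tracking Mustang Panda. It assumes an elevated PowerShell session, uses only built-in cmdlets, and the `$ExpectedSigners` allowlist is a placeholder you must replace with the signers that actually belong on your fleet.

```powershell
# Added example (not from the original report): audit running kernel drivers,
# check each one's Authenticode signature and signer, flag anything that is
# unsigned, invalid, revoked locally, or signed by someone you did not expect,
# and confirm the Vulnerable Driver Blocklist and HVCI are actually on.
# Run from an elevated PowerShell prompt.

# ASSUMPTION: substrings that identify signers you consider legitimate on this
# host. "Valid" from an unknown signer is still flagged for review, because a
# valid signature is a badge, not a character reference.
$ExpectedSigners = @('Microsoft Windows', 'Microsoft Corporation')

function Resolve-DriverPath {
    # Win32_SystemDriver reports paths in several shapes; normalise to a real path.
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''                # \??\C:\... -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot      # \SystemRoot\... -> C:\Windows\...
    if ($p -match '^System32\\') { $p = Join-Path $env:SystemRoot $p }   # relative System32\...
    return $p
}

function Test-VulnerableDriverBlocklist {
    # Microsoft documents this value under CI\Config; 1 means the blocklist is enforced.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $val = (Get-ItemProperty -Path $key -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    return ($val -eq 1)
}

function Test-HvciRunning {
    # Win32_DeviceGuard.SecurityServicesRunning contains 2 when HVCI (memory integrity) is running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    return [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))
}

function Get-KernelDriverReport {
    # Thumbprints already pushed into the Untrusted store (step: revoke trust).
    $disallowed = Get-ChildItem -Path Cert:\LocalMachine\Disallowed -ErrorAction SilentlyContinue |
                  Select-Object -ExpandProperty Thumbprint

    Get-CimInstance -ClassName Win32_SystemDriver |
      Where-Object { $_.State -eq 'Running' } |
      ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        if (-not ($path -and (Test-Path -LiteralPath $path))) { return }

        $sig    = Get-AuthenticodeSignature -FilePath $path   # checks embedded and catalog signatures
        $cert   = $sig.SignerCertificate
        $signer = if ($cert) { $cert.Subject } else { '<unsigned>' }
        $thumb  = if ($cert) { $cert.Thumbprint } else { '' }

        $expected = $false
        foreach ($s in $ExpectedSigners) { if ($signer -like "*$s*") { $expected = $true } }
        $revokedLocally = ($thumb -and ($disallowed -contains $thumb))

        [pscustomobject]@{
            Name           = $_.Name
            Path           = $path
            SigStatus      = $sig.Status            # Valid / NotSigned / HashMismatch / NotTrusted ...
            Signer         = $signer
            Thumbprint     = $thumb
            RevokedLocally = $revokedLocally
            # Anything not both Valid AND from an expected signer gets a human's eyes.
            Review         = ($sig.Status -ne 'Valid') -or (-not $expected) -or $revokedLocally
        }
      }
}

# Usage: print the drivers that need review, then the two platform checks.
$report = Get-KernelDriverReport
$report | Where-Object { $_.Review } |
    Sort-Object Signer, Name |
    Format-Table Name, SigStatus, RevokedLocally, Signer, Thumbprint -AutoSize
"Vulnerable Driver Blocklist enabled: $(Test-VulnerableDriverBlocklist)"
"HVCI (memory integrity) running:     $(Test-HvciRunning)"
```

The point of the `Review` column is the whole lesson of this incident: a driver with `SigStatus = Valid` from a signer you don't recognise is exactly what a signed rootkit looks like, so the script surfaces it rather than trusting the badge. Feed the `Thumbprint` column into your WDAC publisher rules for the drivers you do accept, and into the Disallowed store for the ones you don't.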

I'm going to go stare at the ceiling and think about a different career.


Original Report: https://thehackernews.com/2025/12/mustang-panda-uses-signed-kernel-driver.html