Chinese APT Mustang Panda Caught Using Kernel-Mode Rootkit
The threat actor uses a signed driver file containing two user-mode shellcodes to execute its ToneShell backdoor. The post Chinese APT Mustang Panda Caught Using Kernel-Mode Rootkit appeared first on SecurityWeek.
The Chinese espionage-focused APT Mustang Panda has been using a kernel-mode rootkit in recent attacks against Asian targets, Kaspersky reports.
Also known as Basin, Bronze President, Earth Preta, and Red Delta, and tracked by Kaspersky as HoneyMyte, Mustang Panda mainly targets government and military entities in East Asia and Europe.
In early 2025, US and French authorities attempted to clean thousands of computers that the APT had infected with the PlugX RAT.
Source: https://www.securityweek.com/chinese-apt-mustang-panda-caught-using-kernel-mode-rootkit/
Related breach coverage
- Mustang Panda deploys ToneShell via signed kernel-mode rootkit driver (2025-12-30)
China-linked APT Mustang Panda used a signed kernel-mode rootkit driver to load shellcode and deploy its ToneShell backdoor. China-linked APT Mustang Panda (aka Hive0154, HoneyMyte, Camaro Dragon, RedDelta or Bronze President) was observed using a signed kernel-mode rootkit driver with embedded shellcode to deploy its ToneShell backdoor. Mustang Panda has been active since at least 2012, targeting American and European entities such as […]
- Chinese Hackers Caught Deep Within Telecom Backbone Infrastructure (2026-03-26)
The state-sponsored threat actor deployed kernel implants and passive backdoors enabling long-term, high-level espionage.
- TrueConf Zero-Day Exploited in Asian Government Attacks (2026-04-03)
A Chinese threat actor exploited the video conferencing platform to perform reconnaissance, escalate privileges, and execute additional payloads.
- Anthropic Says Claude AI Powered 90% of Chinese Espionage Campaign (2025-11-14)
A state-sponsored threat actor manipulated Claude Code to execute cyberattacks on roughly 30 organizations worldwide.
