Tag: toneshell

7 Attack Reports | 0 Vulnerabilities

Attack reports

The HoneyMyte APT now protects malware with a kernel-mode rootkit

In mid-2025, a malicious driver file was discovered on Asian computer systems, signed with a compromised digital certificate. This driver injects a backdoor Trojan and protects malicious files, processes, and registry keys. The final payload is a new variant of the ToneShell backdoor, associated wi…
apt
rootkit
plugx
toneshell
evasion techniques
2025-12-29
tonedisk
Published: December 29, 2025
Downloadable IOCs: 0

Bookworm to Stately Taurus Using the Attribution Framework

This analysis examines the Bookworm malware family and its connection to the Chinese APT group Stately Taurus. Using a structured attribution framework, the study evaluates tactics, tooling, operational security, infrastructure, victimology and timelines to establish a high-confidence link between …
malware
apt
china
infrastructure
toneshell
pubload
southeast asia
bookworm
2025-09-25
victimology
attribution
Published: September 25, 2025
Downloadable IOCs: 0

Updated Toneshell backdoor and novel SnakeDisk USB worm dropped

In mid-2025, China-aligned threat actor Hive0154 deployed new malware variants, including an updated Toneshell backdoor and a novel USB worm called SnakeDisk. Toneshell9 evades detection and supports C2 communication through local proxies. SnakeDisk only executes on devices in Thailand, propagating…
backdoor
espionage
china
toneshell
pubload
thailand
yokai
2025-09-11
usb worm
snakedisk
Published: September 11, 2025
Downloadable IOCs: 7

Latest Mustang Panda Arsenal: Toneshell, StarProxy, PAKLOG, CorKLOG, and SplatCloak

Mustang Panda, a threat actor group, has developed new tools including two keyloggers (PAKLOG and CorKLOG) and an EDR evasion driver (SplatCloak). PAKLOG monitors keystrokes and clipboard data, using a custom encoding scheme. CorKLOG captures keystrokes, encrypts data with RC4, and establishes pers…
windows
toneshell
2025-04-16
splatcloak
corklog
starproxy
paklog
Published: April 16, 2025
Downloadable IOCs: 23

Stately Taurus Activity in Southeast Asia Links to Bookworm Malware

Unit 42 researchers have discovered connections between Stately Taurus, a threat actor targeting ASEAN countries, and the Bookworm malware family. Analysis of infrastructure and code overlaps revealed links between recent Stately Taurus attacks and Bookworm samples dating back to 2015. The group ha…
dll sideloading
toneshell
pubload
modular malware
southeast asia
2025-02-20
asean
infrastructure overlap
bookworm
Published: February 20, 2025
Downloadable IOCs: 0

Chinese APT Abuses VSCode to Target Government in Asia

The report details a campaign by the Chinese advanced persistent threat (APT) group Stately Taurus, which carried out cyberespionage operations against government entities in Southeast Asia. The group employed a novel technique that leveraged the reverse shell feature of Visual Studio Code to gain …
apt
exfiltration
cyberespionage
shadowpad
poisonplug.shadow
toneshell
2024-09-09
credentialtheft
reverseshell
visualstudiocode
Published: September 9, 2024
Downloadable IOCs: 17

Toneshell Backdoor Used to Target Attendees of the IISS Defence Summit

A cyber espionage campaign using the ToneShell backdoor, associated with Mustang Panda, has been detected targeting attendees of the 2024 IISS Defence Summit in Prague. The attack utilizes a malicious PIF file masquerading as summit documents, which drops SFFWallpaperCore.exe and libemb.dll. The ma…
phishing
dll sideloading
gh0st rat
2024-09-05
toneshell
pif file
Published: September 5, 2024
Downloadable IOCs: 4
Click here to see more Attack Reports