TONESHELL

TONESHELL is a custom backdoor that has been used since at least Q1 2021.[1] TONESHELL malware has previously been leveraged by Chinese affiliated actors identified as Mustang Panda.[2][3]

ID: S1239
Type: MALWARE
Platforms: Windows
Contributors: YH Chang, ZScaler; ZScaler
Version: 1.0
Created: 15 September 2025
Last Modified: 21 October 2025

Techniques Used

Domain ID Name Use
Enterprise T1134 .002 Access Token Manipulation: Create Process with Token

TONESHELL included functionality to create sub-processes with a specific user’s token.[3]

Enterprise T1087 Account Discovery

TONESHELL included functionality to retrieve a list of user accounts.[3]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

TONESHELL has utilized HTTP for a C2 protocol through HTTP POST.[4][5] TONESHELL has also utilized HTTPS for C2.[6]

Enterprise T1010 Application Window Discovery

TONESHELL has used GetForegroundWindow to detect virtualization or sandboxes by calling the API twice and comparing each window handle.[5]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

TONESHELL used WinRAR rar.exe to archive files for exfiltration.[1][7] TONESHELL has also protected RAR archives with a unique 13-character password consisting of upper- and lower-case letters and digits.[7]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

TONESHELL has added Registry Run keys to achieve persistence.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

TONESHELL has created a reverse shell using cmd.exe.[6][3]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

TONESHELL has created a malicious service DISMsrv to maintain persistence.[1]

Enterprise T1132 .002 Data Encoding: Non-Standard Encoding

TONESHELL has encoded a payload with a random 32-byte key using XOR.[5] TONESHELL has also encoded payloads with a 256-byte key using XOR.[6]

Enterprise T1001 .003 Data Obfuscation: Protocol or Service Impersonation

TONESHELL used FakeTLS headers in network packets to impersonate various versions of the TLS protocol and blend in with legitimate network traffic.[6][3] TONESHELL variants have utilized FakeTLS headers with the bytes 0x17 0x03 0x03 to represent TLSv1.2 and 0x17 0x03 0x04 for TLSv1.3.[3]
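The FakeTLS framing described above can be checked from the record headers alone. The following is an added example (not code from the ATT&CK page or from any cited report): it parses a client's opening bytes as TLS records and flags two things a genuine TLS client never does, opening with an application-data record (0x17) instead of a Handshake record (0x16), and carrying 0x03 0x04 in a record header, since TLS 1.3 writes 0x0303 there for compatibility (RFC 8446). The two byte strings are constructed samples, not captured traffic.

```python
import struct

TLS_HANDSHAKE = 0x16
TLS_APPLICATION_DATA = 0x17
RECORD_HEADER_LEN = 5  # content type (1) + version (2) + length (2)

# Constructed samples (not captured traffic). The first imitates the page's
# description: application-data records tagged 0x17 0x03 0x03 and 0x17 0x03 0x04
# sent without any handshake. The second is the opening of a real session: a
# Handshake record (0x16) carrying a ClientHello header, payload truncated.
FAKE_TLS_SAMPLE = b"\x17\x03\x03\x00\x05hello" + b"\x17\x03\x04\x00\x03abc"
REAL_TLS_SAMPLE = b"\x16\x03\x01\x00\x04\x01\x00\x00\x00"


def parse_tls_records(stream: bytes) -> list:
    """Split a client-to-server byte stream into TLS-framed records.

    Each record is a dict with the content type, the two header version bytes,
    the payload, and whether the declared length was fully present.
    """
    records = []
    off = 0
    while off + RECORD_HEADER_LEN <= len(stream):
        ctype, vmaj, vmin, length = struct.unpack_from("!BBBH", stream, off)
        body = stream[off + RECORD_HEADER_LEN: off + RECORD_HEADER_LEN + length]
        records.append({
            "type": ctype,
            "version": (vmaj, vmin),
            "payload": body,
            "complete": len(body) == length,
        })
        off += RECORD_HEADER_LEN + length
    return records


def fake_tls_indicators(client_first_bytes: bytes) -> list:
    """Return the reasons a client's opening bytes look like TLS-shaped C2.

    An empty list means nothing in the framing contradicts genuine TLS; this
    is a header-only heuristic and does not inspect payloads.
    """
    records = parse_tls_records(client_first_bytes)
    if not records:
        return ["no_tls_record_header"]
    reasons = []

    def note(reason):
        if reason not in reasons:
            reasons.append(reason)

    # A genuine TLS session always opens with a Handshake record (ClientHello);
    # application data can only follow a completed handshake.
    if records[0]["type"] != TLS_HANDSHAKE:
        note("first_record_not_handshake")
    for rec in records:
        # RFC 8446: TLS 1.3 puts 0x0303 in the record header for compatibility,
        # so the pair 0x03 0x04 never appears on the wire in real TLS even
        # though it names TLSv1.3.
        if rec["version"] == (0x03, 0x04):
            note("record_version_0x0304")
    return reasons


if __name__ == "__main__":
    for label, sample in (("fake", FAKE_TLS_SAMPLE), ("real", REAL_TLS_SAMPLE)):
        print(label, fake_tls_indicators(sample))
```

Run against the first client-to-server bytes of a flow (for example from a packet capture), the function returns an empty list for the real-looking sample and two reasons for the constructed FakeTLS sample; a 0x17 0x03 0x03 record on its own is only suspicious by position, so the first-record check is the one that matters for the TLSv1.2 variant.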

Enterprise T1622 Debugger Evasion

TONESHELL has leveraged custom exception handlers to hide code flow and stop execution of a debugger.[5]

Enterprise T1678 Delay Execution

TONESHELL has the ability to pause operations for a specified duration prior to follow-on execution of activities.[3]

Enterprise T1140 Deobfuscate/Decode Files or Information

TONESHELL has decoded its payload prior to execution.[6][8][5][3][7]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

TONESHELL has used RC4 encryption in C2 communications.[5] TONESHELL variants used a randomly generated, variable-length (0x20-0x200 bytes) rolling XOR key to encrypt and decrypt network packets.[3]

Enterprise T1480 Execution Guardrails

TONESHELL has an exception handler that executes when the ESET antivirus applications ekrn.exe and egui.exe are not found and directly injects its code into waitfor.exe using native Windows API functions including WriteProcessMemory and CreateRemoteThreadEx.[8]

.001 Environmental Keying

TONESHELL has generated unique GUIDs to identify victim devices.[8][5][3] TONESHELL has leveraged environmental keying in payload delivery using the victim computer name and other configuration values.[6] TONESHELL has also tracked IDs associated with reverse shell subprocesses to manage interactions and terminations from C2.[8][3]

.002 Mutual Exclusion

TONESHELL has created a mutex to avoid duplicate execution.[6]

Enterprise T1574 .001 Hijack Execution Flow: DLL

TONESHELL has abused legitimate executables to side-load malicious DLLs.[4][2][1][8][5][9] TONESHELL has also been loaded via DLL side-loading using legitimate, signed executables including FastVD.exe, Bandizip.exe, and gpgconf.exe.[3]

Enterprise T1070 .004 Indicator Removal: File Deletion

TONESHELL has deleted payload files received from the C2 server.[3]

Enterprise T1105 Ingress Tool Transfer

TONESHELL has the ability to download additional files to the victim device.[1]

Enterprise T1056 .001 Input Capture: Keylogging

TONESHELL has capabilities to conduct keylogging.[1]

Enterprise T1559 Inter-Process Communication

TONESHELL has facilitated inter-process communication between DLL components via the use of pipes.[1] TONESHELL has also created a reverse shell using two anonymous pipes to write data to stdin and read data from stdout and stderr.[6]

Enterprise T1680 Local Storage Discovery

TONESHELL has retrieved the disk serial number of the device using the WMI query SELECT volumeserialnumber FROM win32_logicaldisk where Name ='C:' to identify the victim machine.[2]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

TONESHELL has masqueraded as the legitimate Windows utility service DISMsrv (Dism Images Servicing Utility Service).[1]

.005 Masquerading: Match Legitimate Resource Name or Location

TONESHELL has renamed malicious files to mimic legitimate file names and file extensions.[5] TONESHELL has also masqueraded as legitimate file names, including LogMeIn.dll.[3]

Enterprise T1106 Native API

TONESHELL has utilized Native Windows API functions such as WriteProcessMemory and CreateRemoteThreadEx.[8] TONESHELL has also utilized Windows API functions for creating seed values including CoCreateGuid and GetTickCount.[6][3] TONESHELL has leveraged the legitimate API function EnumSystemLocalesA to run its shellcode through the callback function.[10]

Enterprise T1095 Non-Application Layer Protocol

TONESHELL has utilized TCP-based reverse shells.[5]

Enterprise T1027 .001 Obfuscated Files or Information: Binary Padding

TONESHELL has used randomized padding to obfuscate payloads.[3][7]

.007 Obfuscated Files or Information: Dynamic API Resolution

TONESHELL has utilized a modified DJB2 algorithm to resolve APIs.[3]
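When a sample resolves imports by hash, an analyst recovers the API names by hashing candidate export names with the same algorithm and matching the values found in the binary. The block below is an added example, not code from the page or from any cited report: it implements the classic DJB2 (seed 5381, h = h * 33 + c, kept to 32 bits) with the seed and multiplier exposed as parameters, because the page only says TONESHELL's version is modified and not how, so the exact tweak is an assumption an analyst would have to determine from the sample. The candidate name list is constructed for the example; in practice it would be the export table of the DLLs the sample loads.

```python
# Constructed candidate list for the example; the API names are ones this
# page mentions. A real analysis would use the exports of the loaded DLLs.
CANDIDATE_APIS = [
    "WriteProcessMemory", "CreateRemoteThreadEx", "CoCreateGuid",
    "GetTickCount", "EnumSystemLocalesA", "GetForegroundWindow",
]


def djb2(name: bytes, seed: int = 5381, multiplier: int = 33) -> int:
    """Classic DJB2 over each byte of name, truncated to 32 bits.

    seed and multiplier default to the standard constants; they are parameters
    so a variant's modification (not described on the page, hence assumed
    unknown here) can be tried without rewriting the loop.
    """
    h = seed
    for c in name:
        h = (h * multiplier + c) & 0xFFFFFFFF
    return h


def build_hash_table(names, **params) -> dict:
    """Map 32-bit hash value -> API name for every candidate name."""
    return {djb2(n.encode("ascii"), **params): n for n in names}


def resolve_hash(value: int, table: dict):
    """Return the API name behind a hash pulled from the sample, or None."""
    return table.get(value & 0xFFFFFFFF)


if __name__ == "__main__":
    table = build_hash_table(CANDIDATE_APIS)
    for h, name in sorted(table.items()):
        print(f"0x{h:08x}  {name}")
    # Example lookup of a value as it would be read out of the binary.
    print(resolve_hash(djb2(b"CreateRemoteThreadEx"), table))
```

If no hashes from the sample match the standard constants, the seed, multiplier, or a post-processing step (for example an extra XOR) is what was modified; rebuilding the table with different parameters is cheap, so the loop over candidate parameters is the usual next step.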

.012 Obfuscated Files or Information: LNK Icon Smuggling

TONESHELL has been initiated using LNK files that were programmed to display a PDF icon to entice the victim to click on the file to execute an office.exe binary.[4]

Enterprise T1057 Process Discovery

TONESHELL has checked the process name and process path to ensure they match the expected ones prior to triggering a custom exception handler.[5] TONESHELL has also searched for running antivirus processes, including ESET's antivirus executables ekrn.exe and egui.exe.[8]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

TONESHELL has used DLL injection to execute payloads received from the C2 server.[3]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

TONESHELL has created scheduled tasks to maintain persistence.[2][1]

Enterprise T1113 Screen Capture

TONESHELL has conducted screen capturing.[1]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

TONESHELL has checked for the presence of ESET antivirus applications ekrn.exe and egui.exe.[8]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

TONESHELL has used valid legitimate digital signatures and certificates to evade detection.[4]

Enterprise T1218 .010 System Binary Proxy Execution: Regsvr32

TONESHELL has used regsvr32.exe to execute the DllRegisterServer function.[8]

.013 System Binary Proxy Execution: Mavinject

TONESHELL has injected its malicious payload into a running process through the Windows utility Microsoft Application Virtualization Injector (MAVInject.exe).[8]

Enterprise T1082 System Information Discovery

TONESHELL has the ability to retrieve the name of the infected machine.[6][8][3]

Enterprise T1033 System Owner/User Discovery

TONESHELL has obtained the username from an infected host.[5]

Enterprise T1205 Traffic Signaling

TONESHELL has utilized a "magic packet" value in C2 communications and only executes in memory when response packets match specific values.[8][5][9]

Enterprise T1497 .002 Virtualization/Sandbox Evasion: User Activity Based Checks

TONESHELL has leveraged GetForegroundWindow to detect virtualization or sandboxes by calling the API twice and comparing each window handle.[5]

Enterprise T1047 Windows Management Instrumentation

TONESHELL has used WMI queries to gather information from the system.[2]

Groups That Use This Software

References