S1239 TONESHELL
TONESHELL is a custom backdoor that has been used since at least Q1 2021.2 TONESHELL malware has previously been leveraged by Chinese affiliated actors identified as Mustang Panda.13
| Item | Value |
|---|---|
| ID | S1239 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 15 September 2025 |
| Last Modified | 21 October 2025 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1134 | Access Token Manipulation | - |
| enterprise | T1134.002 | Create Process with Token | TONESHELL included functionality to create sub-processes with a specific user’s token.3 |
| enterprise | T1087 | Account Discovery | TONESHELL included functionality to retrieve a list of user accounts.3 |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | TONESHELL has utilized HTTP for a C2 protocol through HTTP POST.76 TONESHELL has also utilized HTTPS for C2.4 |
| enterprise | T1010 | Application Window Discovery | TONESHELL has used GetForegroundWindow to detect virtualization or sandboxes by calling the API twice and comparing each window handle.6 |
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.001 | Archive via Utility | TONESHELL used WinRAR rar.exe to archive files for exfiltration.29 TONESHELL has also utilized a unique 13-character password consisting of upper lower case and digits to protect RAR archives.9 |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | TONESHELL has added Registry Run keys to achieve persistence.2 |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | TONESHELL has created a reverse shell using cmd.exe.43 |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | TONESHELL has created a malicious service DISMsrv to maintain persistence.2 |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.002 | Non-Standard Encoding | TONESHELL has encoded a payload with a random 32-byte key using XOR.6 TONESHELL has also encoded payloads with a 256-byte key using XOR.4 |
| enterprise | T1001 | Data Obfuscation | - |
| enterprise | T1001.003 | Protocol or Service Impersonation | TONESHELL used FakeTLS headers in network packets to impersonate various versions of TLS protocols to blend in with legitimate network traffic.43 TONESHELL variants have utilized FakeTLS headers with the bytes 0x17 0x03 0x03 to represent TLSv1.2 and 0x17 0x03 0x04 for TLSv1.3.3 |
| enterprise | T1622 | Debugger Evasion | TONESHELL has leveraged custom exception handlers to hide code flow and stop execution of a debugger.6 |
| enterprise | T1678 | Delay Execution | TONESHELL has the ability to pause operations for a specified duration prior to follow-on execution of activities.3 |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | TONESHELL has decoded its payload prior to execution.45639 |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | TONESHELL has used RC4 encryption in C2 communications.6 TONESHELL variants used a randomly generated variable length (0x20 - 0x200 bytes) rolling XOR key to encrypt and decrypt network packets.3 |
| enterprise | T1480 | Execution Guardrails | TONESHELL has an exception handler that executes when ESET antivirus applications ekrn.exe and egui.exe are not found and directly injects its code into waitfor.exe using Native Windows API including WriteProcessMemory and CreateRemoteThreadEx.5 |
| enterprise | T1480.001 | Environmental Keying | TONESHELL has generated unique GUIDs to identify victim devices.563 TONESHELL has leveraged environmental keying in payload delivery using the victim computer name and other configuration values.4 TONESHELL has also tracked IDs associated with reverse shell subprocesses to manage interactions and terminations from C2.53 |
| enterprise | T1480.002 | Mutual Exclusion | TONESHELL has created a mutex to avoid duplicate execution.4 |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.001 | DLL | TONESHELL has abused legitimate executables to side-load malicious DLLs.712568 TONESHELL has also been loaded via DLL side-loading, using legitimate, signed executables to include: FastVD.exe, Bandizip.exe and gpgconf.exe.3 |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | TONESHELL has deleted payload files received from the C2 server.3 |
| enterprise | T1105 | Ingress Tool Transfer | TONESHELL has the ability to download additional files to the victim device.2 |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | TONESHELL has capabilities to conduct keylogging.2 |
| enterprise | T1559 | Inter-Process Communication | TONESHELL has facilitated inter-process communication between DLL components via the use of pipes.2 TONESHELL has also created a reverse shell using two anonymous pipes to write data to stdin and read data from stdout and stderr.4 |
| enterprise | T1680 | Local Storage Discovery | TONESHELL has retrieved the disk serial number of the device using WMI query SELECT volumeserialnumber FROM win32_logicaldisk where Name =’C: to identify the victim machine.1 |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.004 | Masquerade Task or Service | TONESHELL has masqueraded as the legitimate Windows utility service DISMsrv (Dism Images Servicing Utility Service).2 |
| enterprise | T1036.005 | Match Legitimate Resource Name or Location | TONESHELL has renamed malicious files to mimic legitimate file names and file extensions.6 TONESHELL has also masqueraded as legitimate file names to include LogMeIn.dll.3 |
| enterprise | T1106 | Native API | TONESHELL has utilized Native Windows API functions such as WriteProcessMemory and CreateRemoteThreadEx.5 TONESHELL has also utilized Windows API functions for creating seed values including CoCreateGuid and GetTickCount.43 TONESHELL has leveraged the legitimate API function EnumSystemLocalesA to run its shellcode through the callback function.10 |
| enterprise | T1095 | Non-Application Layer Protocol | TONESHELL has utilized TCP-based reverse shells.6 |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.001 | Binary Padding | TONESHELL has used randomized padding to obfuscate payloads.39 |
| enterprise | T1027.007 | Dynamic API Resolution | TONESHELL has utilized a modified DJB2 algorithm to resolve APIs.3 |
| enterprise | T1027.012 | LNK Icon Smuggling | TONESHELL has been initiated using LNK files that were programmed to display a PDF icon to entice the victim to click on the file to execute an office.exe binary.7 |
| enterprise | T1057 | Process Discovery | TONESHELL has checked the process name and process path to ensure it matches the expected one prior to triggering a custom exception handler.6 TONESHELL has also searched for running antivirus processes to include ESET’s antivirus associated executables ekrn.exe and egui.exe.5 |
| enterprise | T1055 | Process Injection | - |
| enterprise | T1055.001 | Dynamic-link Library Injection | TONESHELL has used DLL injection to execute payloads received from the C2 server.3 |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | TONESHELL has created scheduled tasks to maintain persistence.12 |
| enterprise | T1113 | Screen Capture | TONESHELL has conducted screen capturing.2 |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | TONESHELL has checked for the presence of ESET antivirus applications ekrn.exe and egui.exe.5 |
| enterprise | T1553 | Subvert Trust Controls | - |
| enterprise | T1553.002 | Code Signing | TONESHELL has used valid legitimate digital signatures and certificates to evade detection.7 |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.010 | Regsvr32 | TONESHELL has used regsvr32.exe to execute the windows DLLRegisterServer function.5 |
| enterprise | T1218.013 | Mavinject | TONESHELL has injected its malicious payload into a running process through Windows utility Microsoft Application Virtualization Injector MAVInject.exe.5 |
| enterprise | T1082 | System Information Discovery | TONESHELL has the ability to retrieve the name of the infected machine.453 |
| enterprise | T1033 | System Owner/User Discovery | TONESHELL has obtained the username from an infected host.6 |
| enterprise | T1205 | Traffic Signaling | TONESHELL has utilized a “magic packet” value in C2 communications and only executes in memory when response packets match specific values.568 |
| enterprise | T1497 | Virtualization/Sandbox Evasion | - |
| enterprise | T1497.002 | User Activity Based Checks | TONESHELL has leveraged GetForegroundWindow to detect virtualization or sandboxes by calling the API twice and comparing each window handle.6 |
| enterprise | T1047 | Windows Management Instrumentation | TONESHELL has used WMI queries to gather information from the system.1 |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0129 | Mustang Panda | 741256839 |
References
-
Ken Towne, Francis Guibernau. (2023, March 23). Emulating the Politically Motivated Chinese APT Mustang Panda. Retrieved September 10, 2025. ↩↩↩↩↩↩
-
Lior Rochberger, Tom Fakterman, Robert Falcone. (2023, September 22). Cyberespionage Attacks Against Southeast Asian Government Linked to Stately Taurus, Aka Mustang Panda. Retrieved September 9, 2025. ↩↩↩↩↩↩↩↩↩↩↩↩
-
Sudeep Singh. (2025, April 16). Latest Mustang Panda Arsenal: ToneShell and StarProxy | P1. Retrieved July 21, 2025. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
Golo Muhr, Joshua Chung. (2025, May 15). Hive0154 targeting US, Philippines, Pakistan and Taiwan in suspected espionage campaign. Retrieved August 4, 2025. ↩↩↩↩↩↩↩↩↩↩↩
-
Nathaniel Morales, Nick Dai. (2025, February 18). Earth Preta Mixes Legitimate and Malicious Components to Sidestep Detection. Retrieved September 10, 2025. ↩↩↩↩↩↩↩↩↩↩↩↩↩
-
Nick Dai, Vickie Su, Sunny Lu. (2022, November 18). Earth Preta Spear-Phishing Governments Worldwide. Retrieved August 4, 2025. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
CSIRT CTI. (2024, January 23). Stately Taurus Targets Myanmar Amidst Concerns over Military Junta’s Handling of Rebel Attacks. Retrieved August 4, 2025. ↩↩↩↩↩
-
Sunny Lu, Vickie Su, Nick Dai. (2023, June 14). Behind the Scenes: Unveiling the Hidden Workings of Earth Preta. Retrieved September 10, 2025. ↩↩↩
-
Tom Fakterman. (2024, September 6). Chinese APT Abuses VSCode to Target Government in Asia. Retrieved March 24, 2025. ↩↩↩↩↩
-
Robert Falcone. (2025, February 20). Stately Taurus Activity in Southeast Asia Links to Bookworm Malware. Retrieved July 21, 2025. ↩