Cybersecurity researchers have brought to light a new wave of cyberespionage activity in which government networks across parts of Asia were quietly compromised using an upgraded version of the ToneShell backdoor. What sets this campaign apart is the method used to hide the malware. Instead of relying solely on user-level tools, the attackers deployed a kernel-mode component that operates deep within the Windows operating system, allowing the intrusion to remain largely invisible.
The activity has been linked with high confidence to a China-aligned cyberespionage group that has a long history of targeting government agencies, policy institutions, non-governmental organizations, and research bodies. Investigators say the campaign reflects a continued focus on long-term intelligence collection rather than short-lived attacks.
The findings come from an investigation by Kaspersky, which identified malicious system drivers on compromised machines in countries including Myanmar and Thailand. Evidence suggests the campaign has been active since at least February 2025. In several cases, the affected systems had previously been infected with older espionage tools tied to the same threat ecosystem, indicating that access was maintained and expanded over time.
At the centre of the operation is a malicious kernel-mode driver disguised as a legitimate system component. The driver is digitally signed using an older certificate that appears to have been improperly reused, helping it avoid immediate suspicion during installation. Once active, it acts as a rootkit, injecting hidden code into normal processes and blocking attempts by security software to detect or remove it.
The driver protects itself aggressively. It prevents its files and registry entries from being altered, assigns itself a high execution priority, and interferes with Microsoft Defender by stopping key components from fully loading. While malicious code is running, it temporarily blocks access to infected processes, removing those restrictions afterwards to leave fewer traces behind.
The ToneShell backdoor delivered by this loader has also been updated. Earlier versions used a longer and more distinctive system identifier. The new variant switches to a shorter four-byte host marker, making individual infections harder to track. Its network traffic has been altered as well, with communications disguised to resemble legitimate encrypted web connections through the use of fake security headers.
Once installed, the backdoor gives attackers broad control over compromised systems. It can stage data in temporary files, upload and download information, cancel transfers when needed, open interactive remote command sessions, execute instructions in real time, and close connections cleanly to reduce forensic evidence. These features point to a tool designed for sustained, low-noise espionage rather than disruptive attacks.
Kaspersky warns that detecting this activity requires more than standard file scanning. Because much of the malicious behaviour occurs in memory and at the kernel level, advanced memory forensics are critical for uncovering infections. The researchers note that the campaign demonstrates a clear shift toward greater stealth and resilience, underscoring the growing sophistication of modern cyberespionage operations.
