Kernel Security | Breaking Cybersecurity News | The Hacker News

The Chinese hacking group known as Mustang Panda (aka HoneyMyte) has leveraged a previously undocumented kernel-mode rootkit driver to deliver a new variant of backdoor dubbed TONESHELL in a cyber attack detected in mid-2025 targeting an unspecified entity in Asia. The findings come from Kaspersky, which observed the new backdoor variant in cyber espionage campaigns mounted by the hacking group targeting government organizations in Southeast and East Asia, primarily Myanmar and Thailand. "The driver file is signed with an old, stolen, or leaked digital certificate and registers as a minifilter driver on infected machines," the Russian cybersecurity company said . "Its end-goal is to inject a backdoor trojan into the system processes and provide protection for malicious files, user-mode processes, and registry keys." The final payload deployed as part of the attack is TONESHELL, an implant with reverse shell and downloader capabilities to fetch next-stage malwa...

Threat actors have been exploiting a security vulnerability in Paragon Partition Manager's BioNTdrv.sys driver in ransomware attacks to escalate privileges and execute arbitrary code. The zero-day flaw (CVE-2025-0289) is part of a set of five vulnerabilities that was discovered by Microsoft, according to the CERT Coordination Center (CERT/CC). "These include arbitrary kernel memory mapping and write vulnerabilities, a null pointer dereference, insecure kernel resource access, and an arbitrary memory move vulnerability," CERT/CC said . In a hypothetical attack scenario, an adversary with local access to a Windows machine can exploit these shortcomings to escalate privileges or cause a denial-of-service (DoS) condition by taking advantage of the fact that "BioNTdrv.sys" is signed by Microsoft. This could also pave the way for what's called a Bring Your Own Vulnerable Driver ( BYOVD ) attack on systems where the driver is not installed, thereby allowing t...