Top Tweets for #ToneShell
APT Analysis: Mustang Panda & ToneShell
#MustangPanda #ToneShell #APT #CyberSecurity #ThreatIntel #MalwareAnalysis #Rootkit #امنیت_سایبری #تهدیدات_سایبری #تحلیل_بدافزار
1/6
ToneShell is a long-dwell backdoor used by China-linked APTs. Low-noise C2 and strong concealment keep its espionage activity going. Recently it has been paired with a rootkit to further strengthen invisibility. Detection = the intrusion may already be deep. #APT #ToneShell #CyberEspionage https://t.co/fsv4GkgTIW
HoneyMyte aka Mustang Panda is using a signed rootkit to drop the #ToneShell backdoor in ongoing attacks, hiding its activity from security tools and giving attackers remote access to the system.
Read: https://t.co/31dsia9x3r
#CyberSecurity #HoneyMyte #MustangPanda #Malware
Mustang Panda's latest attack: spread via the Thailand-only USB worm SnakeDisk plus a drop of the stealthy Yokai backdoor. ToneShell versions 8/9 evade detection with FakeTLS, TLS 1.3 record headers, PRNG-based concealment and more. #MustangPanda #USBWorm #ToneShell
https://t.co/l5sz3Nx1OR
Cyber_Safety_Checklist_2025.rar
#ToneShell uploaded from SG on 2025-07-30.
Is HoneyMyte (Mustang Panda) currently targeting Singapore? I'm not sure...
https://t.co/grZBhqKPD0
CC: @douglasmun
Hotel Booking Request.7z
#ToneShell's HoneyMyte, uploaded from Singapore last month
https://t.co/LRn8C3YVrk
💡 A deep look into attacker behavior through open data.
https://t.co/eFAOiVVMi1
Our research led us to a cyber espionage campaign using the #ToneShell backdoor, targeting attendees of the 2024 #IISS #DefenceSummit in Prague.
The attack employed a malicious PIF file disguised as the summit agenda, which, upon execution, deployed SFFWallpaperCore.exe and libemb.dll.
See what we found ⬇️
#CyberSecurity #ThreatHunting #MalwareAnalysis
Identified that the RC4 key used in #MustangPanda's new #keylogger #CorKLOG is identical to the RC4 key found in the 2023 #ToneShell variant deployed in a campaign attributed to the Chinese TA #CeranaKeeper (@ESETresearch)
#cyber #dfir #infosec #cybersecurity #malware #threatintel #cti #apt

Mustang Panda is using MAVInject.exe to inject malware into waitfor.exe, bypassing ESET with a TONESHELL backdoor.
Memorizing policies and chasing non-technical certs won’t stop real attackers.
#CyberSecurity #ThreatHunting #APT #MAVInject #TONESHELL
https://t.co/ojw7ejVvuo
Potential Mustang Panda's #ToneShell with low detection, uploaded from Turkey.
https://t.co/1gHktnhAFx
@ESETresearch Sigma and YARA rules to detect #PoohLoader and #Toneshell are now available on my GitHub. Check them out!
https://t.co/HS7wEHOf9p
(malicious) EACore.dll https://t.co/Okyzt05v46
C2 - www.militarytc[.]com:443
#malware #mustangpanda #toneshell
A new Mustang Panda loader? It checks for @ESET AV and, if detected, uses LOLBins (Mavinject) to inject #Toneshell into waitfor.exe.
Setup Factory → DLL Side-loading (EACore.dll) → regsvr32 → Mavinject → Waitfor → Toneshell.
I’m calling it #PoohLoader🤣
FYI: @salmanvsf

#ToneShell uploaded to VT from TH
Notice of Final Meeting - bcbea3850e69e2884d7cd4d03c5ac851
Attendee list template (24-6-2024) - e21ed2212f38d8db35507f793c5b5f2a
Invitation letter - 0873d4d8db314710c63448be9b9e5a45
C2
47.89.131.190
45.144.165.66
185.62.57.118
#MustangPanda
https://t.co/G4Kg5cGigj
This sounds more like #ToneShell than a new variant - even down to the YK prefix. This is not a new malware. @netskop
New C2 servers related to the Chinese #APT group #MustangPanda (AKA #EarthPreta), contacted by #Toneshell malware:
srv1[.]blackberrygame[.]com
146[.]70.149.186
@TrendMicroRSRCH
#ToneShell #MustangPanda
Uploaded from India on 2024-11-14 06:13:40 UTC
https://t.co/McwKU8mU0v
opera_elf.dll
PDB: E:\\https://t.co/eC6yjaOZ0v\\Release\\https://t.co/eC6yjaOZ0v.pdb
C2:
formainservercheap[.]com
65.20.73[.]88
🎯 #CTI Spotted : a new malicious exe "Myanmar Ethnic Army Report.exe" (c27a33fda1f7edfe5c7b6d9b4589e2fce68f79a4f7d208ab58f154aee74ca122) dropping #ToneShell "libglib-2.0-0.dll" (909364fec2a37e2b9ba92aafcec51849710f8a54b3431ff9f043bc410c929e74) & communicating w/ 146.19.254[.]124
#APT #MustangPanda #StatelyTaurus #HoneyMyte #PUBLOAD #Toneshell #PlugX #Malware #Threat
📍🇨🇳
💥🇲🇲🌏
⛓️ #Phishing > ISO > #Lnk > Side-Load legitimate exe > Persistence > legitimate Exe (SideLoad) > #C2
🔗CSIRT-CTI report: https://t.co/lkCUgdheiW

#APT #MustangPanda activity in New 2024 Year 🚨
We’ve noticed online activity by the operator affiliated with [#MustangPanda / #EarthPreta], employing the Backdoor [#ToneShell / #Pubload]
We’re sure there was a real person on the other end of the line because he made a typo 🤨
Check the sample - PCAP with the operator's traffic↘️
https://t.co/pirKE46AeN
This type of #backdoor fakes a TLS connection (Fake-TLS).
An earlier version of the #Backdoor was covered here ↘️
https://t.co/kuLjB29AtA
From the beginning of 2024, MustangPanda used a lure ASEAN2024.lnk ↘️
https://t.co/0FeZ8U0FrI
Weaponized New Year's greeting file 'happy new year.zip' came across on 3 January 2024 ↘️
https://t.co/YjlWcwXFdE
Let's highlight some protocol details that we found out:
🔻The main difference from a legit one is that the malware's TLS connection skips the Handshake part.
🔻The encryption key for messages is contained in the first packet
The first packet has the following structure:
17 0303 [Payload Len] [128 XOR Key] [Encrypted Check-In Data]
📌 List of commands identified in the traffic
System opcodes:
0x03 FF - KeepAlive C2 Request
0x03 00 - KeepAlive Client Response
0x04 FF - KeepAlive C2 Request
Opcodes for the remote console:
0x11 0F - Shell Open
0x12 0F - C2 Command
0x15 00 - Client Response
0x14 00 - Client Response
File manager opcodes:
0x09 0F - Directory Change
0x04 00 - Directory Data Send
0x05 00 - Directory Data End
0x06 00 - File Manager Error
🔐 Decrypt any message in the stream by getting the key from the first message, using the #CyberChef recipe we developed
Note: key length may vary due to tool customization ↘️
https://t.co/vUxaCorAeY
A brief guide for the recipe:
1️⃣ Download the first packet from the backdoor stream placed in the ANYRUN sandbox
2️⃣ Open the downloaded file in the input section of CyberChef
3️⃣ Since the recipe operates with hex key values, you can extract the key ($R0 variable)
4️⃣ Use the extracted key to decrypt the rest of the messages in the stream
Track the activity of the group using the tag MustangPanda ↘️
https://t.co/e7Uxl6K2M6
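The first-packet layout and key extraction described in the thread above, as an added example that is neither ANY.RUN's code nor the CyberChef recipe it links. It assumes the 2-byte length field covers key plus data as in a real TLS record, that later records carry only encrypted data, and that the "XOR Key" is applied as a repeating-key XOR; a constructed 16-byte key stands in for the 128-byte one since the thread notes the length varies.

```python
import struct

TLS_APP_DATA = b"\x17\x03\x03"  # fake TLS 1.2 application-data record header

def split_records(stream: bytes):
    """Yield the payload of every 0x17 0x03 0x03 record in a captured stream."""
    off = 0
    while off + 5 <= len(stream):
        if stream[off:off + 3] != TLS_APP_DATA:
            raise ValueError(f"not a fake-TLS application-data record at {off}")
        (length,) = struct.unpack(">H", stream[off + 3:off + 5])
        yield stream[off + 5:off + 5 + length]
        off += 5 + length

def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (assumption: the thread only says '[128 XOR Key]')."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def extract_key(first_payload: bytes, key_len: int = 128) -> bytes:
    """The key is the first key_len bytes after the record header (length varies)."""
    if len(first_payload) < key_len:
        raise ValueError("first record is shorter than the expected key length")
    return first_payload[:key_len]

def decrypt_stream(stream: bytes, key_len: int = 128):
    """Return (key, [plaintexts]): the check-in data first, then each later record."""
    records = list(split_records(stream))
    key = extract_key(records[0], key_len)
    clear = [xor_with_key(records[0][key_len:], key)]
    clear += [xor_with_key(r, key) for r in records[1:]]
    return key, clear

def opcode_of(plaintext: bytes) -> str:
    """Two-byte opcode as hex, matching the '0x03 FF' style of the thread's list."""
    return plaintext[:2].hex()

# Constructed sample stream (not real traffic); a 16-byte key stands in for 128.
SAMPLE_KEY = bytes(range(0x10, 0x20))
def _record(body: bytes) -> bytes:
    return TLS_APP_DATA + struct.pack(">H", len(body)) + body
SAMPLE_STREAM = (
    _record(SAMPLE_KEY + xor_with_key(b"HOST=lab-pc", SAMPLE_KEY))  # check-in
    + _record(xor_with_key(b"\x03\xff", SAMPLE_KEY))  # KeepAlive C2 request
    + _record(xor_with_key(b"\x11\x0f", SAMPLE_KEY))  # Shell Open
)

if __name__ == "__main__":
    key, msgs = decrypt_stream(SAMPLE_STREAM, key_len=16)
    print(key.hex(), [opcode_of(m) for m in msgs[1:]], msgs[0])
```

On a real capture, pass the raw TCP payload of the C2 stream and the key length the CyberChef recipe reports for that build.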