Mustang Panda is targeting Windows users with malware known as ToneShell, which disguises itself as Google Chrome.
A sophisticated new cyber campaign has emerged, targeting Windows users through a deceptive malware variant known as ToneShell, which masquerades as the legitimate Google Chrome browser. The advanced persistent threat (APT) group Mustang Panda, recognised for its strategic targeting of government and technology sectors, has deployed this latest tool as part of an ongoing espionage operation aimed at infiltrating corporate networks and stealing sensitive information. The malware campaign utilises social engineering techniques to distribute ToneShell via compromised websites and phishing emails, often presenting itself as a Chrome browser update or installation package. Initial infection vectors include malicious email attachments disguised as legitimate software installers and drive-by downloads from compromised websites that redirect users to fake Chrome download pages. ToneShell exhibits sophisticated evasion capabilities, employing process hollowing techniques to inject malicious code into legitimate system processes while maintaining the appearance of normal Chrome browser activity.
The impact of this campaign extends beyond individual users, as ToneShell functions as a backdoor enabling remote access, data exfiltration, and lateral movement within compromised networks. Organisations across multiple sectors have reported suspicious network activity consistent with Mustang Panda’s operational patterns, including unauthorised data transfers and reconnaissance activities targeting intellectual property and government communications. ToneShell employs a multi-stage deployment process that begins with a dropper component designed to evade endpoint detection systems. Upon execution, the malware creates a hollowed Chrome process and injects its payload, establishing communication with command and control servers through encrypted channels that mimic legitimate Chrome network traffic patterns. This sophisticated approach allows ToneShell to remain undetected while maintaining persistent access to compromised systems, highlighting the evolving threat landscape facing Windows users and organisations worldwide. To enhance incident response, Security Operations Centres (SOCs) should equip themselves with full access to the latest threat data from ANY.RUN TI Lookup.
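The article describes a hollowed Chrome process created by a dropper that arrived as a fake installer. The memory replacement itself is only visible to an EDR that compares the mapped image against the on-disk binary, but the surrounding process-creation telemetry still offers defenders useful signals. The script below is an added illustration, not code from the article, from ANY.RUN or from any ToneShell analysis: it scores constructed Sysmon-style process-creation records for a chrome.exe that starts from an unexpected directory, is launched by an unexpected parent, or is launched by a parent executing from a user-writable location such as Downloads or Temp. The legitimate install directories, the expected-parent set, the user-writable markers and the `Key=Value | Key=Value` record format are all assumptions chosen for this example and should be tuned to the estate being monitored.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories where a genuine chrome.exe is installed (assumed baseline; adjust per estate).
LEGIT_CHROME_DIRS = {
    r"c:\program files\google\chrome\application",
    r"c:\program files (x86)\google\chrome\application",
}
# Per-user Chrome installs live under %LOCALAPPDATA%; matched by regex because the user name varies.
USER_CHROME_DIR = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\google\\chrome\\application$")
# Parents that normally launch chrome.exe on a workstation (assumption; Chrome spawns its own children).
EXPECTED_PARENTS = {"explorer.exe", "chrome.exe"}
# Locations a mailed or drive-by "installer" typically executes from (assumption).
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\users\\public\\")


@dataclass
class ProcEvent:
    image: str          # full path of the newly created process
    parent_image: str   # full path of the creating process
    command_line: str


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed 'Key=Value | Key=Value' process-creation record."""
    fields = dict(part.split("=", 1) for part in line.strip().split(" | "))
    return ProcEvent(fields["Image"], fields["ParentImage"], fields.get("CommandLine", ""))


def chrome_alerts(ev: ProcEvent) -> list[str]:
    """Return the reasons a chrome.exe start looks like a hollowing host rather than a normal browser launch."""
    reasons: list[str] = []
    image = PureWindowsPath(ev.image)
    if image.name.lower() != "chrome.exe":
        return reasons  # only events that claim to be Chrome are scored here

    image_dir = str(image.parent).lower()
    if image_dir not in LEGIT_CHROME_DIRS and not USER_CHROME_DIR.match(image_dir):
        reasons.append(f"chrome.exe outside known install directory: {image.parent}")

    parent = PureWindowsPath(ev.parent_image)
    if parent.name.lower() not in EXPECTED_PARENTS:
        reasons.append(f"unusual parent process: {parent.name}")

    parent_dir = str(parent.parent).lower() + "\\"
    if any(marker in parent_dir for marker in USER_WRITABLE_MARKERS):
        reasons.append(f"parent executed from user-writable location: {parent.parent}")
    return reasons


def scan(lines):
    """Return (image path, reasons) for every record that trips at least one heuristic."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = chrome_alerts(ev)
        if reasons:
            hits.append((ev.image, reasons))
    return hits


# Constructed sample records (not real telemetry); each line is chosen to exercise one outcome.
SAMPLE_EVENTS = [
    r"Image=C:\Program Files\Google\Chrome\Application\chrome.exe | ParentImage=C:\Windows\explorer.exe | CommandLine=chrome.exe",
    r"Image=C:\Program Files\Google\Chrome\Application\chrome.exe | ParentImage=C:\Program Files\Google\Chrome\Application\chrome.exe | CommandLine=chrome.exe --type=renderer",
    r"Image=C:\Program Files\Google\Chrome\Application\chrome.exe | ParentImage=C:\Users\alice\Downloads\ChromeSetup_update.exe | CommandLine=chrome.exe",
    r"Image=C:\Users\alice\AppData\Local\Temp\chrome.exe | ParentImage=C:\Windows\System32\cmd.exe | CommandLine=chrome.exe",
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(image)
        for reason in reasons:
            print("  -", reason)
```

The first two records are a normal browser launch and a normal Chrome child and produce no alert; the third (a real chrome.exe started by a freshly downloaded "update" installer) and the fourth (a chrome.exe copy in Temp started from a shell) each trip two heuristics. Parent-path and image-path checks like these are cheap to run over existing Sysmon or EDR process logs and complement, rather than replace, in-memory image comparison, which is what actually confirms hollowing.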