S1239: TONESHELL
Analyst context for executives and security teams
TONESHELL is a Windows backdoor documented in ATT&CK as used since at least Q1 2021 and previously leveraged by Mustang Panda. Its mapped behaviors span command-and-control, discovery, execution, persistence, stealth, credential collection, and screen capture, making it relevant to leadership as a post-compromise capability rather than a single alert signature. The business question is whether Windows endpoint, network, and identity telemetry can reconstruct what a backdoor did after access was gained.
Executive priority
Prioritize TONESHELL as a resilience and response-readiness issue: if a custom backdoor reaches Windows systems, defenders need evidence for C2 traffic, host discovery, persistence through scheduled tasks or services, command execution, credential exposure through keylogging, and possible collection such as screen capture. Security leaders should ask whether SOC and IR teams can prove coverage for these behaviors, not just whether a known malware hash is blocked. This is especially important for organizations where espionage, sensitive document access, government or NGO exposure, or audit evidence around endpoint monitoring and incident containment are material concerns.
Technical view
ATT&CK does not provide a dedicated detection section for TONESHELL, so validation should be behavior-led using the mapped relationships. On Windows, review coverage for WMI execution, Windows command shell use, scheduled task creation or modification, suspicious service/task masquerading, DLL injection, dynamic API resolution indicators, file deletion, LNK shortcut abuse, discovery commands or API activity for users/processes/windows/system information/accounts, keylogging and screen capture indicators, ingress tool transfer, and C2 over web protocols, non-application-layer protocols, protocol/service impersonation, and non-standard encoding. Treat the Mustang Panda relationship as threat-intelligence context for prioritization, not as standalone proof of attribution in a local incident.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- Windows scheduled task and service creation/modification logs
- WMI activity and remote/local execution records
- Endpoint file creation, deletion, rename, and shortcut/LNK metadata observations
- EDR memory/process telemetry for DLL injection or suspicious native API use
Detection direction
- Because no official TONESHELL detection text is supplied, build detections around the related ATT&CK techniques rather than relying on static indicators alone.
- Tune for combinations: scheduled task or masqueraded service creation followed by command shell/WMI execution, discovery activity, file transfer, and unusual outbound communications is more meaningful than any one event by itself.
- Validate network visibility for web-protocol C2, protocol impersonation, non-application-layer communications, and non-standard encoding; encrypted or protocol-like traffic may reduce content inspection value, so metadata and endpoint correlation matter.
- Review false positives carefully for administration tools: WMI, scheduled tasks, cmd.exe, native APIs, and service changes are common in legitimate IT operations and need baselines, signer/path context, parent-child process context, and change-management correlation.
- Check blind spots around oversized or padded binaries, dynamically resolved APIs, LNK metadata abuse, and process injection, as these behaviors can weaken hash-based, static, or superficial file inspection.
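As an added illustration of the "tune for combinations" point (example code, not part of the ATT&CK object or the Glexia analysis), the following Python correlates constructed sample endpoint events per host: a persistence event (scheduled task or service creation, using the DISMsrv name from the procedure table) followed within a short window by a shell/WMI/regsvr32/MAVInject process start and an outbound connection. The event field names and the sample records are assumptions of this example.

```python
"""Correlate Windows host events into the multi-stage chain described above:
persistence (scheduled task or service install), then shell/WMI/LOLBIN
execution and an outbound connection on the same host within a short window.

Added example. Event records are constructed, not real telemetry; the field
names `host`, `ts`, `kind`, `detail` are assumptions of this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PERSISTENCE = {"task_created", "service_installed"}
EXECUTION = {"process_created"}
# Images the procedure table associates with execution/injection.
EXEC_IMAGES = {"cmd.exe", "wmic.exe", "regsvr32.exe", "mavinject.exe"}
NETWORK = {"net_connect"}

# Constructed sample events. DISMsrv and the image names come from the
# procedure table; hosts, timestamps and addresses are made up.
SAMPLE_EVENTS = [
    {"host": "WS-01", "ts": "2025-01-10T09:00:02", "kind": "service_installed", "detail": "DISMsrv"},
    {"host": "WS-01", "ts": "2025-01-10T09:00:40", "kind": "process_created", "detail": "cmd.exe"},
    {"host": "WS-01", "ts": "2025-01-10T09:01:15", "kind": "net_connect", "detail": "203.0.113.7:443"},
    # Admin host: a scheduled task, then an unrelated shell hours later. Not a chain.
    {"host": "WS-02", "ts": "2025-01-10T09:05:00", "kind": "task_created", "detail": "BackupNightly"},
    {"host": "WS-02", "ts": "2025-01-10T14:00:00", "kind": "process_created", "detail": "cmd.exe"},
]


def correlate(events, window=timedelta(minutes=10)):
    """Return {host: {stage: detail}} for hosts where a persistence event is
    followed within `window` by both an execution event using one of
    EXEC_IMAGES and an outbound connection. Single events never fire."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append((datetime.fromisoformat(e["ts"]), e))
    hits = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda p: p[0])
        for t0, anchor in evs:
            if anchor["kind"] not in PERSISTENCE:
                continue
            seen = {"persistence": anchor["detail"]}
            for t, e in evs:
                if not (t0 <= t <= t0 + window):
                    continue
                if e["kind"] in EXECUTION and e["detail"].lower() in EXEC_IMAGES:
                    seen["execution"] = e["detail"]
                elif e["kind"] in NETWORK:
                    seen["network"] = e["detail"]
            if {"persistence", "execution", "network"} <= set(seen):
                hits[host] = seen
                break  # one chain per host is enough to raise the host
    return hits


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(host, stages)
```

In production the same logic runs over Security/Sysmon/EDR feeds, and the false-positive controls listed above (signer/path, parent process, change tickets) are applied to the flagged chain rather than to each event.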
Mitigation priorities
- Start with telemetry assurance: confirm Windows endpoints, network egress points, and identity-relevant logs are collected, retained, and searchable for the mapped behaviors.
- Reduce execution and persistence opportunities by hardening scheduled task, service, WMI, command shell, and shortcut handling according to enterprise policy and least-privilege administration.
- Strengthen endpoint prevention and monitoring for process injection, suspicious native API use, file deletion after execution, and masqueraded binaries or services.
- Apply egress control and monitoring for unusual outbound web traffic, non-standard protocols, and protocol impersonation patterns; ensure exceptions are governed and reviewed.
- Prepare IR playbooks for suspected backdoor activity that include host isolation, persistence review, credential exposure assessment, account discovery follow-up, and collection impact scoping.
Analyst notes and limits
This take is based on ATT&CK S1239 TONESHELL, its official description, external references, and listed relationships. The object is a Windows malware entry with no ATT&CK tactics specified directly and no official detection guidance provided. The related techniques supply the practical defensive lens: C2, execution, persistence, stealth, discovery, credential collection, collection, and tool transfer behaviors.
Local exposure, active exploitation, specific indicators, affected business units, and detection coverage cannot be inferred from the supplied ATT&CK fields. Some related techniques list broader platforms, but the TONESHELL object itself is supplied as Windows. Any attribution to Mustang Panda in an investigation should be treated as contextual until supported by environment-specific evidence.
TONESHELL
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1480.001 | Environmental Keying Sub-technique | TONESHELL has generated unique GUIDs to identify victim devices. [Trend Micro Mustang Panda Earth Preta Toneshell February 2025] [2022 November_TrendMicro_Earth Preta_Toneshell_Pubload] [Zscaler] TONESHELL has leveraged environmental keying in payload delivery using the victim computer name and other configuration values. [2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA] TONESHELL has also tracked IDs associated with reverse shell subprocesses to manage interactions and terminations from C2. [Trend Micro Mustang Panda Earth Preta Toneshell February 2025] [Zscaler] |
| Enterprise | T1480 | Execution Guardrails | TONESHELL has an exception handler that executes when ESET antivirus applications `ekrn.exe` and `egui.exe` are not found and directly injects its code into waitfor.exe using Native Windows API including `WriteProcessMemory` and `CreateRemoteThreadEx`. [Trend Micro Mustang Panda Earth Preta Toneshell February 2025] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | |
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | TONESHELL has checked for the presence of ESET antivirus applications `ekrn.exe` and `egui.exe`. [Trend Micro Mustang Panda Earth Preta Toneshell February 2025] |
| Enterprise | T1678 | Delay Execution | TONESHELL has the ability to pause operations for a specified duration prior to follow-on execution of activities. [Zscaler] |
| Enterprise | T1113 | Screen Capture | TONESHELL has conducted screen capturing. [Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023] |
| Enterprise | T1497.002 | User Activity Based Checks Sub-technique | TONESHELL has leveraged `GetForegroundWindow` to detect virtualization or sandboxes by calling the API twice and comparing each window handle. [2022 November_TrendMicro_Earth Preta_Toneshell_Pubload] |
| Enterprise | T1057 | Process Discovery | TONESHELL has checked the process name and process path to ensure it matches the expected one prior to triggering a custom exception handler. [2022 November_TrendMicro_Earth Preta_Toneshell_Pubload] TONESHELL has also searched for running antivirus processes, including ESET’s antivirus-associated executables ekrn.exe and egui.exe. [Trend Micro Mustang Panda Earth Preta Toneshell February 2025] |
| Enterprise | T1082 | System Information Discovery | TONESHELL has the ability to retrieve the name of the infected machine. [2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA] [Trend Micro Mustang Panda Earth Preta Toneshell February 2025] [Zscaler] |
| Enterprise | T1027.007 | Dynamic API Resolution Sub-technique | TONESHELL has utilized a modified DJB2 algorithm to resolve APIs. [Zscaler] |
| Enterprise | T1574.001 | DLL Sub-technique | TONESHELL has abused legitimate executables to side-load malicious DLLs. [CSIRT CTI MUSTANG PANDA PUBLOAD TONESHELL JAN 2024] [ATTACKIQ MUSTANG PANDA TONESHELL March 2023] [Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023] [Trend Micro Mustang Panda Earth Preta Toneshell February 2025] [2022 November_TrendMicro_Earth Preta_Toneshell_Pubload] [Trend Micro Mustang Panda Earth Preta TONESHELL June 2023] TONESHELL has also been loaded via DLL side-loading, using legitimate, signed executables including FastVD.exe, Bandizip.exe and gpgconf.exe. [Zscaler] |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | TONESHELL has created scheduled tasks to maintain persistence. [ATTACKIQ MUSTANG PANDA TONESHELL March 2023] [Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023] |
| Enterprise | T1047 | Windows Management Instrumentation | TONESHELL has used WMI queries to gather information from the system. [ATTACKIQ MUSTANG PANDA TONESHELL March 2023] |
| Enterprise | T1132.002 | Non-Standard Encoding Sub-technique | |
| Enterprise | T1680 | Local Storage Discovery | TONESHELL has retrieved the disk serial number of the device using the WMI query `SELECT volumeserialnumber FROM win32_logicaldisk where Name ='C:'` to identify the victim machine. [ATTACKIQ MUSTANG PANDA TONESHELL March 2023] |
| Enterprise | T1070.004 | File Deletion Sub-technique | TONESHELL has deleted payload files received from the C2 server. [Zscaler] |
| Enterprise | T1056.001 | Keylogging Sub-technique | TONESHELL has capabilities to conduct keylogging. [Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | TONESHELL has added Registry Run keys to achieve persistence. [Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023] |
| Enterprise | T1105 | Ingress Tool Transfer | TONESHELL has the ability to download additional files to the victim device. [Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023] |
| Enterprise | T1010 | Application Window Discovery | TONESHELL has used `GetForegroundWindow` to detect virtualization or sandboxes by calling the API twice and comparing each window handle. [2022 November_TrendMicro_Earth Preta_Toneshell_Pubload] |
| Enterprise | T1218.010 | Regsvr32 Sub-technique | TONESHELL has used regsvr32.exe to execute the Windows `DLLRegisterServer` function. [Trend Micro Mustang Panda Earth Preta Toneshell February 2025] |
| Enterprise | T1553.002 | Code Signing Sub-technique | TONESHELL has used valid legitimate digital signatures and certificates to evade detection. [CSIRT CTI MUSTANG PANDA PUBLOAD TONESHELL JAN 2024] |
| Enterprise | T1055.001 | Dynamic-link Library Injection Sub-technique | TONESHELL has used DLL injection to execute payloads received from the C2 server. [Zscaler] |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | TONESHELL has decoded its payload prior to execution. [2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA] [Trend Micro Mustang Panda Earth Preta Toneshell February 2025] [2022 November_TrendMicro_Earth Preta_Toneshell_Pubload] [Zscaler] [Unit42 Chinese VSCode 06 September 2024] |
| Enterprise | T1543.003 | Windows Service Sub-technique | TONESHELL has created a malicious service DISMsrv to maintain persistence. [Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023] |
| Enterprise | T1095 | Non-Application Layer Protocol | TONESHELL has utilized TCP-based reverse shells. [2022 November_TrendMicro_Earth Preta_Toneshell_Pubload] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | |
| Enterprise | T1027.001 | Binary Padding Sub-technique | TONESHELL has used randomized padding to obfuscate payloads. [Zscaler] [Unit42 Chinese VSCode 06 September 2024] |
| Enterprise | T1036.004 | Masquerade Task or Service Sub-technique | TONESHELL has masqueraded as the legitimate Windows utility service DISMsrv (Dism Images Servicing Utility Service). [Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023] |
| Enterprise | T1622 | Debugger Evasion | TONESHELL has leveraged custom exception handlers to hide code flow and stop execution of a debugger. [2022 November_TrendMicro_Earth Preta_Toneshell_Pubload] |
| Enterprise | T1218.013 | Mavinject Sub-technique | TONESHELL has injected its malicious payload into a running process through the Windows utility Microsoft Application Virtualization Injector `MAVInject.exe`. [Trend Micro Mustang Panda Earth Preta Toneshell February 2025] |
| Enterprise | T1134.002 | Create Process with Token Sub-technique | TONESHELL included functionality to create sub-processes with a specific user’s token. [Zscaler] |
| Enterprise | T1087 | Account Discovery | TONESHELL included functionality to retrieve a list of user accounts. [Zscaler] |
| Enterprise | T1480.002 | Mutual Exclusion Sub-technique | TONESHELL has created a mutex to avoid duplicate execution. [2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA] |
| Enterprise | T1033 | System Owner/User Discovery | TONESHELL has obtained the username from an infected host. [2022 November_TrendMicro_Earth Preta_Toneshell_Pubload] |
| Enterprise | T1106 | Native API | TONESHELL has utilized Native Windows API functions such as `WriteProcessMemory` and `CreateRemoteThreadEx`. [Trend Micro Mustang Panda Earth Preta Toneshell February 2025] TONESHELL has also utilized Windows API functions for creating seed values, including `CoCreateGuid` and `GetTickCount`. [2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA] [Zscaler] TONESHELL has leveraged the legitimate API function `EnumSystemLocalesA` to run its shellcode through the callback function. [Palo Alto Networks, Unit 42] |
| Enterprise | T1205 | Traffic Signaling | TONESHELL has utilized a magic value in C2 communications and only executes in memory when response packets match specific values. [Trend Micro Mustang Panda Earth Preta Toneshell February 2025] [2022 November_TrendMicro_Earth Preta_Toneshell_Pubload] [Trend Micro Mustang Panda Earth Preta TONESHELL June 2023] |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | TONESHELL has created a reverse shell using `cmd.exe`. [2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA] [Zscaler] |
| Enterprise | T1027.012 | LNK Icon Smuggling Sub-technique | TONESHELL has been initiated using LNK files that were programmed to display a PDF icon to entice the victim to click on the file, which executes an office.exe binary. [CSIRT CTI MUSTANG PANDA PUBLOAD TONESHELL JAN 2024] |
| Enterprise | T1559 | Inter-Process Communication | TONESHELL has facilitated inter-process communication between DLL components via the use of pipes. [Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023] TONESHELL has also created a reverse shell using two anonymous pipes to write data to stdin and read data from stdout and stderr. [2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA] |
| Enterprise | T1001.003 | Protocol or Service Impersonation Sub-technique | TONESHELL used FakeTLS headers in network packets to impersonate various versions of the TLS protocol and blend in with legitimate network traffic. [2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA] [Zscaler] TONESHELL variants have utilized FakeTLS headers with the bytes `0x17 0x03 0x03` to represent TLSv1.2 and `0x17 0x03 0x04` for TLSv1.3. [Zscaler] |
| Enterprise | T1560.001 | Archive via Utility Sub-technique | TONESHELL used WinRAR rar.exe to archive files for exfiltration. [Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023] [Unit42 Chinese VSCode 06 September 2024] TONESHELL has also utilized a unique 13-character password consisting of upper- and lowercase letters and digits to protect RAR archives. [Unit42 Chinese VSCode 06 September 2024] |
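As an added defender-side example (not from the ATT&CK object or any cited vendor report), this Python checks the first client bytes of a reassembled outbound TCP session for the FakeTLS framing described in the T1001.003 row: an application-data record (type 0x17) that appears with no preceding handshake, and the record version 0x0304, which a real TLS 1.3 stack never places in the record header (the record layer keeps the legacy value 0x0303). The sample payloads are constructed byte strings, not captures.

```python
"""Flag TCP sessions whose first bytes look like a TLS record header pasted
onto plain data (FakeTLS), as described for T1001.003 above.

Added example; payloads below are constructed, not captured traffic.
Assumes the caller supplies the reassembled client->server bytes, so a
record split across TCP segments is not mistaken for a length mismatch.
"""
import struct

APPLICATION_DATA = 0x17
HANDSHAKE = 0x16
# Record-layer versions a real TLS stack puts on the wire. TLS 1.3 keeps
# 0x0303 as legacy_record_version (RFC 8446), so 0x0304 is never genuine.
VALID_RECORD_VERSIONS = {0x0301, 0x0302, 0x0303}


def parse_record(buf):
    """Return (type, version, declared_length, body) for the record at the
    start of buf, or None when fewer than 5 header bytes are present."""
    if len(buf) < 5:
        return None
    rtype, ver, length = struct.unpack("!BHH", buf[:5])
    return rtype, ver, length, buf[5:5 + length]


def check_session(first_payload):
    """Return the list of reasons the session start looks like FakeTLS.
    An empty list means it is consistent with a genuine TLS ClientHello."""
    reasons = []
    rec = parse_record(first_payload)
    if rec is None:
        return ["too short for a TLS record header"]
    rtype, ver, length, body = rec
    if rtype == APPLICATION_DATA:
        # A real session opens with a Handshake record; encrypted
        # application data cannot precede the key exchange.
        reasons.append("application_data record before any handshake")
    if ver not in VALID_RECORD_VERSIONS:
        reasons.append(f"record version 0x{ver:04x} is not emitted by real TLS")
    if len(body) != length:
        reasons.append("declared record length does not match payload")
    return reasons


# Constructed samples: a minimal handshake start and two FakeTLS beacons.
REAL_START = bytes([HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", 4) + b"\x01\x00\x00\x00"
FAKE_TLS12 = bytes([0x17, 0x03, 0x03]) + struct.pack("!H", 6) + b"beacon"
FAKE_TLS13 = bytes([0x17, 0x03, 0x04]) + struct.pack("!H", 6) + b"beacon"

if __name__ == "__main__":
    for name, sample in [("real", REAL_START), ("fake12", FAKE_TLS12), ("fake13", FAKE_TLS13)]:
        print(name, check_session(sample) or "consistent with TLS")
```

Because the framing check needs only the first record header, it works on flow metadata and packet captures alike and does not depend on decrypting the payload.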
Groups, software, and campaigns
G0129: Mustang Panda
Mustang Panda is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. Mustang Panda has been known to use tailored phishing lures and decoy documents to deliver malicious payloads. Mustang Panda has targeted government, diplomatic, and non-governmental organizations, including think tanks, religious institutions, and research entities, across the United States, Europe, and Asia, with notable activity in Russia, Mongolia, Myanmar, Pakistan, and Vietnam. [1][2][3][4][5][6][7][8][9][10][11][12][13]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 6dac529afe0f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023: Lior Rochberger, Tom Fakterman, Robert Falcone. (2023, September 22). Cyberespionage Attacks Against Southeast Asian Government Linked to Stately Taurus, Aka Mustang Panda. Retrieved September 9, 2025.
- [2] ATTACKIQ MUSTANG PANDA TONESHELL March 2023: Ken Towne, Francis Guibernau. (2023, March 23). Emulating the Politically Motivated Chinese APT Mustang Panda. Retrieved September 10, 2025.
- [3] Zscaler: Sudeep Singh. (2025, April 16). Latest Mustang Panda Arsenal: ToneShell and StarProxy | P1. Retrieved July 21, 2025.
- [4] mitre-attack S1239
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.