Mustang Panda Uses Signed Kernel Driver to Evade Detection – Deep Dive into the Evasive New Threat

In a significant escalation in cyber espionage tactics, threat actors associated with the Mustang Panda group have been observed deploying a signed kernel-mode driver to evade detection and maintain persistence on targeted Windows systems. This development signals an important shift in malware sophistication, underscoring how advanced persistent threat (APT) actors are blending trusted mechanisms—like digitally signed drivers—with stealthy malware to bypass modern endpoint defenses and achieve long-term control over victim environments.

This comprehensive report examines what Mustang Panda’s new technique involves, how it works technically, which targets are most at risk, and what security teams should do to defend against this elevated threat. The analysis below is structured for clarity and depth, suitable for CISOs, security engineers, threat analysts, and IT leadership responsible for securing Windows-based networks.

Who Is Mustang Panda?

Mustang Panda—also tracked under names such as Bronze President and TA416—is a China-linked threat group that has been active since at least 2017. The group is best known for targeted cyber espionage campaigns against diplomatic, government, defense, and industrial sectors globally. Over the years, Mustang Panda has used a mix of custom tooling and publicly available malware, typically delivered via spear-phishing, malicious document exploits, or compromised infrastructure.

Historically, Mustang Panda has focused on intelligence gathering, long-term persistence, and lateral movement within compromised networks rather than disruptive attacks. The group’s evolution toward using signed kernel drivers represents a new level of sophistication and emphasis on stealth.
Overview of the New Kernel-Driver Technique

The recent campaign observed by cybersecurity researchers involves a multi-stage attack in which Mustang Panda uses a legitimate, digitally signed kernel-mode driver as part of its malware chain. The use of a signed driver is significant for several reasons:

- Trust and Evasion: Security software, especially Endpoint Detection and Response (EDR) agents and Windows Kernel Patch Protection, often trusts kernel drivers signed by Microsoft or trusted third parties. Attackers abuse this trust to run code at the kernel level with high privileges.
- Stealth: Kernel-mode components can hide the presence of user-mode malware, intercept OS calls, and subvert threat detection.
- Persistence: Once loaded into kernel space, malware components are more difficult to remove and can survive reboots unless specifically mitigated.

The driver in this case was found to be properly signed, making it appear legitimate to the operating system and defensive tools. The malicious payload executes in kernel context, providing Mustang Panda with advanced capabilities such as process hiding, keylogging, tampering with system telemetry streams, and subverting API calls that might otherwise expose its presence.

How the Attack Is Delivered

The infection chain typically begins with spear-phishing emails carrying malicious Microsoft Office documents or archive files. These attachments include either embedded exploits or macros that, when enabled, download and execute a user-mode dropper. In some observed cases, initial access was achieved through compromised web infrastructure hosting malicious documents.

Once executed in user context, the dropper performs the following actions:

Stage 1 — Initial Execution: The dropper executes a benign-looking application disguised as a document viewer or support tool. While the user sees expected behavior, the malware runs silently in the background.
Stage 2 — Kernel Driver Deployment: The dropper then retrieves the signed kernel driver and associated control binaries from a remote C2 (command-and-control) server.

Stage 3 — Kernel Loading: The malware uses legitimate Windows APIs to load the signed driver into kernel space. Because it is signed, many security controls do not prevent the driver from initializing.

Stage 4 — Persistence and Control: Once in kernel mode, the malicious component injects code into critical system processes, hooks system calls, and sets up communication channels to the C2 server for remote commands.

This layered delivery chain allows Mustang Panda to achieve both an initial foothold and deep persistence while reducing the likelihood of detection by endpoint security tools.

Technical Analysis: Abusing Signed Drivers

Signed drivers are typically used by hardware vendors and system utilities to extend kernel functionality. Windows enforces signature validation for kernel-mode drivers, and legitimate signatures help defense tools trust the code. However, attackers can abuse this trust in one of the following ways:

1. Using Legitimate Signed Code for Malicious Purposes

In some cases, attackers repurpose existing drivers with valid signatures by abusing their functionality or chaining them to malicious components. If the driver itself is vulnerable, attackers can use it to elevate privileges or perform arbitrary read/write operations in kernel space.

2. Illicitly Obtaining Signing Certificates

A more advanced technique involves attackers obtaining valid code-signing certificates through theft, social engineering, or fraudulent certification requests. This allows them to sign drivers that the OS will trust, even if the code was developed for malicious use.

3. DLL and Kernel Object Hijacking

Once a signed driver is loaded, the threat actor may use its trust to load additional unsigned or malicious modules through indirect mechanisms, effectively bypassing kernel signature checks for those modules.

In the Mustang Panda campaign, researchers observed that the kernel driver being used appears to be a known, signed component that has been repurposed in the malware chain. Whether the driver itself was maliciously edited or is being abused alongside other malicious code is still under investigation.

Capabilities Enabled by Kernel-Level Control

Once the malware achieves execution in kernel mode, it unlocks a wide range of advanced capabilities that would otherwise be difficult or impossible from user space:

Stealth and Anti-Detection: Kernel-mode rootkits can intercept and filter system calls related to process or file enumeration, hiding the presence of malicious processes, files, and network connections from security tools and administrators.

System Configuration Tampering: Because the kernel controls critical system functions, malware can alter configuration in ways that deny detection or disable updates, such as interacting directly with the Windows Filtering Platform, network stack, or security subsystems.

Persistence Beyond Reboots: Kernel drivers can register services or manipulate low-level boot configurations that ensure the malware component loads even after system restart.

Credential Access and Keylogging: Kernel access enables the malware to monitor user input (keyboard, mouse) and encrypt data streams at a level that evades user-mode monitoring.

Interception of Security Telemetry: By hooking into APIs that security solutions rely upon for telemetry, attackers can suppress, modify, or redirect visibility — effectively blinding defenders.
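Every capability above begins with the Stage 3 driver load, which is also where defenders get a clean telemetry point. The Python below is an added example written for this article, not code from the original report or from any vendor product: it runs three hunting rules over constructed Sysmon Event ID 6 (DriverLoad) records, checking signature state, load path, and the driver's digest against a constructed environment baseline and a placeholder vulnerable-driver blocklist. The sample records, the digests, and the signer name "Example Vendor Ltd" are all made up for illustration.

```python
import re
# Constructed sample of Sysmon Event ID 6 (DriverLoad) records flattened to
# key=value text; field names follow Sysmon's schema, all values are made up.
SAMPLE_EVENTS = [
    r"EventID=6 ImageLoaded=C:\Windows\System32\drivers\tcpip.sys Hashes=SHA256=baseline-tcpip Signed=true Signature=Microsoft Windows SignatureStatus=Valid",
    r"EventID=7 ImageLoaded=C:\Windows\System32\kernel32.dll Hashes=SHA256=not-a-driver Signed=true Signature=Microsoft Windows SignatureStatus=Valid",
    r"EventID=6 ImageLoaded=C:\Users\Public\support\view.sys Hashes=SHA256=vendor-signed-unknown Signed=true Signature=Example Vendor Ltd SignatureStatus=Valid",
    r"EventID=6 ImageLoaded=C:\ProgramData\svc\helper.sys Hashes=SHA256=no-signature Signed=false Signature=- SignatureStatus=Unavailable",
    r"EventID=6 ImageLoaded=C:\Windows\System32\drivers\oldvuln.sys Hashes=SHA256=blocklisted-placeholder Signed=true Signature=Example Vendor Ltd SignatureStatus=Valid",
]
# Where drivers normally live; a driver loading from anywhere else deserves a look.
STANDARD_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")
# Environment baseline of already-profiled driver digests (placeholder, not real hashes).
BASELINE_SHA256 = {"baseline-tcpip"}
# Stand-in for a vulnerable-driver blocklist (placeholder digest, not a real hash).
BLOCKLIST_SHA256 = {"blocklisted-placeholder"}
def parse_event(line):
    """Split a flattened key=value record into a dict; values may contain spaces."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", line))

def sha256_of(hashes_field):
    """Pick the SHA256 digest out of Sysmon's 'ALG=value,ALG=value' Hashes field."""
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if algo.upper() == "SHA256":
            return value.lower()
    return ""

def evaluate(event):
    """Apply the hunting rules to one DriverLoad event; return the rules it trips."""
    findings = []
    path = event.get("ImageLoaded", "").lower()
    digest = sha256_of(event.get("Hashes", ""))
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        findings.append("unsigned-or-invalid-signature")
    if not path.startswith(STANDARD_DRIVER_DIRS):
        findings.append("driver-outside-standard-directories")
    if digest in BLOCKLIST_SHA256:
        findings.append("known-vulnerable-driver")
    elif digest not in BASELINE_SHA256:
        # A valid signature is necessary, not sufficient: the campaign's driver was validly signed.
        findings.append("not-in-environment-baseline")
    return findings

def hunt(lines):
    """Return {ImageLoaded: findings} for every driver load (EventID 6) that trips a rule."""
    hits = {}
    for event in (parse_event(line) for line in lines):
        if event.get("EventID") == "6" and (findings := evaluate(event)):
            hits[event["ImageLoaded"]] = findings
    return hits
```

On the sample data the Microsoft-signed driver in the standard directory passes, while the validly signed driver loading from a user-writable path is still surfaced because it is absent from the baseline.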
Targets and Tactics of Mustang Panda

While the ultimate objectives of this specific campaign are still being analyzed, historical and contextual evidence points toward:

- Government ministries and diplomatic institutions
- Defense and national policy research organizations
- Critical infrastructure operators
- Academic institutions with strategic research interests

Targeting aligns with longer-term intelligence gathering without overtly disruptive goals. Mustang Panda’s goal is often to blend into the environment, gather valuable data, and maintain access over months or years. The use of signed kernel drivers is consistent with this approach: deep, stealthy access that’s hard for defenders to purge once established.

Evasion Techniques and Detection Challenges

Kernel-level threats pose unique detection challenges because they operate below normal user-mode defenses and often exploit trusted system mechanisms. Some of the evasion techniques observed include:

- Use of native Windows loader processes to execute malware (e.g., wmic, msiexec, or other signed system tools)
- Process hollowing and code injection into legitimate system processes
- Dynamic loading of malicious modules based on environment detection
- Encryption of C2 communications to prevent payload inspection

Traditional antimalware tools that rely on user-mode hooks or signature-based detection often cannot see or properly interpret kernel-mode modifications, making behavior-based and kernel-aware EDR solutions critical.

How Security Teams Can Detect and Respond

Given the sophistication of this approach, standard antivirus alone isn’t sufficient. Detection and response require a multi-layered strategy:

1. Kernel-Aware Endpoint Detection

Deploy advanced EDR solutions capable of monitoring kernel-level activity, including unauthorized driver loading, abnormal kernel object manipulation, and suspicious system hook installations.

2. Code Integrity Policies

Implement strict driver signing and code integrity policies through technologies such as Windows Defender Application Control (WDAC) or Microsoft BitLocker Drive Encryption (MBAM) to restrict unauthorized drivers.

3. Threat Hunting and Baseline Profiling

Security teams should build environment-specific baselines for system behavior and continuously hunt for anomalies such as unusual system calls, hidden process handles, or unsigned module loads.

4. Network Segmentation and Least Privilege

Limiting lateral movement and enforcing least-privilege principles reduces the blast radius of a kernel-level compromise.

5. Multi-Factor Authentication and Access Control

Since the initial infection vector is often phishing, strengthening authentication (e.g., MFA, conditional access) reduces the chance that user credentials are harvested and reused in further stages.

Implications for the Broader Threat Landscape

The use of signed drivers for stealth is a growing trend among sophisticated actors, and Mustang Panda’s adoption of the technique highlights a broader issue in cybersecurity:

- Threat actors are learning to exploit trust mechanisms built into operating systems and security controls.
- Signed code is no longer inherently safe — even trusted signatures can be commandeered or misused.
- Kernel-level attacks are becoming more common as attackers recognize the limitations of user-mode defenses.

For defenders, this means rethinking assumptions about what constitutes “trusted” code and investing in detection tools capable of observing activity below the user layer.

Why This Matters for Enterprises

Signed drivers are meant to protect users by ensuring kernel-mode code is authentic. However, this campaign demonstrates that:

- Signatures can provide attackers with cover, as legitimate signature checks inhibit defensive blocking.
- Kernel threats can evade traditional defenses, especially those that lack kernel visibility.
- Long-term persistence is achievable even in well-defended environments, increasing the urgency for proactive controls.

For security leaders, this incident emphasizes the need to invest in detection and response capabilities that go beyond signature matching and incorporate real-time behavior analysis, kernel telemetry, and continuous environment profiling.

Policy and Trust Considerations

The abuse of signed components calls into question the broader trust model used by operating systems and security controls:

- Should vendor signing alone be trusted as a guarantee of safety?
- How can certificate issuance processes be hardened to prevent misuse?
- What monitoring and revocation mechanisms should be in place for compromised signing assets?
- Can hardware-rooted trust (e.g., TPM and secure boot) help mitigate kernel abuse?

These policy questions are increasingly relevant as threats like Mustang Panda push attackers deeper into system internals.

Conclusion: The Need for an Advanced Defense Posture

The discovery that Mustang Panda is using a signed kernel-mode driver as part of a sophisticated espionage campaign signals an important shift in attacker behavior. This technique, while not entirely new in concept, is now being operationalized by advanced threat actors targeting organizations where stealth and long-term access matter most. Defenders must adapt by elevating their security stack to include:

- Kernel-aware detection capabilities
- Strict code integrity enforcement
- Advanced threat hunting practices
- Comprehensive identity and access management
- Proactive patch and update regimes

In an era where attackers leverage system trust mechanisms for malicious purposes, security programs must prioritize behavioral visibility, anomaly detection, and contextual risk analysis across both user and kernel layers.
Proactive defense will not only help detect Mustang Panda’s current campaign but also serve as a robust foundation against future threats that abuse trusted components for stealth and persistence.