TONESHELL
MITRE
Malware Type:
Other
Other
First seen:
Unknown
Unknown
Last seen:
Unknown
Unknown
Details:
[TONESHELL](https://attack.mitre.org/software/S1239) is a custom backdoor that has been used since at least Q1 2021.(Citation: Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023) [TONESHELL](https://attack.mitre.org/software/S1239) malware has previously been leveraged by Chinese affiliated actors identified as [Mustang Panda](https://attack.mitre.org/groups/G0129).(Citation: ATTACKIQ MUSTANG PANDA TONESHELL March 2023)(Citation: Zscaler)
Associated Techniques (43)
| ID | ATT&CK | Tactics |
|---|---|---|
| T1001.003 | Protocol or Service Impersonation | - |
| T1010 | Application Window Discovery | - |
| T1027.001 | Binary Padding | - |
| T1027.007 | Dynamic API Resolution | - |
| T1027.012 | LNK Icon Smuggling | - |
| T1033 | System Owner/User Discovery | - |
| T1036.004 | Masquerade Task or Service | - |
| T1036.005 | Match Legitimate Resource Name or Location | - |
| T1047 | Windows Management Instrumentation | - |
| T1053.005 | Scheduled Task | - |
| T1055.001 | Dynamic-link Library Injection | - |
| T1056.001 | Keylogging | - |
| T1057 | Process Discovery | - |
| T1059.003 | Windows Command Shell | - |
| T1070.004 | File Deletion | - |
Used by Actors (1)
Metadata
| ID: | 95 |
| Created: | 13/01/2026 17:48 |
| Updated: | 06/03/2026 04:00 |