Cloakware Convergence: From Kernel Rootkits to Heap Leaks

SISA Weekly Threat Watch – our weekly feature brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide. These recurring, actionable threat advisories also provide information and recommendations to help security teams take appropriate action to defend against the latest critical threats.

1. Data-Layer Exposure: MongoDB Heap Peek (CVE-2025-14847)

A flaw in MongoDB’s Zlib compression handling lets unauthenticated attackers coerce the server into returning uninitialized heap memory. The risk is data exposure and exploit priming—even without code execution—so speed of patching matters.

  • MongoDB CVE-2025-14847 (CVSS 8.7) — Pre-auth heap disclosure via Zlib length mismatch; fixes in 8.2.3 / 8.0.17 / 7.0.28 / 6.0.27 / 5.0.32 / 4.4.30. If you can’t patch immediately, disable Zlib and use Snappy/Zstd, tighten exposure, and watch for malformed protocol traffic.

2. Government-Lure Malware Ops: Silver Fox’s ValleyRAT in India

China-linked Silver Fox is pushing Income-Tax–themed lures to Indian orgs, pivoting from PDFs to a ZIP/NSIS chain that DLL-sideloads ValleyRAT through a legitimate Thunder binary, then injects into explorer.exe for quiet persistence and surveillance.

  • Silver Fox → ValleyRAT — Tax-branded PDFs → typosquatted domain → Thunder libexpat.dll sideload → Donut loader → RAT in explorer.exe; plugins enable keylogging, credential theft, delayed beaconing, and Defender-exclusion abuse.

3. Nation-State Stealthware: Mustang Panda’s Kernel-Mode ToneShell

Mustang Panda has upleveled stealth with a signed mini-filter driver rootkit that loads a new ToneShell variant from kernel space, blocks Defender’s filter, and shields its user-mode payloads—raising the bar for detection and response across Asian gov targets.

  • ToneShell with kernel loader — Stolen cert, high filter altitude, registry/file self-protection, memory-only user-mode injection, fake-TLS traffic, full remote ops (file ops, shell, staged transfers). Memory forensics and driver allow-listing are now table stakes.

Proactive Steps for the Week

  • Patch priority: Upgrade all affected MongoDB fleets to patched releases; if delayed, disable Zlib and restrict exposure.

  • Email & web hardening: Treat government/tax themes as high-risk; sandbox PDFs/NSIS, block Thunder DLL sideload paths, and alert on Donut/explorer.exe injection chains.

  • Kernel visibility: Enforce driver allow-listing, monitor mini-filter altitudes, and alert on WdFilter tampering; add scheduled memory captures for high-value endpoints.

  • Threat hunting:

    • Mongo: look for malformed compressed messages and unusual pre-auth responses.

    • ValleyRAT: hunt for NSIS → Thunder → libexpat.dll loads, new Defender exclusions, and delayed beacons.

    • ToneShell: scan for unknown signed drivers, blocked file deletes on driver paths, and fake-TLS C2 patterns.

  • Access control: Reduce public exposure of admin and database ports; enforce MFA and application allow-listing to blunt sideloading and post-exploitation.
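To make the Mongo hunting item above (and the Zlib length-mismatch bullet in section 1) concrete, here is an added example, not SISA's or MongoDB's code, of a sensor-side consistency check on OP_COMPRESSED frames: it inflates zlib-compressed messages and flags frames whose declared uncompressedSize disagrees with the inflated length. It assumes the mismatch the advisory refers to is between that header field and the zlib stream, which the advisory does not spell out; the wire layout (opcode 2012, compressor id 2 for zlib) follows MongoDB's published wire protocol, and all frames are constructed locally for the check.

```python
import struct
import zlib

OP_COMPRESSED = 2012  # MongoDB wire-protocol opcode for compressed messages
OP_MSG = 2013
COMPRESSOR_ZLIB = 2   # compressor ids: 0 noop, 1 snappy, 2 zlib, 3 zstd
INNER_HDR = 25        # 16-byte standard header + originalOpcode + uncompressedSize + compressorId


def build_op_compressed(payload: bytes, declared_size: int, request_id: int = 1) -> bytes:
    """Constructed test traffic (not a real capture): declared_size is written to
    uncompressedSize verbatim, so the check can be exercised against frames whose
    header disagrees with the zlib stream."""
    body = zlib.compress(payload)
    inner = struct.pack("<iiB", OP_MSG, declared_size, COMPRESSOR_ZLIB) + body
    header = struct.pack("<iiii", 16 + len(inner), request_id, 0, OP_COMPRESSED)
    return header + inner


def check_frame(frame: bytes) -> dict:
    """Inspect one frame; return ok=False with a reason for anything a hunter should review."""
    if len(frame) < 16:
        return {"ok": False, "reason": "short header"}
    msg_len, _req_id, _resp_to, opcode = struct.unpack_from("<iiii", frame, 0)
    if opcode != OP_COMPRESSED:
        return {"ok": True, "reason": "not an OP_COMPRESSED frame"}
    if msg_len != len(frame) or len(frame) < INNER_HDR:
        return {"ok": False, "reason": "messageLength disagrees with frame size"}
    _orig_op, declared, comp_id = struct.unpack_from("<iiB", frame, 16)
    if comp_id != COMPRESSOR_ZLIB:
        return {"ok": True, "reason": "non-zlib compressor, not checked here"}
    if declared < 0:
        return {"ok": False, "reason": f"negative uncompressedSize {declared}"}
    # Inflate with an output cap of declared+1 so an oversized header value cannot
    # drive a large allocation: one extra byte is enough to prove a mismatch.
    inflater = zlib.decompressobj()
    try:
        out = inflater.decompress(frame[INNER_HDR:], max_length=declared + 1)
    except zlib.error as exc:
        return {"ok": False, "reason": f"zlib error: {exc}"}
    actual = len(out)
    if actual != declared:
        return {"ok": False, "reason": f"length mismatch: declared {declared}, inflated {actual}"}
    if not inflater.eof:
        return {"ok": False, "reason": "zlib stream did not terminate cleanly"}
    return {"ok": True, "reason": "declared and inflated lengths agree"}
```

Feeding this check frames reassembled from a port 27017 capture gives a concrete "malformed compressed message" signal; frames that fail before authentication completes deserve the most attention.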

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
