The China-linked Mustang Panda APT has been using a kernel-mode rootkit in attacks leading to ToneShell backdoor deployments.