- IBM X-Force identified Mustang Panda deploying SnakeDisk, a USB worm geofenced to Thailand IPs, to spread the Yokai backdoor.
- The group employs updated TONESHELL variants with proxy-based C2 communication to evade detection.
The China-aligned cyberespionage group Mustang Panda, also tracked as Hive0154, has launched a targeted campaign against Thailand, leveraging a new USB-based worm called SnakeDisk to deliver the Yokai backdoor. According to an IBM X-Force report released in September 2025, the malware only activates on devices with Thailand-based IP addresses, highlighting a precise focus on the region amid ongoing geopolitical tensions, including Thailand’s border disputes with Cambodia.
SnakeDisk Facilitates USB-Based Propagation in Thailand
SnakeDisk, identified in mid-August 2025, marks a new addition to Mustang Panda’s arsenal. The worm monitors USB device connections and moves legitimate files on the device to a hidden subdirectory. It then renames its malicious executable to match the USB’s volume name, such as “USB.exe,” tricking users into launching it on new systems. Once executed, the worm restores the original files while infecting the host. Crucially, SnakeDisk is geofenced to operate solely on public IP addresses located in Thailand, ensuring targeted deployment. The worm serves as a delivery mechanism for Yokai, a backdoor that establishes a reverse shell to execute commands from a command-and-control (C2) server. Yokai, previously observed in December 2024 attacks on Thai officials, achieves persistence through scheduled tasks and communicates the victim’s hostname to the C2 server for validation.
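As an added defender-side illustration (not code from the IBM X-Force report or from the malware), the following Python checks a removable drive for the layout described above: an executable at the drive root named after the volume label sitting beside a hidden subdirectory that holds the displaced user files. It assumes the hidden directory is dot-prefixed or carries the Windows hidden attribute, and the drive layouts it scans are constructed in a temporary directory.

```python
import stat
import tempfile
from pathlib import Path


def is_hidden(path: Path) -> bool:
    """Treat dot-prefixed names or the Windows hidden attribute as hidden."""
    if path.name.startswith("."):
        return True
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def scan_removable_drive(root: Path, volume_label: str) -> dict:
    """Flag the SnakeDisk-style layout: <label>.exe at the root plus a hidden directory."""
    findings = {"lure_executable": None, "hidden_dirs": [], "suspicious": False}
    expected_name = f"{volume_label}.exe".lower()
    for entry in root.iterdir():
        if entry.is_file() and entry.name.lower() == expected_name:
            findings["lure_executable"] = entry.name
        elif entry.is_dir() and is_hidden(entry):
            findings["hidden_dirs"].append(entry.name)
    # Both indicators together are the signal; either alone is common on clean drives.
    findings["suspicious"] = bool(findings["lure_executable"]) and bool(findings["hidden_dirs"])
    return findings


def build_constructed_sample(base: Path, volume_label: str, infected: bool) -> Path:
    """Constructed drive layouts for the demo; the 'infected' one holds placeholder bytes, not malware."""
    root = base / volume_label
    root.mkdir()
    if infected:
        (root / f"{volume_label}.exe").write_bytes(b"placeholder bytes")
        hidden = root / ".archive"  # assumed name; the worm's real directory name is not given
        hidden.mkdir()
        (hidden / "report.docx").write_bytes(b"displaced user file")
    else:
        (root / "report.docx").write_bytes(b"user file")
    return root


def demo() -> tuple:
    """Scan one constructed infected drive and one clean drive; return both findings."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        infected = scan_removable_drive(build_constructed_sample(base, "USB", True), "USB")
        clean = scan_removable_drive(build_constructed_sample(base, "BACKUP", False), "BACKUP")
    return infected, clean
```

On a real workstation the same check would run against the mount point and label of each newly attached removable drive rather than against constructed directories.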
TONESHELL Variants Enhance Evasion Tactics
Mustang Panda has also upgraded its TONESHELL backdoor, with new variants dubbed TONESHELL8 and TONESHELL9. These variants, delivered via DLL side-loading, support C2 communication through locally configured proxy servers, blending malicious traffic with legitimate enterprise activity. The malware incorporates two parallel reverse shells for robust control and embeds junk code sourced from OpenAI’s ChatGPT website to complicate static analysis. These enhancements reflect Mustang Panda’s ongoing efforts to refine its tools, building on tactics seen in earlier campaigns targeting Myanmar, Australia, the Philippines, Japan, and Taiwan since 2022. The group’s broader ecosystem includes related malware like PUBLOAD and WispRider, with code overlaps indicating a shared development framework.