Mustang Panda With SnakeDisk USB Worm and Toneshell Backdoor Seeking to Penetrate Air-Gap Systems


In July 2025 the China-aligned threat actor Hive0154, better known as Mustang Panda, deployed new malware variants built to reach air-gapped systems.

The group introduced SnakeDisk, a new USB worm, alongside an updated Toneshell9 backdoor, a calculated step forward in its espionage tooling against East Asian networks.

The campaign demonstrates Mustang Panda’s strategic focus on circumventing traditional network security measures through physical propagation methods.


SnakeDisk operates with geographical precision, executing only on systems with Thailand-based IP addresses, suggesting highly targeted operations coinciding with recent geopolitical tensions between Thailand and Cambodia.

The malware’s selective activation mechanism reflects the group’s sophisticated operational security and desire to minimize exposure while maximizing impact against specific targets.

IBM analysts identified these malware variants through a comprehensive analysis of weaponized archives uploaded from Singapore and Thailand throughout mid-2025.

The researchers discovered that SnakeDisk shares significant code overlaps with previous Tonedisk variants while introducing enhanced evasion techniques and air-gap penetration capabilities.

SnakeDisk drops the Yokai backdoor on the hosts it reaches, indicating a multi-stage infection strategy designed to establish persistent access inside isolated network environments.

The threat actor distributes weaponized archives through cloud storage platforms such as Box, often disguised as legitimate documents from government agencies.

These archives bundle a legitimate executable with a malicious DLL that it sideloads, which starts the infection chain. The malware then persists through scheduled tasks and registry modifications, so access survives system reboots.


PDF containing download link for weaponized archive deploying Toneshell7 (Source – IBM)

The emergence of these tools coincides with escalating border conflicts between Thailand and Cambodia, suggesting state-sponsored motivations behind the campaign.

Mustang Panda’s ability to develop geographically targeted malware demonstrates its technical capabilities and the intelligence collection that shapes its targeting.

Advanced USB Propagation and Air-Gap Penetration Mechanisms

SnakeDisk employs sophisticated techniques to weaponize USB devices and penetrate air-gapped systems.

The malware begins execution by decrypting its configuration file with a custom two-phase XOR algorithm that uses a 320-byte key.

This configuration contains 18 string values that define the worm’s operational parameters, including directory structures, file names, and persistence mechanisms.

The USB infection process starts with device detection: the worm issues the IOCTL_STORAGE_GET_HOTPLUG_INFO control code (sent with DeviceIoControl) to identify removable, hot-pluggable storage devices.

Upon detecting a USB drive, SnakeDisk creates a sophisticated file structure that hides the user’s original files within subdirectories while placing a weaponized executable in the root directory.

The malware uses both SHFileOperationW and robocopy to relocate the existing files. The robocopy invocation takes the following form, with the drive letter, hidden directory and worm executable names shown as placeholders:

robocopy <drive>:\ <drive>:\<hidden dir> /XD "<drive>:\<hidden dir>" /XF "<drive>:\<worm exe>" /E /MOVE

Here /E copies every subdirectory (including empty ones), /MOVE deletes the source after copying, and /XD and /XF exclude the destination directory and the worm executable itself, so only the user’s original content is moved out of the root.

This process creates multiple hidden directories with SYSTEM and HIDDEN attributes, effectively concealing the malicious infrastructure while maintaining the appearance of a normal USB device.
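The layout described above (an executable left in the drive root, the user’s files moved beneath a hidden+system directory) can be checked on a suspect drive. The following is an added example for this article, not IBM’s analysis code or the malware’s own; the Entry fields, the hypothetical "_" staging directory name and both sample listings are constructed assumptions. It also shows the false-positive caveat a practitioner needs: Windows itself keeps $RECYCLE.BIN and System Volume Information hidden+system in every volume root, so those must not count as attacker staging directories.

```python
"""Triage a removable drive's layout for the SnakeDisk-style arrangement
described in the article: the user's files moved under a hidden+system
directory while a single executable sits in the drive root.

Added example for this article, not IBM's or the malware's code. The Entry
fields, the '_' staging directory name and both listings are assumptions."""
import os
import stat
from dataclasses import dataclass

FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04
HIDDEN_SYSTEM = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".lnk", ".cmd", ".bat")
# Folders Windows itself keeps hidden+system in a volume root; they must not
# be counted as attacker staging directories.
BUILTIN_HIDDEN_DIRS = {"$recycle.bin", "system volume information"}


@dataclass
class Entry:
    path: str        # relative to the drive root, Windows separators
    is_dir: bool
    attributes: int  # FILE_ATTRIBUTE_* bitmask as reported by the filesystem


def _parts(path):
    return path.replace("/", "\\").strip("\\").split("\\")


def snapshot_drive(root):
    """Walk a mounted drive into Entry records. st_file_attributes exists
    only on Windows; on other platforms every entry gets attribute 0."""
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            entries.append(Entry(os.path.relpath(full, root).replace("/", "\\"),
                                 stat.S_ISDIR(st.st_mode),
                                 getattr(st, "st_file_attributes", 0)))
    return entries


def triage(entries):
    """Return the indicators found and a verdict. Suspicious means: an
    executable in the root, at least one non-Windows hidden+system root
    directory, and user files relocated beneath such a directory."""
    root_items = [e for e in entries if len(_parts(e.path)) == 1]
    root_exes = [e.path for e in root_items
                 if not e.is_dir and e.path.lower().endswith(EXECUTABLE_SUFFIXES)]
    staging = [e.path for e in root_items
               if e.is_dir
               and e.attributes & HIDDEN_SYSTEM == HIDDEN_SYSTEM
               and e.path.lower() not in BUILTIN_HIDDEN_DIRS]
    staging_lower = {s.lower() for s in staging}
    relocated = [e.path for e in entries
                 if not e.is_dir and len(_parts(e.path)) > 1
                 and _parts(e.path)[0].lower() in staging_lower]
    return {
        "root_executables": root_exes,
        "hidden_system_dirs": staging,
        "relocated_files": len(relocated),
        "suspicious": bool(root_exes) and bool(staging) and bool(relocated),
    }


# Constructed listings, not real captures. 0x20 is ARCHIVE, 0x10 is DIRECTORY.
INFECTED_LISTING = [
    Entry("USB_DRIVE.exe", False, 0x20),                    # worm in the root (hypothetical name)
    Entry("$RECYCLE.BIN", True, 0x10 | HIDDEN_SYSTEM),
    Entry("System Volume Information", True, 0x10 | HIDDEN_SYSTEM),
    Entry("_", True, 0x10 | HIDDEN_SYSTEM),                 # staging directory (hypothetical name)
    Entry("_\\documents", True, 0x10 | HIDDEN_SYSTEM),
    Entry("_\\documents\\budget.xlsx", False, 0x20),
    Entry("_\\documents\\report.docx", False, 0x20),
    Entry("_\\photos", True, 0x10 | HIDDEN_SYSTEM),
    Entry("_\\photos\\IMG_0001.jpg", False, 0x20),
]

CLEAN_LISTING = [
    Entry("$RECYCLE.BIN", True, 0x10 | HIDDEN_SYSTEM),
    Entry("System Volume Information", True, 0x10 | HIDDEN_SYSTEM),
    Entry("documents", True, 0x10),
    Entry("documents\\report.docx", False, 0x20),
    Entry("setup.exe", False, 0x20),                        # a root installer alone is not enough
]

if __name__ == "__main__":
    for name, listing in (("infected", INFECTED_LISTING), ("clean", CLEAN_LISTING)):
        print(name, triage(listing))
```

On a Windows analysis box the same check runs against a mounted drive with `triage(snapshot_drive("E:\\"))`; the verdict deliberately requires all three indicators together, because a lone executable in a USB root (an installer, a portable tool) is common and a hidden+system directory by itself is what Windows already does.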

The worm establishes a Windows message loop to monitor for WM_DEVICECHANGE events, enabling real-time detection of USB insertion and removal events.

When a device is removed, SnakeDisk triggers payload execution, dropping the Yokai backdoor into C:\Users\Public by concatenating a series of encrypted file fragments and decrypting them into the final malicious executable.
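Both behaviours in this section leave process and file telemetry: the robocopy relocation runs as a child of the worm with a drive root as its source, and the payload drop is a write into C:\Users\Public by an image executing from another volume. The following hunting logic over Sysmon-style records is an added example for this article, not IBM’s detection content or the malware’s code; the rule names, the assumption that C: is the system volume, and the sample records (including the file names in them) are constructed.

```python
r"""Hunt Sysmon-style records for two SnakeDisk behaviours the article
describes: relocating a drive's contents with
  robocopy <drive>:\ <drive>:\<hidden dir> /XD ... /XF ... /E /MOVE
and a process running from another volume writing into C:\Users\Public.

Added example for this article, not IBM's or the malware's code. Rule
names, the 'C: is the system volume' assumption and the records are
constructed."""
import re

DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")
# Match quoted arguments literally: a Windows argument may end in a
# backslash ("E:\"), which shlex would misread as an escaped quote.
TOKEN = re.compile(r'"[^"]*"|\S+')
PUBLIC_DIR = "c:\\users\\public\\"


def parse_robocopy(cmdline):
    """Split a robocopy command line into source, destination, remaining
    positional paths (the /XD and /XF arguments) and upper-cased switches."""
    tokens = [t.strip('"') for t in TOKEN.findall(cmdline)][1:]
    positional = [t for t in tokens if not t.startswith("/")]
    switches = {t.split(":")[0].upper() for t in tokens if t.startswith("/")}
    return {
        "source": positional[0] if positional else None,
        "destination": positional[1] if len(positional) > 1 else None,
        "other_paths": positional[2:],
        "switches": switches,
    }


def robocopy_moves_drive_root(event):
    """Rule 1: robocopy moving (/E /MOVE) an entire drive root into a
    directory on that same drive is the relocation step, not a backup."""
    if event.get("EventID") != 1:
        return None
    if not event.get("Image", "").lower().endswith("\\robocopy.exe"):
        return None
    p = parse_robocopy(event.get("CommandLine", ""))
    if not p["source"] or not p["destination"]:
        return None
    if not DRIVE_ROOT.match(p["source"]):
        return None
    if not {"/E", "/MOVE"} <= p["switches"]:
        return None
    if p["destination"][:2].lower() != p["source"][:2].lower():
        return None
    return f"{p['source']} moved into {p['destination']}, excluding {p['other_paths']}"


def other_volume_writes_public(event):
    r"""Rule 2: a file created under C:\Users\Public by an image that is not
    on C: (for example an executable launched from a removable drive)."""
    if event.get("EventID") != 11:
        return None
    target = event.get("TargetFilename", "")
    image = event.get("Image", "")
    if not target.lower().startswith(PUBLIC_DIR):
        return None
    if len(image) < 2 or image[:2].upper() == "C:":  # assumption: C: is the system volume
        return None
    return f"{image} wrote {target}"


RULES = {
    "robocopy_moves_drive_root": robocopy_moves_drive_root,
    "other_volume_writes_public": other_volume_writes_public,
}


def hunt(events):
    """Apply every rule to every record; return findings in record order."""
    findings = []
    for index, event in enumerate(events):
        for name, rule in RULES.items():
            detail = rule(event)
            if detail:
                findings.append({"rule": name, "event": index, "detail": detail})
    return findings


# Constructed Sysmon-like records (not real telemetry); file names are hypothetical.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\robocopy.exe", "ParentImage": r"E:\USB_DRIVE.exe",
     "CommandLine": r'robocopy "E:\" "E:\_" /XD "E:\_" /XF "E:\USB_DRIVE.exe" /E /MOVE'},
    {"EventID": 1, "Image": r"C:\Windows\System32\robocopy.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"robocopy C:\Projects D:\Backup\Projects /E /MIR"},   # routine backup, not flagged
    {"EventID": 11, "Image": r"E:\USB_DRIVE.exe", "TargetFilename": r"C:\Users\Public\stage.dat"},
    {"EventID": 11, "Image": r"C:\Program Files\7-Zip\7zG.exe", "TargetFilename": r"C:\Users\Public\notes.txt"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Rule 2 is intentionally broad on file type, since the article describes the payload arriving as encrypted fragments rather than as a finished executable; in production it would be tightened with the parent process from rule 1 or the removable-media flag from the volume, neither of which a bare Sysmon record carries.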



About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.