China-linked Mustang Panda deploys advanced SnakeDisk USB worm
China-linked APT group Mustang Panda has been spotted using a new USB worm called SnakeDisk along with a new version of known malware
China-linked APT group Mustang Panda (aka Hive0154, Camaro Dragon, RedDelta or Bronze President) has been spotted using an updated version of the TONESHELL backdoor and a previously undocumented USB worm called SnakeDisk.
Mustang Panda has been active since at least 2012, targeting American and European entities such as government organizations, think tanks, NGOs, and even Catholic organizations at the Vatican. Past campaigns were focused on Asian countries, including Taiwan, Hong Kong, Mongolia, Tibet, and Myanmar. In the 2022 campaigns, threat actors used European Union reports on the conflict in Ukraine and Ukrainian government reports as lures. Opening the reports starts the infection chain, which leads to the deployment of malware on the victim’s system.
In February 2024, Trend Micro researchers observed the group targeting Asian countries, including Taiwan, Vietnam, and Malaysia. In April 2025, the APT group Mustang Panda deployed a new custom backdoor, named MQsTTang, in attacks targeting Europe, Asia, and Australia.
In mid-2025, IBM X-Force observed Toneshell and Pubload malware spreading through weaponized archives mainly uploaded from Singapore and Thailand. The newest version, Toneshell9, went undetected by VirusTotal scans, used local proxies to blend into enterprise traffic, and ran two reverse shells at once. X-Force researchers also observed SnakeDisk, a USB worm that was only employed in attacks against devices in Thailand. SnakeDisk infected drives, spread through them, and dropped the Yokai backdoor, which opened a reverse shell for attackers. Yokai had already been linked to attacks on Thai officials in late 2024.
“In mid-August, X-Force also discovered SnakeDisk, a new USB worm sharing overlap with previous Tonedisk variants. The worm only executes on devices located in Thailand as determined by their public IP address,” reads the report published by IBM X-Force. “SnakeDisk distributes the Yokai backdoor, which was publicly linked to several other Thailand-targeted campaigns by Netskope in December 2024.”
The new USB worm using the Yokai backdoor appears linked to recent geopolitical tensions involving Thailand.
In mid-2025, border clashes erupted between Thailand and Cambodia, escalating with artillery, airstrikes, and naval fire. A leaked call toppled Thailand’s PM, and tensions peaked with Cambodia accusing Thailand of plotting an assassination. With China backing Cambodia, Hive0154 likely exploited the crisis, deploying SnakeDisk to target Thai government networks.
In August 2025 X-Force found a SnakeDisk uploaded from Thailand as a 32-bit DLL named “01.dat.” It mirrors Toneshell9 by using DLL sideloading, nearly identical API resolution, and two execution modes: “-Embedding” (infect USB on removal, then run embedded payload) and “-hope” (drop and run immediately).
SnakeDisk looks for a configuration file in its parent directory, validates candidates by size and CRC32, then decrypts the selected file with a two-phase XOR routine and parses 18 config values that control USB paths, filenames, and persistence options. The researchers noticed that the malicious code only targets Thailand: before activating its USB routines, the worm calls http://ipinfo.io/json and proceeds only if the machine reports its country as Thailand (“THA” or “TH”). It also enforces single-instance execution via a mutex derived from the config.
SnakeDisk scans drive letters to find hotplug USBs. When it finds one, it spawns a thread and checks for previous infections, updating only older versions. It moves all USB files into a hidden folder, making users more likely to click the newly dropped malicious executable, which masquerades as the USB’s volume name. After launching, it puts the original files back, hiding its tracks.
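The propagation layout described above (user files moved into a hidden folder, one executable left at the root and named after the volume label) is something a defender can check for when a removable drive is mounted. The following is an added example written for this article, not code from the IBM X-Force report or from the malware; the drive layouts it inspects are constructed in a temporary directory, and the "hidden" test falls back to a leading dot on platforms without Windows file attributes.

```python
"""Heuristic check for a removable drive showing the propagation layout the
article describes: the user's files moved into a hidden folder and a single
executable left at the drive root named after the volume label.  Added example
for this article, not code from the IBM X-Force report or the malware.  The
drive layouts below are constructed in a temporary directory.
"""
import stat
import tempfile
from pathlib import Path

EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".bat", ".cmd", ".lnk"}
HIDDEN_ATTR = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)


def is_hidden(path: Path) -> bool:
    """Hidden by the Windows attribute where the platform exposes it, else by a leading dot."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & HIDDEN_ATTR) or path.name.startswith(".")


def assess_drive(root: Path, volume_label: str) -> dict:
    """Score one drive root against the two indicators from the article."""
    root = Path(root)
    entries = list(root.iterdir())
    decoys = [p for p in entries
              if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES
              and p.stem.lower() == volume_label.lower()]
    hidden_dirs = [p for p in entries if p.is_dir() and is_hidden(p)]
    visible_files = [p for p in entries if p.is_file() and not is_hidden(p)]
    stashed = sum(1 for d in hidden_dirs for f in d.rglob("*") if f.is_file())
    return {
        "decoy_executables": sorted(p.name for p in decoys),
        "hidden_dirs": sorted(p.name for p in hidden_dirs),
        "stashed_file_count": stashed,
        "visible_file_count": len(visible_files),
        # Both indicators together: a label-named executable at the root and
        # more files hidden away than left visible.
        "suspicious": bool(decoys) and stashed > len(visible_files),
    }


def build_sample_drive(base: Path, infected: bool) -> Path:
    """Construct a throwaway drive layout (constructed data, not real samples)."""
    root = base / ("infected" if infected else "clean")
    root.mkdir()
    docs = ["report.docx", "budget.xlsx", "notes.txt", "photo.jpg"]
    if infected:
        stash = root / ".stash"          # stands in for the worm's hidden folder
        stash.mkdir()
        for name in docs:
            (stash / name).write_bytes(b"user data")
        (root / "FIELDKIT.exe").write_bytes(b"MZ")   # decoy named after the volume label
    else:
        for name in docs:
            (root / name).write_bytes(b"user data")
    return root


def run_demo():
    """Assess a constructed infected and a clean drive; returns (infected, clean) findings."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        infected = assess_drive(build_sample_drive(base, True), "FIELDKIT")
        clean = assess_drive(build_sample_drive(base, False), "FIELDKIT")
    return infected, clean


if __name__ == "__main__":
    for label, result in zip(("infected", "clean"), run_demo()):
        print(label, result)
```

On a real host the volume label would come from the operating system (for example `GetVolumeInformationW` on Windows) and the check would run from a device-arrival handler; the heuristic deliberately requires both indicators, since a hidden folder alone is common on legitimately used drives.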
When SnakeDisk detects a USB device removal or starts with the “-hope” argument, it checks a marker file to see if the system is already infected; if so, it exits. Otherwise, it builds its payloads in memory, decrypts them with XOR, and writes multiple files to C:\Users\Public. These files are combined into two final payloads, a DLL and an executable with a random name. It deletes the original files, then runs the EXE with a project-mod argument. The EXE is a signed app that sideloads the malicious DLL, activating SnakeDisk’s core functionality.
The Yokai DLL backdoor dropped by SnakeDisk checks for “-project-mod” and establishes persistence via a scheduled task for non-admins. It creates a mutex and loads its config, using version string “1.0.0”. The backdoor connects to a hardcoded C2 via POST requests, sending encrypted data. Yokai opens a reverse shell through anonymous pipes, allowing its operators to execute arbitrary commands. Yokai shares technical overlaps with other Hive0154 backdoor families like Toneshell and Pubload, and closely matches Tonedisk’s propagation, configuration, and sideload technique. The researchers pointed out that subclusters commonly reuse and share code across worm and backdoor families.
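The host-side behaviours in the last few paragraphs (payloads written to and executed from C:\Users\Public with the “-Embedding”, “-hope” or “-project-mod” switches, the ipinfo.io geolocation check, a signed EXE sideloading an unsigned DLL from the same folder, and scheduled-task persistence) translate directly into endpoint telemetry heuristics. The block below is an added example for this article, not code from IBM X-Force or the malware: the event schema, file names and task name are constructed placeholders, and the list of browsers treated as benign callers of ipinfo.io is an assumption.

```python
"""Triage of endpoint telemetry for the SnakeDisk / Yokai behaviours described
in the article.  Added example, not code from the IBM X-Force report or the
malware.  The event schema and sample events are constructed for the demo;
only the behaviours they encode (drop directory, command-line switches,
ipinfo.io geofence, DLL sideload, scheduled-task persistence) come from
the article.
"""
import json

DROP_DIR = "c:\\users\\public\\"                            # drop path from the article
SUSPECT_SWITCHES = {"-embedding", "-hope", "-project-mod"}  # switches from the article
GEO_HOST = "ipinfo.io"                                      # geofence service from the article
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}      # assumed benign callers of ipinfo.io


def in_drop_dir(path: str) -> bool:
    """True when a path sits directly under C:\\Users\\Public (case-insensitive)."""
    return path.lower().startswith(DROP_DIR)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Apply four heuristics to a list of event dicts; return (rule, pid, detail) tuples.

    -Embedding is also a legitimate COM activation switch, so it is only
    flagged together with an image executing from the drop directory.
    """
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "process_create":
            args = {a.lower() for a in ev.get("cmdline", "").split()}
            if in_drop_dir(ev["image"]) and args & SUSPECT_SWITCHES:
                findings.append(("drop_dir_exec", ev["pid"], ev["cmdline"]))
        elif kind == "image_load":
            # Signed EXE in the drop dir loading an unsigned DLL from the same dir.
            if (in_drop_dir(ev["image"]) and in_drop_dir(ev["loaded"])
                    and ev.get("image_signed") and not ev.get("loaded_signed")):
                findings.append(("sideload", ev["pid"], ev["loaded"]))
        elif kind == "network":
            # Geolocation lookup from anything other than a browser.
            if ev.get("host", "").lower() == GEO_HOST and basename(ev["image"]) not in BROWSERS:
                findings.append(("geofence_lookup", ev["pid"], ev["image"]))
        elif kind == "task_created":
            # Scheduled task registered by a process running out of the drop dir.
            if in_drop_dir(ev.get("creator_image", "")):
                findings.append(("sched_task_persistence", ev["pid"], ev.get("task_name", "")))
    return findings


def parse_jsonl(text: str):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample telemetry (not real IoCs): file and task names are placeholders.
SAMPLE_EVENTS = r"""
{"type":"process_create","pid":4120,"image":"C:\\Users\\Public\\rnd8f2a.exe","cmdline":"\"C:\\Users\\Public\\rnd8f2a.exe\" -project-mod"}
{"type":"image_load","pid":4120,"image":"C:\\Users\\Public\\rnd8f2a.exe","loaded":"C:\\Users\\Public\\rnd8f2a.dll","image_signed":true,"loaded_signed":false}
{"type":"network","pid":4120,"image":"C:\\Users\\Public\\rnd8f2a.exe","host":"ipinfo.io","uri":"/json"}
{"type":"task_created","pid":4120,"creator_image":"C:\\Users\\Public\\rnd8f2a.exe","task_name":"\\PlaceholderTask"}
{"type":"process_create","pid":5000,"image":"C:\\Program Files\\Vendor\\app.exe","cmdline":"\"C:\\Program Files\\Vendor\\app.exe\" -Embedding"}
{"type":"network","pid":5001,"image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","host":"ipinfo.io","uri":"/json"}
"""


def run_demo():
    """Run the heuristics over the constructed sample and return the findings."""
    return triage(parse_jsonl(SAMPLE_EVENTS))


if __name__ == "__main__":
    for rule, pid, detail in run_demo():
        print(f"{rule:24} pid={pid} {detail}")
```

The two benign events at the end (a vendor application started with `-Embedding` from Program Files, and a browser contacting ipinfo.io) are there to show why each rule is scoped to the drop directory or to non-browser processes; the four hits all belong to the same process, which is the correlation an analyst would look for before escalating.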
“Hive0154 remains a highly capable threat actor with multiple active subclusters and frequent development cycles. X-Force assesses with high confidence that China-aligned groups like Hive0154 will continue to refine their large malware arsenal and target public and private organizations worldwide,” concludes the report. “The malware discussed in the report above is likely still in early development, allowing defenders to adopt detection mechanisms before their widespread use.”
Pierluigi Paganini
(SecurityAffairs – hacking, SnakeDisk)