IBM X-Force researchers have uncovered sophisticated new malware campaigns orchestrated by the China-aligned threat actor Hive0154, also known as Mustang Panda.
The findings cover an updated Toneshell backdoor variant whose proxy-aware command-and-control traffic blends into legitimate enterprise traffic, and a new USB worm, SnakeDisk, that only runs on hosts with Thailand-based IP addresses.
Enhanced Toneshell Backdoor Evades Detection
The latest iteration of Toneshell, dubbed Toneshell9, is a notable step up in the actor's tooling.
Its main addition is proxy support: the backdoor reads the host's locally configured proxy settings and routes its command-and-control traffic through the enterprise proxy, so its connections look like ordinary outbound web traffic rather than direct connections to an unknown host.
Key Technical Features:
- Two concurrent reverse shells, giving operators parallel command-execution channels.
- Proxy-aware communication that works from networks where only proxied egress is allowed, bypassing egress filtering that blocks direct connections.
- Evasion through junk code padded with ChatGPT-sourced strings, which inflates the binary and frustrates signature matching.
- Custom traffic encryption built on a modified pseudo-random number generator.
Toneshell9 persists on the host through DLL sideloading (a legitimate executable loads the malicious DLL) and wraps its command-and-control traffic in fake TLS 1.2 Application Data records, so on the wire it resembles an established HTTPS session even though no TLS handshake ever took place.
The backdoor builds a client object that tracks multiple C2 servers, proxy configurations and encryption keys at the same time.
It also enumerates the Windows registry hives for configured proxy settings, which shows the operators expect to run inside proxy-only enterprise networks where direct outbound connections fail.
SnakeDisk Worm Hits Thailand
The newly identified SnakeDisk USB worm shows how narrowly Hive0154 scopes its espionage operations.
Before doing anything else, the malware checks whether the host's IP address is located in Thailand and only executes if it is, which points to a deliberate focus on Thai government and organizational networks during a period of heightened regional tensions.
Operational Characteristics:
- Geolocation gate: execution is limited to hosts with Thailand-based IP addresses.
- USB propagation: the worm copies itself onto removable storage devices it finds on the host.
- Yokai backdoor deployment, giving the operators persistent remote access.
- File hiding that masks the drive's legitimate contents, so the infection is not obvious to the user.
The timing of SnakeDisk's deployment coincides with the escalating Thailand-Cambodia border dispute and diplomatic tensions throughout 2025.
USB propagation is a well-worn route into air-gapped or otherwise isolated systems, which are common in sensitive government environments, and the worm's infection mechanism suggests that is the intent.
When triggered, SnakeDisk drops the Yokai backdoor, which was previously linked to campaigns against Thai officials in December 2024.
Expanding Chinese Cyber Operations
Security researchers attribute this activity to Hive0154, a well-established China-aligned threat group that operates multiple subclusters targeting government agencies, think tanks and private organizations across East Asia.
The group's arsenal includes numerous custom loaders, backdoors and USB worm families, pointing to sustained in-house malware development.
The discovery of weaponized archives uploaded from Singapore and Thailand throughout mid-2025 indicates sustained targeting of Southeast Asian entities.
These campaigns have utilized social engineering lures impersonating government communications, including fake Myanmar Ministry of Foreign Affairs documents distributed through cloud storage platforms like Box and Google Drive.
IBM X-Force assesses that China’s strategic interests in the region, particularly regarding Cambodia as a key ally, may have provided motivation for intensified operations against Thailand.
The deployment of geographically-restricted malware suggests a calculated approach to intelligence collection during a period of regional instability.
Organizations in the targeted regions should, at a minimum: monitor for unexpected USB device insertions and for hidden files on removable media; look for outbound flows on port 443 that carry TLS Application Data records without a preceding ClientHello; and treat cloud-storage download links (Box, Google Drive) in apparently official correspondence with suspicion.
Taken together, these tools show Hive0154 continuing to refine its tradecraft, and the group remains a significant threat to organizations in the region.
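The fake-TLS pattern described above (Application Data records with no handshake) is simple to check for once a sensor exposes the first client payload of each flow. The following is an added detection example written for this page; it is not IBM X-Force's or Toneshell's code. It assumes a sensor supplies, per flow, the first client-to-server payload bytes and whether the flow was seen from its SYN; the flows, payloads and RFC 5737 documentation addresses below are constructed for the example.

```python
"""Flag TCP flows whose first client payload is a TLS Application Data record
with no preceding ClientHello (the fake-TLS pattern described above).

Added example, not IBM X-Force or Toneshell code. Assumes a sensor hands us,
per flow, the first client->server payload bytes and whether the flow was
observed from its SYN; sample flows below are constructed."""

import struct
from dataclasses import dataclass

# TLS record-layer content types (RFC 5246 section 6.2.1)
TLS_CHANGE_CIPHER_SPEC = 0x14
TLS_ALERT = 0x15
TLS_HANDSHAKE = 0x16
TLS_APPLICATION_DATA = 0x17
HANDSHAKE_CLIENT_HELLO = 0x01
# Record-layer versions seen on the wire: TLS 1.0-1.2 (TLS 1.3 also uses 0x0303)
TLS_RECORD_VERSIONS = {0x0301, 0x0302, 0x0303}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    first_client_payload: bytes
    from_syn: bool  # True if the sensor saw the three-way handshake


def parse_record_header(data: bytes):
    """Return (content_type, version, length) for a plausible 5-byte TLS record
    header, or None if the bytes do not look like a TLS record at all."""
    if len(data) < 5:
        return None
    ctype, version, length = struct.unpack("!BHH", data[:5])
    if ctype not in (TLS_CHANGE_CIPHER_SPEC, TLS_ALERT, TLS_HANDSHAKE, TLS_APPLICATION_DATA):
        return None
    if version not in TLS_RECORD_VERSIONS:
        return None
    return ctype, version, length


def classify_first_payload(data: bytes) -> str:
    """Classify the first client->server payload of a flow.

    A genuine TLS session always opens with a Handshake record carrying a
    ClientHello; this holds for TLS 1.3 and for session resumption too. An
    Application Data record as the very first bytes means the peer skipped the
    handshake: the 17 03 03 header is a costume, not a real TLS record."""
    hdr = parse_record_header(data)
    if hdr is None:
        return "not-tls"
    ctype, _version, _length = hdr
    if ctype == TLS_HANDSHAKE:
        if len(data) >= 6 and data[5] == HANDSHAKE_CLIENT_HELLO:
            return "tls-handshake"
        return "tls-unexpected-handshake"  # e.g. a ServerHello sent by a client: odd, not fake
    if ctype == TLS_APPLICATION_DATA:
        return "fake-tls"
    return "tls-unexpected-record"  # Alert or ChangeCipherSpec first: odd, worth a look


def scan_flows(flows):
    """Return the flows showing the fake-TLS pattern. Flows the sensor joined
    mid-stream are skipped: there, Application Data first is expected and
    would only produce false positives."""
    return [f for f in flows
            if f.from_syn and classify_first_payload(f.first_client_payload) == "fake-tls"]


# --- constructed sample data ---------------------------------------------------
# Structurally valid ClientHello record: type 0x16, record version 0x0301,
# record length 0x2f, handshake type 0x01, handshake length 0x00002b, version
# 0x0303, then 41 zero bytes standing in for random/ciphers/extensions.
CLIENT_HELLO = bytes.fromhex("160301002f0100002b0303") + bytes(41)
# What a fake-TLS C2 channel looks like: an Application Data header followed
# by 32 bytes of (here, constructed) ciphertext, with no handshake ever sent.
FAKE_TLS = bytes.fromhex("1703030020") + bytes(range(32))

SAMPLE_FLOWS = [
    Flow("192.0.2.10", "198.51.100.5", 443, CLIENT_HELLO, True),          # normal HTTPS
    Flow("192.0.2.10", "198.51.100.7", 443, FAKE_TLS, True),              # fake TLS: alert
    Flow("192.0.2.11", "198.51.100.9", 443, FAKE_TLS, False),             # joined mid-stream: skip
    Flow("192.0.2.12", "198.51.100.3", 80, b"GET / HTTP/1.1\r\n", True),  # plain HTTP
]

if __name__ == "__main__":
    for f in scan_flows(SAMPLE_FLOWS):
        print(f"fake-TLS first record: {f.src} -> {f.dst}:{f.dport}")
```

Two caveats when deploying this. The check is only meaningful for flows captured from their SYN, which is why `scan_flows` skips the others; a sensor that joins an existing HTTPS session would otherwise see Application Data first and alert on every long-lived connection. And because Toneshell9 can route through the enterprise proxy, the bytes to inspect are those inside the CONNECT tunnel (after the proxy's `200 Connection established`) or the proxy's own outbound side, not the client-to-proxy leg.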
Indicators of Compromise (IoCs):
| Indicator | Indicator Type | Context |
|---|---|---|
| f8b28cae687bd55a148d363d58f13a797486f12221f0e0d080ffb53611d54231 | SHA256 | Weaponized archive delivering Toneshell8 |
| 8132beeb25ce7baed0b561922d264b2a9852957df7b6a3daacfbb3a969485c79 | SHA256 | Weaponized archive delivering Toneshell8 |
| d1466dca25e28f0b7fae71d5c2abc07b397037a9e674f38602690e96cc5b2bd4 | SHA256 | Weaponized archive delivering Toneshell8 |
| 1272a0853651069ed4dc505007e8525f99e1454f9e033bcc2e58d60fdafa4f02 | SHA256 | Weaponized archive delivering Toneshell8 |
| b8c31b8d8af9e6eae15f30019e39c52b1a53aa1c8b0c93c8d075254ed10d8dfc | SHA256 | Weaponized archive delivering Toneshell7 |
| 7087e84f69c47910fd39c3869a706e55324783af8d03465a9e7bfde52fe4d1d6 | SHA256 | Weaponized archive delivering Pubload |
| 38fcd10100f1bfd75f8dc0883b0c2cb48321ef1c57906798a422f2a2de17d50c | SHA256 | Weaponized archive delivering Pubload |
| 69cb87b2d8ee50f46dae791b5a0c5735a7554cc3c21bb1d989baa0f38c45085c | SHA256 | PDF containing download URL for weaponized archive |
| 564a03763879aaed4da8a8c1d6067f4112d8e13bb46c2f80e0fcb9ffdd40384c | SHA256 | Loader injecting Toneshell7 |
| e4bb60d899699fd84126f9fa0dff72314610c56fffca3d11f3b6fc93fcb75e00 | SHA256 | Loader injecting Pubload |
| c2d1ff85e9bb8feb14fd015dceee166c2e52e2226c07e23acc348815c0eb4608 | SHA256 | Loader injecting Pubload |
| 188.208.141[.]196 | IPv4 | Pubload C2 server |
| bdbc936ddc9234385317c4ee83bda087e389235c4a182736fc597565042f7644 | SHA256 | Toneshell8 backdoor |
| f0fec3b271b83e23ed7965198f3b00eece45bd836bf10c038e9910675bafefb1 | SHA256 | Toneshell8 backdoor |
| e7b29611c789a6225aebbc9fee3710a57b51537693cb2ec16e2177c22392b546 | SHA256 | Toneshell8 backdoor |
| 9ca5b2cbc3677a5967c448d9d21eb56956898ccd08c06b372c6471fb68d37d7d | SHA256 | Toneshell8 backdoor |
| 146.70.29[.]229 | IPv4 | Toneshell7/Toneshell8 C2 server |
| 318a1ebc0692d1d012d20d306d6634b196cc387b1f4bc38f97dd437f117c7e20 | SHA256 | Toneshell9 backdoor |
| 0d632a8f6dd69566ad98db56e53c8f16286a59ea2bea81c2761d43b6ab4ecafd | SHA256 | Weaponized archive delivering Toneshell9 |
| 39e7bbcceddd16f6c4f2fc2335a50c534e182669cb5fa90cbe29e49ec6dfd0df | SHA256 | Weaponized archive delivering Toneshell9 |
| 05eb6a06b404b6340960d7a6cf6b1293e706ce00d7cba9a8b72b3780298dc25d | SHA256 | Loader containing Toneshell fork (basis for Toneshell9) |
| 123.253.34[.]44 | IPv4 | Toneshell9 C2 server |
| www.slickvpn[.]com | Domain | Toneshell9 C2 server |
| dd694aaf44731da313e4594d6ca34a6b8e0fcce505e39f8273b9242fdf6220e0 | SHA256 | SnakeDisk USB worm |
| bb5bb82e5caf7d4dbbe878b75b23f793a5f3c5ca6dba70d8be447e8c004d26ce | SHA256 | Benign EXE dropped by SnakeDisk, used to sideload the Yokai DLL |
| 35bec1d8699d29c27b66e5646e58d25ce85ea1e41481d048bcea89ea94f8fb4b | SHA256 | Yokai backdoor DLL |
| http://118.174.183[.]89/kptinfo/import/index.php | URL | Yokai C2 server |