SnakeDisk USB Worm
The China-aligned threat actor known as Mustang Panda has rolled out new tools in its cyber-espionage campaigns. Researchers have recently documented the use of an upgraded TONESHELL backdoor alongside a previously unknown USB worm dubbed SnakeDisk. Both additions reinforce the group’s reputation as one of the most persistent state-sponsored adversaries.
Who Is Behind the Attacks?
Cybersecurity experts are monitoring this activity under the cluster Hive0154, an umbrella name tied to Mustang Panda. This cluster is also known by several aliases, including BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, Polaris, RedDelta, Stately Taurus, and Twill Typhoon.
Evidence indicates that Mustang Panda has been active since at least 2012, carrying out espionage-focused operations on behalf of Chinese state interests.
SnakeDisk: A Stealthy USB Worm
SnakeDisk is a newly identified worm that spreads through DLL side-loading. It belongs to the TONESHELL malware family and shows clear overlaps with another USB worm framework, TONEDISK (aka WispRider).
Its main capabilities include:
- Monitoring connected USB devices for propagation opportunities.
- Moving existing USB files into a hidden subdirectory, then replacing them with a malicious executable disguised as the device’s volume name or simply USB.exe.
- Restoring the original files once the malware is triggered on a new system, reducing suspicion.
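The on-disk pattern in the list above (user files relocated into a hidden subdirectory, a lone executable at the drive root named after the volume label or `USB.exe`) is something an incident responder can check for when triaging a removable drive. The following Python script is an added example and is not code from the original report or from the malware: it builds a constructed drive layout in a temporary directory and runs a heuristic over it. The function names, the volume labels, and the use of a leading dot to stand in for the Windows hidden attribute on non-Windows hosts are all assumptions of the example.

```python
"""Triage heuristic for the SnakeDisk-style removable-drive layout:
originals moved into a hidden subdirectory plus a decoy executable at
the root named <volume label>.exe or USB.exe.  Added example; all
directory contents here are constructed for illustration."""
import os
import stat
import tempfile
from pathlib import Path


def is_hidden(path: Path) -> bool:
    """Hidden on Windows via FILE_ATTRIBUTE_HIDDEN; elsewhere a leading
    dot stands in for that attribute (an assumption of this example)."""
    if path.name.startswith("."):
        return True
    try:
        attrs = os.stat(path).st_file_attributes  # Windows-only field
        return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
    except (AttributeError, OSError):
        return False


def find_snakedisk_layout(root: Path, volume_label: str) -> dict:
    """Inspect a drive root and report the two indicators together.

    The result is flagged only when BOTH an executable named after the
    volume label (or USB.exe) sits at the root AND at least one hidden,
    non-empty subdirectory exists, which matches the relocation pattern
    described in the text."""
    suspicious_names = {f"{volume_label}.exe".lower(), "usb.exe"}
    root_exes = [p for p in root.iterdir()
                 if p.is_file() and p.name.lower() in suspicious_names]
    hidden_dirs = [p for p in root.iterdir()
                   if p.is_dir() and is_hidden(p) and any(p.iterdir())]
    return {
        "executables": sorted(p.name for p in root_exes),
        "hidden_dirs": sorted(p.name for p in hidden_dirs),
        "flagged": bool(root_exes) and bool(hidden_dirs),
    }


def build_sample(base: Path, label: str, infected: bool) -> Path:
    """Construct a toy drive root.  The 'infected' layout mirrors the
    description: originals moved to a hidden folder, decoy file at the
    root carrying the volume label as its name."""
    drive = base / label
    drive.mkdir()
    if infected:
        hidden = drive / ".originals"  # constructed hidden folder name
        hidden.mkdir()
        (hidden / "report.docx").write_bytes(b"constructed sample content")
        (drive / f"{label}.exe").write_bytes(b"placeholder bytes, not code")
    else:
        (drive / "report.docx").write_bytes(b"constructed sample content")
    return drive


def demo() -> tuple:
    """Run the heuristic over one infected and one clean constructed
    drive; returns (infected_flagged, clean_flagged)."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = build_sample(Path(tmp), "FIELDDATA", infected=True)
        good = build_sample(Path(tmp), "BACKUP", infected=False)
        return (find_snakedisk_layout(bad, "FIELDDATA")["flagged"],
                find_snakedisk_layout(good, "BACKUP")["flagged"])


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Requiring both indicators keeps the false-positive rate down: a hidden `System Volume Information` folder alone, or a single stray executable alone, is common on legitimate drives, whereas the combination of a non-empty hidden folder and a root executable carrying the drive's own label is the specific shape the report describes. On a live Windows host the volume label would be read from the mounted drive rather than passed in by hand.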
A striking feature is its geofencing: SnakeDisk only executes on devices with Thailand-based IP addresses, narrowing its targeting scope.
Yokai: The Backdoor Delivered by SnakeDisk
SnakeDisk acts as a delivery mechanism for Yokai, a backdoor that sets up a reverse shell to run arbitrary commands. First reported in December 2024, Yokai was linked to campaigns against Thai officials.
The malware shares technical similarities with other backdoor families attributed to Hive0154, including PUBLOAD/PUBSHELL and TONESHELL. While separate strains, these families use comparable structures and techniques to communicate with command-and-control (C2) servers.
Strategic Focus on Thailand
The targeting rules built into SnakeDisk and the deployment of Yokai strongly suggest that a Mustang Panda subgroup is concentrating heavily on Thailand. This points to a refined strategy and tailored operations in Southeast Asia.
A Vast and Evolving Malware Ecosystem
Hive0154 stands out for its ability to maintain a large, interconnected malware ecosystem. Its operations demonstrate:
- Frequent overlaps in malicious code and attack techniques.
- Ongoing experimentation with subclusters and specialized malware.
- A consistent pace of development cycles, highlighting adaptability.
Mustang Panda’s evolving arsenal underscores the threat actor’s long-term commitment to advancing its espionage capabilities while sharpening its regional focus.