Sep 15, 2025Ravie LakshmananMalware / Community Safety
The China-aligned risk actor often called Mustang Panda has been noticed utilizing an up to date model of a backdoor referred to as TONESHELL and a beforehand undocumented USB worm referred to as SnakeDisk.
“The worm solely executes on gadgets with Thailand-based IP addresses and drops the Yokai backdoor,” IBM X-Pressure researchers Golo Mühr and Joshua Chung mentioned in an evaluation printed final week.
The tech large’s cybersecurity division is monitoring the cluster beneath the identify Hive0154, which can also be broadly known as BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, Polaris, RedDelta, Stately Taurus, and Twill Hurricane. The state-sponsored risk actor is believed to have been energetic since no less than 2012.
TONESHELL was first publicly documented by Pattern Micro manner again in November 2022 as a part of cyber assaults concentrating on Myanmar, Australia, the Philippines, Japan, and Taiwan between Might and October. Sometimes executed by way of DLL side-loading, its major accountability is to obtain next-stage payloads on the contaminated host.
Typical assault chains contain using spear-phishing emails to drop malware households like PUBLOAD or TONESHELL. PUBLOAD, which additionally capabilities equally to TONESHELL, can also be able to downloading shellcode payloads by way of HTTP POST requests from a command-and-control (C2) server.
The newly recognized TONESHELL variants, named TONESHELL8 and TONESHELL9 by IBM X-Pressure, assist C2 communication by regionally configured proxy servers to mix in with enterprise community visitors and facilitate two energetic reverse shells in parallel. It additionally incorporates junk code copied from OpenAI’s ChatGPT web site inside the malware’s capabilities to evade static detection and resist evaluation.
Additionally launched utilizing DLL side-loading is a brand new USB worm referred to as SnakeDisk that shares overlaps with TONEDISK (aka WispRider), one other USB worm framework beneath the TONESHELL household. It is primarily used to detect new and present USB gadgets linked to the host, utilizing it as a way of propagation.
Particularly, it strikes the present information on the USB into a brand new sub-directory, successfully tricking the sufferer to click on on the malicious payload on a brand new machine by setting its identify to the quantity identify of the USB machine, or “USB.exe.” As soon as the malware is launched, the information are copied again to their authentic location.
A notable side of the malware is that it is geofenced to execute solely on public IP addresses geolocated to Thailand. SnakeDisk additionally serves as a conduit to drop Yokai, a backdoor that units up a reverse shell to execute arbitrary instructions. It was beforehand detailed by Netskope in December 2024 in intrusions concentrating on Thai officers.
“Yokai exhibits overlaps with different backdoor households attributed to Hive0154, reminiscent of PUBLOAD/PUBSHELL and TONESHELL,” IBM mentioned. “Though these households are clearly separate items of malware, they roughly comply with the identical construction and use related methods to determine a reverse shell with their C2 server.”
Using SnakeDisk and Yokai probably factors to a sub-group inside Mustang Panda that is hyper-focused on Thailand, whereas additionally underscoring the continued evolution and refinement of the risk actor’s arsenal.
“Hive0154 stays a extremely succesful risk actor with a number of energetic subclusters and frequent growth cycles,” the corporate concluded. “This group seems to keep up a significantly massive malware ecosystem with frequent overlaps in each malicious code, methods used throughout assaults, in addition to concentrating on.”
