Mustang Panda Deploys SnakeDisk USB Worm: A New Cyber Threat Targeting Thailand

## TL;DR
The China-linked APT group Mustang Panda (also known as Hive0154, Camaro Dragon, or RedDelta) has been observed deploying a new USB worm named SnakeDisk alongside an updated version of the TONESHELL backdoor. This campaign specifically targets Thai government networks, exploiting recent geopolitical tensions between Thailand and Cambodia. SnakeDisk spreads via infected USB drives, drops the Yokai backdoor, and establishes reverse shells for remote command execution. The attack highlights the group's evolving tactics and the growing threat of USB-based malware in cyber espionage.


## Introduction
China-linked Advanced Persistent Threat (APT) group Mustang Panda has expanded its cyber arsenal with the deployment of SnakeDisk, a sophisticated USB worm, and an upgraded version of the TONESHELL backdoor. This campaign, discovered in mid-2025, targets Thai government networks and leverages geopolitical tensions in the region. The group's latest tools demonstrate a high level of adaptability, combining USB-based propagation with advanced backdoor capabilities to evade detection and maintain persistence.

Mustang Panda, active since at least 2012, has a history of targeting government organizations, NGOs, think tanks, and religious institutions across Asia, Europe, and the United States. Their recent activities underscore the group's ongoing refinement of malware and exploitation of geopolitical conflicts to achieve strategic objectives.


## Who Is Mustang Panda?
Mustang Panda, also known as Hive0154, Camaro Dragon, RedDelta, or Bronze President, is a China-linked APT group with a long history of cyber espionage. Since its emergence, the group has targeted:

  • Government organizations in the U.S. and Europe,
  • Think tanks and NGOs,
  • Religious institutions, including Catholic organizations at the Vatican,
  • Asian countries, such as Taiwan, Hong Kong, Mongolia, Tibet, and Myanmar.

In 2022, Mustang Panda exploited European Union reports on the Ukraine conflict and Ukrainian government documents as lures to deploy malware. Their campaigns often use phishing emails and weaponized documents to initiate infections.


## The SnakeDisk USB Worm: A New Threat
In mid-2025, IBM X-Force researchers identified SnakeDisk, a previously undocumented USB worm employed by Mustang Panda. This malware specifically targets devices in Thailand, as determined by their public IP address. SnakeDisk operates by:

  1. Infecting USB Drives: The worm spreads via removable USB drives, hiding malicious files in a hidden folder while masquerading as legitimate files.
  2. Dropping the Yokai Backdoor: Once executed, SnakeDisk deploys the Yokai backdoor, which establishes a reverse shell for remote command execution.
  3. Geographic Targeting: SnakeDisk verifies the victim's location by querying http://ipinfo.io/json and proceeds only if the device is in Thailand (country codes: THA or TH).
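The geolocation check in step 3 is a weak signal on its own, because plenty of legitimate software also queries ipinfo.io; what makes it worth alerting on is its timing relative to a removable-media mount on the same host. The following is an added example (not IBM X-Force's code or a SnakeDisk artefact) that joins constructed proxy lines against constructed USB mount events and flags a lookup that follows a mount within a short window; the log formats and the five-minute window are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample telemetry, not a real capture.
# Proxy lines: timestamp, endpoint hostname, destination host, URL path.
PROXY_LOG = """\
2025-07-14T09:12:03Z ws-041 ipinfo.io /json
2025-07-14T09:40:15Z ws-017 ipinfo.io /json
2025-07-14T10:02:44Z ws-041 update.example.internal /feed
"""
# Removable-media mount events: timestamp, endpoint hostname, volume label.
USB_EVENTS = """\
2025-07-14T09:11:40Z ws-041 PHOTOS
2025-07-14T08:05:00Z ws-017 BACKUP
"""

GEO_HOSTS = {"ipinfo.io"}          # the lookup service named in the report
WINDOW = timedelta(minutes=5)      # assumed correlation window


@dataclass(frozen=True)
class Alert:
    host: str
    lookup_time: datetime
    volume_label: str


def parse(lines: str):
    """Yield (timestamp, endpoint, remaining fields) for each non-empty line."""
    for line in lines.splitlines():
        ts, host, *rest = line.split()
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), host, rest


def geo_lookups_after_usb(proxy_log: str, usb_events: str, window=WINDOW):
    """Return one Alert per /json geolocation lookup that occurs within
    `window` after a USB mount on the same endpoint."""
    mounts = [(ts, host, rest[0]) for ts, host, rest in parse(usb_events)]
    alerts = []
    for ts, host, (dst, path) in parse(proxy_log):
        if dst not in GEO_HOSTS or path != "/json":
            continue
        for mount_ts, mount_host, label in mounts:
            # Only a lookup that follows the mount, and soon after it, counts.
            if mount_host == host and timedelta(0) <= ts - mount_ts <= window:
                alerts.append(Alert(host, ts, label))
    return alerts
```

In the sample data only ws-041 trips the rule; ws-017's lookup is more than an hour after its mount and is left alone.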

### How SnakeDisk Operates
SnakeDisk employs several evasion and persistence techniques:

- DLL Sideloading: The worm uses DLL sideloading to execute malicious code alongside legitimate applications.
- Configuration File Validation: It searches for a configuration file in its parent directory, validates it using size and CRC32 checks, and decrypts it with a two-phase XOR routine.
- USB Infection Routine: When a USB drive is detected, SnakeDisk:
  - Moves all files into a hidden folder,
  - Replaces them with a malicious executable disguised as the USB's volume name,
  - Restores the original files after execution to hide its tracks.
- Persistence Mechanisms: The Yokai backdoor ensures persistence via scheduled tasks and maintains communication with a hardcoded Command & Control (C2) server.
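The USB infection routine leaves a recognisable on-disk layout: the user's files parked in a hidden folder next to an executable named after the drive's volume label. As an added example (not IBM X-Force's code and not derived from a SnakeDisk sample), the scanner below checks the root of a mounted drive for that combination; the executable extensions, the Windows system folders it ignores, and the constructed sample layout are assumptions.

```python
import stat
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

EXEC_SUFFIXES = {".exe", ".com", ".scr", ".pif"}
# Hidden folders Windows itself keeps at a volume root; not evidence on their own.
BENIGN_HIDDEN = {"system volume information", "$recycle.bin"}


@dataclass
class ScanResult:
    decoy_executables: list = field(default_factory=list)
    hidden_dirs_with_files: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Flag only when both halves of the pattern occur together.
        return bool(self.decoy_executables and self.hidden_dirs_with_files)


def is_hidden(path: Path) -> bool:
    """Hidden via the file-system attribute on Windows, or a leading dot elsewhere."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN) or path.name.startswith(".")


def scan_drive(root: str, volume_label: str) -> ScanResult:
    """Inspect the root of a removable drive for the decoy-plus-hidden-folder layout."""
    result = ScanResult()
    label = volume_label.strip().lower()
    for entry in Path(root).iterdir():
        if entry.is_file() and entry.suffix.lower() in EXEC_SUFFIXES:
            # An executable named after the drive is the lure offered in place
            # of the user's files, which have been moved out of sight.
            if entry.stem.lower() == label:
                result.decoy_executables.append(entry.name)
        elif entry.is_dir() and is_hidden(entry) and entry.name.lower() not in BENIGN_HIDDEN:
            moved = sum(1 for p in entry.rglob("*") if p.is_file())
            if moved:
                result.hidden_dirs_with_files.append((entry.name, moved))
    return result


def build_sample_drive(infected: bool) -> str:
    """Constructed sample layout (not a real capture) in a fresh temp directory."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    docs = root / (".PHOTOS" if infected else "Holiday")
    docs.mkdir()
    (docs / "IMG_0001.jpg").write_bytes(b"constructed placeholder")
    if infected:
        (root / "PHOTOS.exe").write_bytes(b"MZ constructed placeholder, not a binary")
    return str(root)
```

Run `scan_drive` against a real mount point with the label reported by the OS; a hit is a trigger for imaging the drive and pulling the host's scheduled-task and DLL-load telemetry, not a verdict by itself.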


## Connection to Geopolitical Tensions
The deployment of SnakeDisk coincides with escalating tensions between Thailand and Cambodia in mid-2025. Key events include:

  • Border Clashes: Artillery exchanges, airstrikes, and naval engagements between the two nations.
  • Political Instability: A leaked call led to the ouster of Thailand's Prime Minister.
  • Assassination Allegations: Cambodia accused Thailand of plotting an assassination, further straining relations.

Given China's alignment with Cambodia, cybersecurity experts speculate that Mustang Panda exploited this crisis to target Thai government networks and gather intelligence.


## Technical Overlaps with Previous Campaigns
SnakeDisk shares technical similarities with earlier Mustang Panda malware:

  • Toneshell9 Backdoor: Like SnakeDisk, Toneshell9 uses DLL sideloading and reverse shells to maintain access.
  • Yokai Backdoor: Previously linked to Thailand-targeted campaigns in late 2024, Yokai shares code overlaps with Toneshell and Pubload malware families.
  • Propagation Techniques: SnakeDisk's USB-based spreading mechanism mirrors earlier variants like Tonedisk.

IBM X-Force researchers noted:
> "Hive0154 remains a highly capable threat actor with multiple active subclusters and frequent development cycles. China-aligned groups like Hive0154 will continue to refine their large malware arsenal and target public and private organizations worldwide."


## Why This Matters
The emergence of SnakeDisk highlights several critical trends in cybersecurity:

  1. USB-Based Malware Resurgence: Attackers are increasingly leveraging removable media to bypass network defenses.
  2. Geopolitical Cyber Espionage: APT groups like Mustang Panda are exploiting regional conflicts to conduct targeted attacks.
  3. Evolving Evasion Techniques: The use of DLL sideloading, IP-based targeting, and hidden folders demonstrates the group's sophistication in evading detection.

Organizations, particularly in government and critical infrastructure sectors, must:
- Monitor USB device usage,
- Implement strict access controls,
- Deploy advanced threat detection to mitigate such risks.


## Conclusion
Mustang Panda's deployment of the SnakeDisk USB worm and the updated TONESHELL backdoor marks a significant escalation in cyber espionage tactics. By targeting Thai government networks amid geopolitical tensions, the group demonstrates its ability to adapt and exploit real-world events for strategic advantage.

As USB-based malware continues to evolve, organizations must strengthen their defenses against such threats. The discovery of SnakeDisk serves as a critical reminder of the importance of proactive cybersecurity measures in an era of increasingly sophisticated APT campaigns.


## Additional Resources
For further insights, explore these authoritative sources:
- IBM X-Force Report: Hive0154 Drops Updated Toneshell Backdoor
- Netskope: Yokai Backdoor Targets Thai Officials
- Trend Micro: Mustang Panda's Latest Campaigns
- CISA Alert: TA17-117A