Mustang Panda Deploys SnakeDisk USB Worm to Deliver Yokai Backdoor on Thailand IPs
Summary
Mustang Panda, a China-aligned threat actor, has been observed using an updated version of the TONESHELL backdoor and a new USB worm called SnakeDisk. The worm targets devices with Thailand-based IP addresses and delivers the Yokai backdoor. The threat actor, tracked as Hive0154, has been active since at least 2012 and is known for sophisticated cyber operations. The updated TONESHELL variants, TONESHELL8 and TONESHELL9, support C2 communication through proxy servers and incorporate junk code to evade detection. SnakeDisk, which shares similarities with TONEDISK, propagates via USB devices and drops the Yokai backdoor on targeted systems. The Yokai backdoor establishes a reverse shell to execute arbitrary commands. This activity highlights Mustang Panda's continued evolution and focus on specific geographic targets, particularly Thailand.
Timeline
- 15.09.2025 21:45, 1 article
Mustang Panda Deploys SnakeDisk USB Worm to Deliver Yokai Backdoor on Thailand IPs
Mustang Panda, a China-aligned threat actor, has been observed using an updated version of the TONESHELL backdoor and a new USB worm called SnakeDisk. The worm targets devices with Thailand-based IP addresses and delivers the Yokai backdoor. The updated TONESHELL variants, TONESHELL8 and TONESHELL9, support C2 communication through proxy servers and incorporate junk code to evade detection. SnakeDisk propagates via USB devices and drops the Yokai backdoor, which establishes a reverse shell to execute arbitrary commands.
Sources:
- Mustang Panda Deploys SnakeDisk USB Worm to Deliver Yokai Backdoor on Thailand IPs (thehackernews.com, 15.09.2025 21:45)
Information Snippets
- Mustang Panda, also known as Hive0154, has been active since at least 2012.
  First reported: 15.09.2025 21:45 (1 source, 1 article)
  Source: Mustang Panda Deploys SnakeDisk USB Worm to Deliver Yokai Backdoor on Thailand IPs (thehackernews.com, 15.09.2025 21:45)
- TONESHELL was first documented in November 2022, targeting Myanmar, Australia, the Philippines, Japan, and Taiwan.
  First reported: 15.09.2025 21:45 (1 source, 1 article)
  Source: Mustang Panda Deploys SnakeDisk USB Worm to Deliver Yokai Backdoor on Thailand IPs (thehackernews.com, 15.09.2025 21:45)
- TONESHELL8 and TONESHELL9 support C2 communication through proxy servers and incorporate junk code to evade detection.
  First reported: 15.09.2025 21:45 (1 source, 1 article)
  Source: Mustang Panda Deploys SnakeDisk USB Worm to Deliver Yokai Backdoor on Thailand IPs (thehackernews.com, 15.09.2025 21:45)
- SnakeDisk is a new USB worm that propagates via USB devices and drops the Yokai backdoor.
  First reported: 15.09.2025 21:45 (1 source, 1 article)
  Source: Mustang Panda Deploys SnakeDisk USB Worm to Deliver Yokai Backdoor on Thailand IPs (thehackernews.com, 15.09.2025 21:45)
- Yokai backdoor establishes a reverse shell to execute arbitrary commands.
  First reported: 15.09.2025 21:45 (1 source, 1 article)
  Source: Mustang Panda Deploys SnakeDisk USB Worm to Deliver Yokai Backdoor on Thailand IPs (thehackernews.com, 15.09.2025 21:45)
- SnakeDisk is geofenced to execute only on devices with Thailand-based IP addresses.
  First reported: 15.09.2025 21:45 (1 source, 1 article)
  Source: Mustang Panda Deploys SnakeDisk USB Worm to Deliver Yokai Backdoor on Thailand IPs (thehackernews.com, 15.09.2025 21:45)
- Mustang Panda's operations indicate a sub-group focused on Thailand.
  First reported: 15.09.2025 21:45 (1 source, 1 article)
  Source: Mustang Panda Deploys SnakeDisk USB Worm to Deliver Yokai Backdoor on Thailand IPs (thehackernews.com, 15.09.2025 21:45)