Mustang Panda targets Thailand with Yokai backdoor via SnakeDisk USB worm
Summary
Hide ▲
Show ▼
Mustang Panda, a China-aligned threat actor, has deployed an updated version of the TONESHELL backdoor and a new USB worm called SnakeDisk. The worm targets devices with Thailand-based IP addresses to deliver the Yokai backdoor. Mustang Panda, also known as Hive0154, has been active since at least 2012 and is known for its sophisticated attack chains involving spear-phishing and multiple malware families. The Yokai backdoor sets up a reverse shell to execute arbitrary commands. The new TONESHELL variants, TONESHELL8 and TONESHELL9, use locally configured proxy servers for C2 communication and incorporate junk code to evade detection. SnakeDisk propagates via USB devices and is geofenced to execute only in Thailand. The use of SnakeDisk and Yokai indicates a sub-group within Mustang Panda focused on Thailand.
Timeline
-
15.09.2025 21:45 1 articles · 14d ago
Mustang Panda deploys SnakeDisk USB worm to deliver Yokai backdoor on Thailand IPs
Mustang Panda, also known as Hive0154, has been observed using an updated version of the TONESHELL backdoor and a new USB worm called SnakeDisk. The worm targets devices with Thailand-based IP addresses to deliver the Yokai backdoor. The new TONESHELL variants, TONESHELL8 and TONESHELL9, use locally configured proxy servers for C2 communication and incorporate junk code to evade detection. SnakeDisk propagates via USB devices and is geofenced to execute only in Thailand.
Show sources
- Mustang Panda Deploys SnakeDisk USB Worm to Deliver Yokai Backdoor on Thailand IPs — thehackernews.com — 15.09.2025 21:45
Information Snippets
-
Mustang Panda, also known as Hive0154, has been active since at least 2012.
First reported: 15.09.2025 21:451 source, 1 articleShow sources
- Mustang Panda Deploys SnakeDisk USB Worm to Deliver Yokai Backdoor on Thailand IPs — thehackernews.com — 15.09.2025 21:45
-
TONESHELL was first documented in November 2022, targeting multiple countries in Asia and the Pacific.
First reported: 15.09.2025 21:451 source, 1 articleShow sources
- Mustang Panda Deploys SnakeDisk USB Worm to Deliver Yokai Backdoor on Thailand IPs — thehackernews.com — 15.09.2025 21:45
-
TONESHELL8 and TONESHELL9 support C2 communication through locally configured proxy servers.
First reported: 15.09.2025 21:451 source, 1 articleShow sources
- Mustang Panda Deploys SnakeDisk USB Worm to Deliver Yokai Backdoor on Thailand IPs — thehackernews.com — 15.09.2025 21:45
-
TONESHELL8 and TONESHELL9 incorporate junk code from OpenAI's ChatGPT to evade static detection.
First reported: 15.09.2025 21:451 source, 1 articleShow sources
- Mustang Panda Deploys SnakeDisk USB Worm to Deliver Yokai Backdoor on Thailand IPs — thehackernews.com — 15.09.2025 21:45
-
SnakeDisk is a USB worm that propagates by moving files on USB devices and renaming malicious payloads.
First reported: 15.09.2025 21:451 source, 1 articleShow sources
- Mustang Panda Deploys SnakeDisk USB Worm to Deliver Yokai Backdoor on Thailand IPs — thehackernews.com — 15.09.2025 21:45
-
SnakeDisk is geofenced to execute only on devices with Thailand-based IP addresses.
First reported: 15.09.2025 21:451 source, 1 articleShow sources
- Mustang Panda Deploys SnakeDisk USB Worm to Deliver Yokai Backdoor on Thailand IPs — thehackernews.com — 15.09.2025 21:45
-
Yokai backdoor sets up a reverse shell to execute arbitrary commands.
First reported: 15.09.2025 21:451 source, 1 articleShow sources
- Mustang Panda Deploys SnakeDisk USB Worm to Deliver Yokai Backdoor on Thailand IPs — thehackernews.com — 15.09.2025 21:45
-
Yokai was previously detailed in December 2024 in intrusions targeting Thai officials.
First reported: 15.09.2025 21:451 source, 1 articleShow sources
- Mustang Panda Deploys SnakeDisk USB Worm to Deliver Yokai Backdoor on Thailand IPs — thehackernews.com — 15.09.2025 21:45