
SnakeDisk USB worm drops Yokai on Thailand IPs

Malware Activity
Happening score: 24 (1 unique source, 1 article)

Summary


The SnakeDisk USB worm now adds a geofenced propagation path that can drop the Yokai backdoor on hosts whose public IP addresses geolocate to Thailand, raising the risk of localized compromise. It is launched through DLL side-loading and spreads over attached USB devices. On a newly infected machine it lures the user into running it under a fake USB.exe filename. The surrounding toolkit includes TONESHELL variants that continue to evolve alongside the worm/backdoor chain.

Related Happenings

LOTUSLITE backdoor delivered via DLL side-loading and C2 beaconing

Malware Activity
First: 16.01.2026 12:27 Last: 16.01.2026 12:27 Sources 1

About this happening: The **LOTUSLITE** backdoor was delivered as a malicious DLL through **DLL side-loading**, giving the implant a foothold for **beaconing**, **remote tasking**, and **data exfiltrat...

GOVERSHELL backdoor delivered through malicious archives and DLL side-loading

Malware Activity
First: 09.10.2025 20:19 Last: 09.10.2025 20:19 Sources 1

About this happening: The **GOVERSHELL** backdoor is being delivered through **ZIP and RAR archives** that launch a rogue DLL via **DLL side-loading**, creating a live Windows malware threat for target...

Bookworm malware used by Mustang Panda since 2015

Malware Activity
First: 27.09.2025 15:06 Last: 27.09.2025 15:06 Sources 1

About this happening: The long-running **Bookworm** malware used by **Mustang Panda** remains a serious threat because it can maintain control over **compromised systems**. It supports **arbitrary comm...

PlugX/SOGU.SEC in-memory deployment via STATICPLUGIN

Malware Activity
First: 25.08.2025 21:11 Last: 25.08.2025 21:11 Sources 1

About this happening: **UNC6384** used **September-October 2025** spear-phishing to target **European diplomatic and government entities** in **Hungary, Belgium, Italy, the Netherlands, and Serbia** wi...

Latest development: 31.10.2025 15:57

Arctic Wolf said UNC6384 targeted diplomatic organizations in Hungary, Belgium, Italy, and the Netherlands, along with government agencies in Serbia, with spear-phishing emails that delivered malicious LNK files abusing ZDI-CAN-25373/CVE-2025-9491. The chain launched PowerShell to decode and extract a TAR archive, displayed a decoy PDF, sideloaded CanonStager through a legitimate Canon printer assistant utility, and loaded the encrypted PlugX payload cnmplog.dat; an early-September HTA variant also retrieved payloads from cloudfront[.]net.

PipeMagic modular backdoor and loader activity

Malware Activity
First: 18.08.2025 19:03 Last: 18.08.2025 19:03 Sources 1

About this happening: The **PipeMagic** malware remains active in **RansomExx**-linked intrusions, with 2025 variants used to gain **remote access**, run commands, and support **persistence** and **lat...

Timeline

  1. 15.09.2025 21:45 · 2 articles

    Mustang Panda SnakeDisk USB worm drops Yokai on Thailand IPs

    Initial Disclosure

    Mustang Panda, tracked by IBM X-Force as Hive0154, is using the SnakeDisk USB worm with DLL side-loading to propagate through connected USB devices, move existing files into a new sub-directory, and lure execution with a fake USB.exe name. SnakeDisk is geofenced to public IP addresses geolocated to Thailand and can drop the Yokai backdoor, which establishes a reverse shell for arbitrary commands. The surrounding malware set also includes updated TONESHELL variants that use proxy-based C2 communication and parallel reverse shells.

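As an added defender-side example (not code from the page, from IBM X-Force, or from any of the reports it cites), the following Python triage heuristic checks a removable-drive file listing for the lure shape the summary and timeline entry above describe: a fake USB.exe at the drive root, the original files moved into a single new sub-directory, and a DLL sitting beside the executable as the footprint of a DLL side-loading launch. The listings, the sub-directory name and the DLL name are constructed sample data, and the two-of-three scoring threshold is an assumption, not something the report states.

```python
"""Heuristic triage of a removable-drive file listing for the SnakeDisk lure
pattern: fake USB.exe at the drive root, user files relocated into one new
sub-directory, and a DLL next to the executable (side-loading footprint).
Added example; the sample listings and the names 'Docs' and 'helper.dll'
are constructed, and the scoring threshold is an assumption."""
from pathlib import PurePosixPath

LURE_EXE_NAME = "usb.exe"  # file name called out in the report (matched case-insensitively)


def triage_listing(paths):
    """Evaluate a list of paths relative to the drive root and return indicators."""
    root_files = []
    subdirs = set()
    nested_files = []
    for p in paths:
        pp = PurePosixPath(p)
        if len(pp.parts) == 1:
            root_files.append(pp)
        else:
            subdirs.add(pp.parts[0])
            nested_files.append(pp)

    root_names = {f.name.lower() for f in root_files}
    # Indicator 1: the lure executable is present at the root of the drive.
    lure_exe = LURE_EXE_NAME in root_names
    # Indicator 2: a DLL beside that executable, the usual shape of a side-loading drop.
    dll_beside_exe = lure_exe and any(n.endswith(".dll") for n in root_names)
    # Indicator 3: nothing but the lure (exe/dll) remains at root, while the
    # user's files all sit under a single sub-directory they were moved into.
    only_lure_at_root = lure_exe and all(n.endswith((".exe", ".dll")) for n in root_names)
    relocated = only_lure_at_root and len(subdirs) == 1 and len(nested_files) > 0

    score = sum([lure_exe, dll_beside_exe, relocated])
    return {
        "lure_exe_at_root": lure_exe,
        "dll_beside_exe": dll_beside_exe,
        "files_relocated_to_single_subdir": relocated,
        "score": score,
        # Assumed threshold: two or more indicators marks the drive as suspect.
        "verdict": "suspect" if score >= 2 else "clean",
    }


# Constructed sample listings (not real artefacts from the report).
SUSPECT_DRIVE = ["USB.exe", "helper.dll", "Docs/report.docx", "Docs/photos/img1.jpg"]
CLEAN_DRIVE = ["report.docx", "photos/img1.jpg", "notes/todo.txt"]
BORDERLINE_DRIVE = ["USB.exe", "report.docx", "photos/img1.jpg"]  # lure only, no relocation

if __name__ == "__main__":
    for label, listing in (("suspect", SUSPECT_DRIVE), ("clean", CLEAN_DRIVE),
                           ("borderline", BORDERLINE_DRIVE)):
        print(label, triage_listing(listing))
```

The borderline listing shows why the heuristic scores rather than alerts on the file name alone: a single root-level USB.exe is weak evidence by itself, whereas the combination of the lure, a co-located DLL and the wholesale relocation of the user's files is the shape the report attributes to the worm.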