The China-aligned threat actor known as Mustang Panda has been observed using an updated version of a backdoor called TONESHELL and a previously undocumented USB worm called SnakeDisk.
“The worm only executes on devices with Thailand-based IP addresses and drops the Yokai backdoor,” IBM X-Force researchers Golo Mühr and Joshua Chung said in an analysis published last week.
The tech giant’s cybersecurity division is tracking the cluster under the name Hive0154, which is also broadly referred to as BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, Polaris, RedDelta, Stately Taurus, and Twill Typhoon. The state-sponsored threat actor is believed to have been active since at least 2012.
TONESHELL was first publicly documented by Trend Micro way back in November 2022 as part of cyber attacks targeting Myanmar, Australia, the Philippines, Japan, and Taiwan between May and October. Typically executed via DLL side-loading, its primary responsibility is to download next-stage payloads on the infected host.
Typical attack chains involve the use of spear-phishing emails to drop malware families like PUBLOAD or TONESHELL. PUBLOAD, which also functions similarly to TONESHELL, is also capable of downloading shellcode payloads via HTTP POST requests from a command-and-control (C2) server.
The newly identified TONESHELL variants, named TONESHELL8 and TONESHELL9 by IBM X-Force, support C2 communication through locally configured proxy servers to blend in with enterprise network traffic and facilitate two active reverse shells in parallel. It also incorporates junk code copied from OpenAI’s ChatGPT website within the malware’s functions to evade static detection and resist analysis.
Also launched using DLL side-loading is a new USB worm called SnakeDisk that shares overlaps with TONEDISK (aka WispRider), another USB worm framework under the TONESHELL family. It’s mainly used to detect new and existing USB devices connected to the host, using it as a means of propagation.
Specifically, it moves the existing files on the USB into a new sub-directory, effectively tricking the victim to click on the malicious payload on a new machine by setting its name to the volume name of the USB device, or “USB.exe.” Once the malware is launched, the files are copied back to their original location.
A notable aspect of the malware is that it’s geofenced to execute only on public IP addresses geolocated to Thailand. SnakeDisk also serves as a conduit to drop Yokai, a backdoor that sets up a reverse shell to execute arbitrary commands. It was previously detailed by Netskope in December 2024 in intrusions targeting Thai officials.
“Yokai shows overlaps with other backdoor families attributed to Hive0154, such as PUBLOAD/PUBSHELL and TONESHELL,” IBM said. “Although those families are clearly separate pieces of malware, they roughly follow the same structure and use similar techniques to establish a reverse shell with their C2 server.”
The use of SnakeDisk and Yokai likely points to a sub-group within Mustang Panda that’s hyper-focused on Thailand, while also underscoring the continued evolution and refinement of the threat actor’s arsenal.
“Hive0154 remains a highly capable threat actor with multiple active subclusters and frequent development cycles,” the company concluded. “This group appears to maintain a considerably large malware ecosystem with frequent overlaps in both malicious code, techniques used during attacks, as well as targeting.”
