Mustang Panda’s New Thailand-Focused USB Worm “SnakeDisk” Drops Yokai Backdoor: What Security Teams Need to Know
Plug in a USB drive. Your files are still there. Everything looks normal. But under the hood, a stealthy USB worm has already moved the drive's contents into a sub-folder, planted a look-alike executable, and is waiting to run its payload, but only if your public IP says "Thailand."
That’s the unsettling twist in Mustang Panda’s latest campaign. The China‑aligned group—tracked by IBM X‑Force as Hive0154 and widely known as BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, Polaris, RedDelta, Stately Taurus, and Twill Typhoon—is wielding a previously undocumented USB worm dubbed SnakeDisk to deliver a new backdoor called Yokai. Alongside it, the group is iterating on its long‑running TONESHELL malware, shipping new variants (TONESHELL8 and TONESHELL9) with more resilient command‑and‑control (C2) features and clever detection evasion tricks.
If you operate in Thailand or engage with Thai entities, this matters. Here’s the full breakdown—how the attack works, what’s new, why Thailand is in the crosshairs, and what to do about it now.
Note: The details summarized here are based on analysis by IBM X‑Force researchers and prior reporting from Trend Micro and Netskope. For original research, see IBM Security Intelligence, Trend Micro Research, and Netskope Threat Labs.
At a glance: The campaign in one minute
- Threat actor: Mustang Panda (Hive0154), active since at least 2012, targeting government and policy sectors across APAC and beyond. See MITRE ATT&CK: Mustang Panda (G0129).
- New tools:
- SnakeDisk: A USB worm that only executes on devices with public IPs geolocated to Thailand, then drops the Yokai backdoor.
- Yokai: A backdoor that sets up a reverse shell for command execution, overlapping with the group’s PUBLOAD/PUBSHELL and TONESHELL families.
- TONESHELL8/9: Updated TONESHELL variants that speak to C2 via local proxies and can maintain two active reverse shells in parallel. One variant includes “junk code” lifted from the ChatGPT site to evade static detection.
- Attack path: Spear‑phishing emails → DLL side‑loading of malware loader → TONESHELL / PUBLOAD stage → SnakeDisk USB propagation + geofenced execution → Yokai backdoor and interactive access.
- Why this is notable: The group is blending social engineering, side-loading through legitimate signed binaries, USB propagation, enterprise proxy-aware C2, and geofencing to Thailand, an unusually specific target profile that suggests a dedicated sub-cluster focused on Thai entities.
Who is Mustang Panda (aka Hive0154)?
Mustang Panda is a prolific China‑aligned threat actor known for long‑running espionage campaigns in Asia and beyond. They favor spear‑phishing, malware staged via DLL side‑loading, and families like TONESHELL and PUBLOAD to gain and maintain access.
- Typical targets: Government agencies, foreign policy think tanks, NGOs, telecoms, and entities linked to regional affairs in Southeast Asia.
- Typical tactics: Social engineering with document lures, side‑loading signed or legitimate binaries to execute malicious DLLs, proxy‑aware C2 traffic that blends into corporate networks, and modular backdoors with reverse shell capabilities.
- For background and TTP mapping, see MITRE ATT&CK: Mustang Panda (G0129).
How this attack works (end‑to‑end)
Let’s break down the flow. Think of it as a chain of dominoes—each stage sets up the next.
- Spear‑phishing: The group sends targeted emails with attachments or links leading to lure documents and a bundle of files designed to set up DLL side‑loading.
- DLL side-loading: A legitimate, usually signed executable is shipped alongside a malicious DLL that carries the name of a library the program imports. Windows resolves DLLs by a fixed search order that checks the application's own directory before the system directories, so the trusted program loads the attacker's DLL and runs it inside its own process. Learn more about DLL side-loading: MITRE ATT&CK T1574.002 and Microsoft's DLL search order documentation.
- TONESHELL or PUBLOAD loader: The side‑loaded DLL executes TONESHELL or PUBLOAD, which fetches next‑stage payloads from C2 and can establish reverse shell access.
- SnakeDisk propagation: In environments where USB drives are present, the new SnakeDisk worm monitors for connected removable media and propagates.
- Geofenced execution: SnakeDisk resolves the host's public IP address and checks where it geolocates. Only if the answer is Thailand does it proceed and drop the Yokai backdoor. Learning a public IP from inside a corporate network normally takes an outbound lookup, which is one more event a proxy log can capture.
- Yokai backdoor: Yokai opens a reverse shell to the C2, giving operators command execution on the host and further foothold into the network.
In short, phishing gets them in, side‑loading keeps them stealthy, proxy‑aware C2 blends into enterprise traffic, and USB gives them reach. Geofencing narrows the blast radius to Thailand, likely to reduce noise and attention elsewhere.
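A concrete way to find the side-loading setup on your own estate, as an added example for this article and not code from IBM X-Force, Trend Micro or Netskope: given a file inventory collected from endpoints (assumed schema: path, signature status, publisher), flag any DLL that sits in the same directory as a signed EXE and carries the name of a standard Windows DLL, which the program should be loading from System32. The DLL-name watchlist, the user-writable path prefixes and the sample rows are constructed for the example.

```python
"""Hunt for DLL side-loading candidates in an endpoint file inventory.

Added example for this article; not code from IBM X-Force, Trend Micro or
Netskope. Assumes an inventory already collected from endpoints (for example
by an EDR file-listing job) with a signature verdict per file. Schema, the
watchlist and the sample rows are constructed for illustration.
"""
from collections import defaultdict

# Standard Windows DLLs that applications import by bare name. Because the
# application directory is searched before System32 (SafeDllSearchMode does
# not change that), a copy of one of these beside an EXE is the classic
# side-loading layout. Assumed watchlist; extend it from your own System32.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll",
                    "userenv.dll", "winmm.dll", "msimg32.dll", "profapi.dll"}

# Directories an ordinary user can write to (assumed prefixes for the example).
USER_WRITABLE_PREFIXES = ("C:\\USERS\\", "C:\\PROGRAMDATA\\",
                          "C:\\TEMP\\", "C:\\WINDOWS\\TEMP\\")

# Constructed inventory rows (not real data): a phishing-style bundle in Temp,
# a vendor's genuine install, and a vendor that ships a system-named DLL itself.
SAMPLE_INVENTORY = [
    {"path": "C:\\Users\\alice\\AppData\\Local\\Temp\\brief\\UpdateTool.exe",
     "signed": True, "publisher": "Example Vendor Ltd"},
    {"path": "C:\\Users\\alice\\AppData\\Local\\Temp\\brief\\version.dll",
     "signed": False, "publisher": None},
    {"path": "C:\\Users\\alice\\AppData\\Local\\Temp\\brief\\Policy_Brief.lnk",
     "signed": False, "publisher": None},
    {"path": "C:\\Program Files\\Example Vendor\\UpdateTool.exe",
     "signed": True, "publisher": "Example Vendor Ltd"},
    {"path": "C:\\Program Files\\Example Vendor\\helper.dll",
     "signed": True, "publisher": "Example Vendor Ltd"},
    {"path": "C:\\Program Files\\Other App\\app.exe",
     "signed": True, "publisher": "Other App Inc"},
    {"path": "C:\\Program Files\\Other App\\wtsapi32.dll",
     "signed": True, "publisher": "Other App Inc"},
]


def _split(path):
    """Split a Windows path into (directory, file name)."""
    directory, _, name = path.rpartition("\\")
    return directory, name


def find_sideload_candidates(inventory):
    """Return DLLs that sit beside a signed EXE and carry a standard system DLL
    name. Severity is 'high' when the DLL's signer differs from the EXE's and
    the directory is user-writable (what a mailed bundle looks like), else
    'medium' (a vendor redistributing a system-named DLL is worth a look, not
    an alarm)."""
    by_dir = defaultdict(list)
    for f in inventory:
        directory, name = _split(f["path"])
        by_dir[directory].append({**f, "name": name.lower()})

    findings = []
    for directory, files in by_dir.items():
        signed_exes = [f for f in files if f["name"].endswith(".exe") and f["signed"]]
        lookalike_dlls = [f for f in files if f["name"] in SYSTEM_DLL_NAMES]
        writable = directory.upper().startswith(USER_WRITABLE_PREFIXES)
        for exe in signed_exes:
            for dll in lookalike_dlls:
                signer_differs = (not dll["signed"]) or dll["publisher"] != exe["publisher"]
                severity = "high" if (signer_differs and writable) else "medium"
                findings.append({"exe": exe["path"], "dll": dll["path"],
                                 "signer_differs": signer_differs,
                                 "user_writable_dir": writable,
                                 "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in find_sideload_candidates(SAMPLE_INVENTORY):
        print(finding)
```

Run over the constructed rows it reports the Temp bundle as high and the vendor-shipped wtsapi32.dll as medium, and says nothing about helper.dll, which is signed by the same publisher as its EXE and is not a system DLL name. Swap the inventory for an export from your EDR and triage the high findings first.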
What’s new in TONESHELL8 and TONESHELL9
The TONESHELL family has been around for years, first publicly documented by Trend Micro during campaigns against Myanmar, Australia, the Philippines, Japan, and Taiwan. The latest variants add new capabilities:
- Enterprise proxy-aware C2: TONESHELL8/9 can route C2 through the locally configured proxy, so beacons take the same egress path as ordinary browsing and look routine to a gateway that only permits traffic via the proxy. See MITRE ATT&CK Application Layer Protocol: Web Protocols (T1071.001) and Proxy (T1090).
- Parallel reverse shells: Operators can maintain two reverse shells at once, increasing flexibility for hands‑on-keyboard actions and reliability if one session drops.
- Static evasion with “junk code”: One variant includes harmless code copied from the ChatGPT website. It’s a smokescreen—padding that confuses basic static analysis and signature‑based detection.
Here’s why that matters: Many defenses rely on simple pattern matches or heuristics. By speaking your proxy’s language and looking like ordinary web traffic—while also stuffing functions with irrelevant code—TONESHELL raises the bar for detection.
For background on TONESHELL’s earlier operations, see Trend Micro Research.
SnakeDisk: A USB worm with a Thailand geofence
SnakeDisk is the standout novelty. It’s built to notice when USB media is plugged in, then use that drive to spread—reviving an old-school tactic with modern polish.
What SnakeDisk does:
- Watches for new and already-connected USB storage devices on the host.
- Moves the files already on the USB into a new sub-directory. The user's data is still present, just rearranged.
- Drops a malicious executable on the USB with a name the user is likely to click:
- either the USB volume name, or
- a generic name such as "USB.exe".
- When the victim opens the decoy on another machine, SnakeDisk runs and then copies the original files back to their expected location so nothing looks out of place.
The twist: SnakeDisk checks the host's public IP and only carries on to the payload stage if it geolocates to Thailand. Outside Thailand it does nothing further, which also means a sample detonated in a sandbox elsewhere may look inert.
A few implications:
- USB is still a powerful propagation vector, especially in environments with air-gapped segments or strict egress controls.
- Geofencing reduces global noise, making the operation stealthier and harder for threat intel teams to see at scale.
- Naming the payload after the USB's volume label is a simple but effective social trick. Users click what looks familiar.
For USB security fundamentals, see CISA’s guidance: Using Caution with USB Drives (ST08‑001).
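The behaviours above are exactly what an endpoint hunt can key on. The following is an added example for this article, not code from the vendors cited: it walks constructed endpoint events (assumed schema, with a USB-insert event carrying the drive letter and volume label, plus file-move, file-create and process-start events) and raises an alert when several SnakeDisk-style indicators cluster within five minutes of an insertion. It implements four of the USB hunt criteria in the playbook later on; the window, the thresholds and the sample events are assumptions.

```python
"""Correlate endpoint telemetry around a USB insertion for SnakeDisk-style
behaviour: bulk relocation of the drive's files into a sub-directory, a decoy
EXE named after the volume (or "USB"), execution from the drive, and a command
shell spawned by that decoy.

Added example for this article; not code from IBM X-Force, Trend Micro or
Netskope. The event schema, field names, host names and timestamps are
constructed and do not come from any real EDR product.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed: indicators must cluster this tightly
MASS_MOVE_THRESHOLD = 20        # assumed: fewer moves is ordinary user tidying
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2025-09-10T09:00:00", "host": "ws-17", "type": "usb_insert",
     "drive": "E:", "label": "FIELDDATA"},
    # forty existing files moved into a new sub-directory named like the volume
    *[{"ts": "2025-09-10T09:00:06", "host": "ws-17", "type": "file_move",
       "src": f"E:\\report{i}.docx", "dst": f"E:\\FIELDDATA\\report{i}.docx"}
      for i in range(40)],
    {"ts": "2025-09-10T09:00:09", "host": "ws-17", "type": "file_create",
     "path": "E:\\FIELDDATA.exe"},
    {"ts": "2025-09-10T09:03:30", "host": "ws-17", "type": "process_start",
     "image": "E:\\FIELDDATA.exe", "parent": "explorer.exe"},
    {"ts": "2025-09-10T09:03:31", "host": "ws-17", "type": "process_start",
     "image": "C:\\Windows\\System32\\cmd.exe", "parent": "FIELDDATA.exe"},
    # a benign host: user copies one text file onto a stick
    {"ts": "2025-09-10T10:00:00", "host": "ws-22", "type": "usb_insert",
     "drive": "F:", "label": "BACKUP"},
    {"ts": "2025-09-10T10:00:20", "host": "ws-22", "type": "file_create",
     "path": "F:\\notes.txt"},
]


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def _on_drive(path, drive):
    return path.upper().startswith(drive.upper() + "\\")


def _relative(path, drive):
    """Path with the 'E:\\' prefix removed."""
    return path[len(drive) + 1:]


def analyse_insertion(insert, events):
    """Return the set of indicators seen on the inserting host within WINDOW."""
    t0 = datetime.fromisoformat(insert["ts"])
    drive, label = insert["drive"], insert["label"]
    window = [e for e in events
              if e["host"] == insert["host"]
              and t0 <= datetime.fromisoformat(e["ts"]) <= t0 + WINDOW]
    hits = set()

    # 1. Bulk relocation of existing files into a sub-directory on the drive
    moved = sum(1 for e in window if e["type"] == "file_move"
                and _on_drive(e["dst"], drive) and "\\" in _relative(e["dst"], drive))
    if moved >= MASS_MOVE_THRESHOLD:
        hits.add("mass_move_to_subdir")

    # 2. Decoy executable in the drive root named after the volume or "USB"
    decoys = set()
    for e in window:
        if e["type"] == "file_create" and _on_drive(e["path"], drive):
            rel = _relative(e["path"], drive)
            if "\\" not in rel and rel.lower().endswith(".exe") \
                    and rel[:-4].lower() in {label.lower(), "usb"}:
                decoys.add(rel.lower())
    if decoys:
        hits.add("decoy_exe_named_like_volume")

    # 3. Anything executed directly from the removable drive
    if any(e["type"] == "process_start" and _on_drive(e["image"], drive) for e in window):
        hits.add("exec_from_removable")

    # 4. A command shell whose parent is the decoy
    if any(e["type"] == "process_start" and _basename(e["image"]).lower() in SHELLS
           and e["parent"].lower() in decoys for e in window):
        hits.add("shell_spawned_by_decoy")
    return hits


def hunt(events, min_hits=2):
    """One alert per USB insertion that shows at least min_hits indicators."""
    alerts = []
    for e in events:
        if e["type"] == "usb_insert":
            hits = analyse_insertion(e, events)
            if len(hits) >= min_hits:
                alerts.append({"host": e["host"], "drive": e["drive"],
                               "indicators": sorted(hits)})
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

On the constructed events the ws-17 insertion trips all four indicators and ws-22 trips none. Requiring two indicators rather than one keeps a user who simply runs a portable tool from a stick out of the alert queue; the decoy-name check is the cheapest single signal if you need something to start with.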
Yokai backdoor: A familiar reverse shell in a new package
Once SnakeDisk runs on a Thailand-based system, it drops Yokai. Yokai:
- Establishes a reverse shell to the operator's C2.
- Accepts commands for reconnaissance, data staging, and possibly further payload delivery.
- Shares structural and functional overlaps with PUBLOAD/PUBSHELL and TONESHELL, even though they are distinct codebases.
Why it matters: The group’s toolset is modular and convergent—separate families that look and behave similarly. That suggests a shared development pipeline and code reuse, which makes the ecosystem fast to evolve but also gives defenders consistent behavioral clues to hunt for.
For recent reporting on Yokai in Thai‑focused intrusions, see Netskope Threat Labs and IBM Security Intelligence.
Why target Thailand?
While Mustang Panda operates globally, the geofencing to Thailand points to a sub-cluster with a focused mission. Strategic drivers likely include:
- Regional policy and government affairs
- National infrastructure and telecom intelligence
- Diplomatic, defense, or cross-border initiatives
- NGOs and research organizations with Thailand-related portfolios
That focus doesn’t mean others are safe. It means today’s tradecraft (USB propagation, proxy‑aware C2, stealthy side‑loading) could be reused tomorrow with a different geofence—or none at all.
Key techniques to watch (with MITRE ATT&CK mapping)
- Initial access: Spear-phishing attachments and links (Phishing, T1566.001/T1566.002), with the user opening the lure bundle (User Execution: Malicious File, T1204.002)
- Execution: DLL side-loading (Hijack Execution Flow: DLL Side-Loading, T1574.002)
- Command and control: Application Layer Protocol: Web Protocols (T1071.001) through the victim's configured enterprise proxy (Proxy, T1090)
- Lateral movement/propagation: Replication Through Removable Media (T1091)
- Defense evasion: junk code to foil static signatures (Obfuscated Files or Information, T1027); side-loading so the payload runs inside a signed, trusted process
- Discovery: public-IP geofencing before the payload stage (System Location Discovery, T1614)
- Discovery and collection: hands-on-keyboard commands over the reverse shell (Command and Scripting Interpreter, T1059)
Defensive playbook: What to do now
You don’t control who targets you. You do control how ready you are. Start with the highest‑impact moves.
1) Harden the USB attack surface
- Disable AutoRun/AutoPlay via Group Policy. Current Windows versions no longer AutoRun executables from USB storage, and the SnakeDisk chain relies on the user double-clicking the decoy anyway, so treat this as baseline hygiene rather than a fix for this campaign.
- Enforce device control: allow only approved, encrypted USB storage on managed endpoints. Microsoft Defender for Endpoint offers granular controls: Device control overview.
- Use a "media scanning station" for high-risk or air-gapped environments.
- Educate users not to open "USB.exe" or an executable that matches the drive's name; that pairing is the social engineering tell.
- Turn on the File Explorer options to show file extensions and hidden items so ".exe" stowaways are visible.

2) Contain DLL side-loading
- Inventory and restrict signed applications that load DLLs from directories users can write to.
- Safe DLL Search Mode (on by default) only moves the current working directory later in the search order; the application's own directory is still searched before System32, so it does not stop a DLL dropped beside a legitimate EXE. Keep it on, prefer full library paths in software you build yourself, but rely on application control and on blocking execution from user-writable paths. See Microsoft's DLL search order documentation.
- Use application control (AppLocker/WDAC) to allow only signed, known-good binaries and DLLs in sensitive paths, and to deny execution from Downloads, Temp and other user-writable locations.

3) Control egress and proxy behavior
- Force all outbound web traffic through authenticated proxies or secure web gateways.
- Monitor for suspicious proxy-mediated connections and unusual user agents.
- Inspect TLS where policy and privacy permit. Alert on inconsistent SNI/JA3 fingerprints, odd beacon timing, or new destinations from non-browser processes.

4) Hunt for USB worm behaviors
Look for clusters of events within minutes of USB insertion:
- Creation of a new sub-directory on the USB root with mass file moves into it.
- A new executable dropped on the USB with a name matching the volume label or "USB.exe".
- cmd.exe or powershell.exe spawned by that executable.
- File copy operations that "restore" the original files after execution.
- New processes making outbound connections shortly after an executable launched from the drive.

5) Detect reverse shell tradecraft
- New or infrequent processes making outbound connections over 80/443 with odd patterns (long-lived sessions, regular short beacons, or connections outside business hours).
- Two concurrent command sessions from the same host and process to the same destination.
- Non-browser processes using the system proxy settings.
- DNS anomalies: newly observed domains, high NXDOMAIN rates, or fast-flux behavior.

6) Phishing resilience
- Harden email gateways against malicious attachments and lures.
- Strip or sandbox risky file types. Monitor for archives that contain both a signed executable and a DLL.
- Run targeted phishing simulations for teams that engage with Thai partners or governmental workstreams.

7) Response readiness
- Pre-stage USB incident runbooks: collect the drive, isolate the endpoint, image the device, and preserve the USB directory structure.
- Keep IR contacts and escalation paths current. Add "geofenced malware" as a specific scenario.
- Practice containment without internet egress (if Yokai is already live, cutting C2 quickly is key).
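For playbook items 3 and 5, and for the proxy-aware, dual-shell behaviour described for TONESHELL8/9, here is an added example (not code from the vendors cited) that runs two checks over constructed endpoint network telemetry: flag a non-browser process whose connection timing to one destination is too regular to be human, and flag a process that holds two or more sessions to the same destination open at once. Field names, process names, the 203.0.113.0/24 addresses, the thresholds and the timestamps are all constructed.

```python
"""Two hunts over endpoint network telemetry (connections seen at the proxy,
attributed to a process): (1) low-jitter periodic connections from a
non-browser process, (2) parallel long-lived sessions from one process to one
destination, as a dual reverse shell would produce.

Added example for this article; not code from IBM X-Force, Trend Micro or
Netskope. Event schema, process names, addresses (203.0.113.0/24 is a
documentation range), thresholds and timestamps are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
MIN_EVENTS = 6      # assumed: fewer connections cannot establish periodicity
MAX_JITTER = 0.15   # assumed: flag if stdev(interval) / mean(interval) is below this

T0 = datetime(2025, 9, 10, 9, 0, 0)


def _at(seconds):
    return (T0 + timedelta(seconds=seconds)).isoformat()


# Constructed sample: a side-loaded helper beaconing every ~60 s via the proxy,
# a browser with irregular timing, and a chat client with bursty timing.
SAMPLE_CONNECTIONS = (
    [{"host": "ws-17", "process": "svc_helper.exe", "dest": "203.0.113.10:443", "ts": _at(s)}
     for s in (0, 60, 117, 180, 240, 298, 360, 421)]
    + [{"host": "ws-17", "process": "chrome.exe", "dest": "203.0.113.10:443", "ts": _at(s)}
       for s in (0, 5, 125, 128, 528, 558, 560, 1460)]
    + [{"host": "ws-22", "process": "teams.exe", "dest": "203.0.113.20:443", "ts": _at(s)}
       for s in (0, 300, 303, 900, 905, 2100, 2104)]
)

# Constructed sessions with start and end (as flow records would give you).
SAMPLE_SESSIONS = [
    {"host": "ws-17", "process": "svc_helper.exe", "dest": "203.0.113.10:443",
     "start": _at(300), "end": _at(9000)},
    {"host": "ws-17", "process": "svc_helper.exe", "dest": "203.0.113.10:443",
     "start": _at(1200), "end": _at(6000)},
    {"host": "ws-22", "process": "teams.exe", "dest": "203.0.113.20:443",
     "start": _at(0), "end": _at(600)},
    {"host": "ws-22", "process": "teams.exe", "dest": "203.0.113.20:443",
     "start": _at(900), "end": _at(1500)},
]


def find_beacons(connections):
    """Return (host, process, dest) groups whose inter-connection intervals are
    suspiciously regular, ignoring browsers."""
    by_key = defaultdict(list)
    for c in connections:
        if c["process"].lower() in BROWSERS:
            continue
        by_key[(c["host"], c["process"], c["dest"])].append(datetime.fromisoformat(c["ts"]))
    hits = []
    for (host, process, dest), times in by_key.items():
        if len(times) < MIN_EVENTS:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg   # coefficient of variation of the gaps
        if jitter < MAX_JITTER:
            hits.append({"host": host, "process": process, "dest": dest,
                         "connections": len(times),
                         "mean_interval_s": round(avg, 1), "jitter": round(jitter, 3)})
    return hits


def max_concurrent(sessions):
    """Sweep-line count of the most sessions open at one instant."""
    edges = []
    for s in sessions:
        edges.append((datetime.fromisoformat(s["start"]), 1))
        edges.append((datetime.fromisoformat(s["end"]), -1))
    edges.sort()   # at equal timestamps -1 sorts before +1: an end never overlaps a start
    open_now = peak = 0
    for _, delta in edges:
        open_now += delta
        peak = max(peak, open_now)
    return peak


def find_parallel_sessions(sessions, min_concurrent=2):
    """Return non-browser process/destination pairs holding min_concurrent
    sessions open at the same time."""
    by_key = defaultdict(list)
    for s in sessions:
        if s["process"].lower() not in BROWSERS:
            by_key[(s["host"], s["process"], s["dest"])].append(s)
    hits = []
    for (host, process, dest), group in by_key.items():
        peak = max_concurrent(group)
        if peak >= min_concurrent:
            hits.append({"host": host, "process": process, "dest": dest, "max_concurrent": peak})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_CONNECTIONS) + find_parallel_sessions(SAMPLE_SESSIONS):
        print(hit)
```

On the constructed data svc_helper.exe is reported twice: its gaps sit within a few seconds of 60 (jitter about 0.03), and it holds two overlapping sessions to the same destination, while teams.exe is bursty and never overlaps. Tune MIN_EVENTS and MAX_JITTER against your own baseline before alerting; some updaters also poll on a fixed schedule, so the process allow-list matters as much as the math.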
Quick checklist for teams in or working with Thailand
- Enforce USB device control, especially on laptops frequently crossing borders.
- Review EDR telemetry for the USB behaviors above in the last 90 days.
- Lock down DLL side‑loading on workstations used for diplomatic, policy, or admin tasks.
- Ensure all web traffic goes through a proxy with logging.
- Create high‑fidelity alerts for executables launched from removable drives.
- Communicate a brief user advisory: “Beware USB.exe; report any USB that suddenly rearranges files.”
Indicators of compromise and deeper research
Campaign-specific IOCs (domains, hashes, C2 IPs) evolve quickly. For current indicators and samples, consult the original research and subscribe to updates from:
- IBM Security Intelligence (X-Force)
- Trend Micro Research
- Netskope Threat Labs
- MITRE ATT&CK: Mustang Panda (G0129)
Tip: Build detections around behaviors (side‑loading, USB mass file move, proxy‑based C2) rather than static IOCs alone. Behavior doesn’t change as fast as infrastructure.
The bigger picture: USB is back, with modern tricks
We're used to thinking of spear-phishing and web beacons as the main event. SnakeDisk reminds us that removable media still matters, especially where:
- Users shuttle files between segmented networks.
- Contractors and partners bring their own devices.
- Air-gaps limit traditional C2 paths, making USB the path of least resistance.
Add enterprise‑proxy‑aware C2 and geofencing, and you get a campaign that is both precise and resilient. This is a hallmark of a mature adversary with active development cycles and multiple sub‑teams—exactly how IBM X‑Force characterizes Hive0154.
FAQs
Q: What is SnakeDisk?
A: SnakeDisk is a USB worm observed in Mustang Panda operations. It moves files on a USB drive into a sub‑folder, drops a malicious executable (often using the USB’s name or “USB.exe”), and executes only on devices with public IPs geolocated to Thailand. Its purpose is to propagate and deliver the Yokai backdoor.
Q: What does the Yokai backdoor do?
A: Yokai establishes a reverse shell to the attacker’s C2, allowing commands to run on the infected host. It overlaps in structure and techniques with Mustang Panda’s PUBLOAD/PUBSHELL and TONESHELL families.
Q: How is TONESHELL8/9 different from earlier versions?
A: The latest variants can communicate via locally configured enterprise proxies, maintain two reverse shells in parallel, and include junk code (e.g., copied from the ChatGPT site) to complicate static analysis.
Q: Why would malware execute only in Thailand?
A: Geo‑fencing narrows the target set, reduces global noise, and helps avoid detection by organizations outside the intended focus. It suggests a dedicated sub‑cluster with mission objectives tied to Thailand.
Q: How does DLL side‑loading work in simple terms?
A: A trusted app loads a DLL with a name it expects. If a malicious DLL with that name is placed where the app looks first, Windows loads it and runs attacker code inside the trusted app. See MITRE’s T1574.002 and Microsoft’s DLL search order.
Q: Does SnakeDisk affect macOS or Linux?
A: Public reporting focuses on Windows environments and Windows‑style side‑loading and USB behaviors. Always treat unknown USB devices as untrusted across platforms and enforce device control where possible.
Q: How can I check if my network is affected?
A: Look for USB‑related anomalies (mass file moves on removable media, executables named after the USB volume or “USB.exe”), side‑loaded DLLs next to signed binaries, and outbound connections from non‑browser processes over your proxy. If you operate in Thailand or with Thai entities, increase scrutiny and consult vendor IOCs.
Q: What sectors are most at risk?
A: Government, policy, telecom, NGOs, and research organizations tied to Southeast Asia are typical Mustang Panda targets, but spillover is always possible.
Q: What’s the fastest win for defenders?
A: Enforce USB device control, disable AutoRun, and add detections for executables launched from removable drives. Then clamp down on DLL side‑loading and ensure all outbound traffic goes through monitored, authenticated proxies.
Final takeaway
Mustang Panda’s latest toolkit blends old and new: tried‑and‑true DLL side‑loading, a revived USB propagation channel, smarter proxy‑based C2, and laser‑focused geofencing to Thailand. If you operate in or around Thailand, tighten USB controls, hunt for side‑loading behaviors, and make your proxies do the heavy lifting for detection.