In July 2025, the cybersecurity community observed a significant escalation in cyber espionage activities attributed to the China-aligned threat actor known as Mustang Panda, or Hive0154. This advanced persistent threat (APT) group introduced two sophisticated malware variants: SnakeDisk, a novel USB worm, and an updated Toneshell9 backdoor. These tools are specifically designed to infiltrate air-gapped systems, marking a strategic evolution in Mustang Panda’s capabilities targeting East Asian networks.
Strategic Shift to Physical Propagation
Traditionally, cyber threat actors have relied on network-based methods to compromise systems. However, Mustang Panda’s recent campaign demonstrates a calculated shift towards physical propagation techniques. By leveraging USB devices as vectors, the group aims to circumvent conventional network security measures, enabling them to access isolated environments that are otherwise challenging to penetrate.
Geographically Targeted Operations
SnakeDisk exhibits a high degree of operational precision by executing exclusively on systems with Thailand-based IP addresses. This selective activation suggests a deliberate focus on specific targets, aligning with the geopolitical tensions between Thailand and Cambodia during this period. Such targeted deployment reflects Mustang Panda’s sophisticated operational security practices, aiming to minimize exposure while maximizing impact on chosen entities.
Discovery and Analysis
IBM analysts identified these malware variants through an in-depth examination of weaponized archives uploaded from Singapore and Thailand in mid-2025. Their analysis revealed significant code overlaps between SnakeDisk and previous Tonedisk variants, alongside enhancements in evasion techniques and capabilities to penetrate air-gapped systems. The concurrent deployment of the Yokai backdoor indicates a multi-stage infection strategy designed to establish persistent access across isolated network environments.
Infection Methodology
The operational methodology employed by Mustang Panda involves distributing weaponized archives via cloud storage platforms like Box. These archives are often disguised as legitimate documents from government agencies, increasing the likelihood of successful infiltration. Within these archives, trojanized software sideloads malicious DLLs, initiating the infection chain. Once the malware is established, it ensures persistence through scheduled tasks and registry modifications, maintaining access even after system reboots.
Advanced USB Propagation Techniques
SnakeDisk employs sophisticated techniques to weaponize USB devices and infiltrate air-gapped systems. The malware begins execution by parsing a configuration file using a custom two-phase XOR decryption algorithm with a 320-byte key. This configuration defines the worm’s operational parameters, including directory structures, file names, and persistence mechanisms.
The USB infection process starts with device enumeration using the Windows IOCTL_STORAGE_GET_HOTPLUG_INFO device I/O control code to identify removable storage devices. Upon detecting a USB drive, SnakeDisk creates a deceptive file structure that hides the user’s original files within subdirectories while placing a weaponized executable in the root directory. The malware uses both the SHFileOperationW API and robocopy commands to relocate the existing files, concealing the malicious components while preserving the appearance of a normal USB device.
Real-Time Monitoring and Payload Deployment
SnakeDisk establishes a Windows message loop to monitor for WM_DEVICECHANGE events, enabling real-time detection of USB insertion and removal events. When a device is removed, SnakeDisk triggers payload execution, dropping the Yokai backdoor into the C:\Users\Public\ directory through a series of concatenated encrypted files that reconstruct the final malicious executable upon deployment.
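As an added illustration (not code from the report or from IBM), the following Python rules show how a defender could flag the two behaviours described above in process-creation telemetry: a robocopy move of a removable drive's root contents into a subdirectory of the same drive, and an executable launched from C:\Users\Public\ by a parent process running from another drive. The log layout, field names and sample records are constructed assumptions modelled on Sysmon Event ID 1, not indicators from the report.

```python
import re

SYSTEM_DRIVE = "C:"
PUBLIC_DIR = "c:\\users\\public\\"   # drop location named in the report

def parse_event(line):
    """Parse one constructed 'key=value|key=value' record into a dict."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|"))

def drive_of(path):
    return path[:2].upper()

def is_drive_root(path):
    return re.fullmatch(r"[A-Za-z]:\\?", path) is not None

def rule_usb_relocation(ev):
    """robocopy /MOV(E) of a non-system drive root into a subdirectory of that same drive."""
    if not ev.get("Image", "").lower().endswith("robocopy.exe"):
        return None
    args = [a.strip('"') for a in re.findall(r'"[^"]+"|\S+', ev.get("CommandLine", ""))]
    paths = [a for a in args[1:] if re.match(r"[A-Za-z]:\\", a)]
    moves = any(a.upper() in ("/MOV", "/MOVE") for a in args)
    if (len(paths) >= 2 and moves and is_drive_root(paths[0]) and drive_of(paths[0]) != SYSTEM_DRIVE
            and drive_of(paths[1]) == drive_of(paths[0]) and not is_drive_root(paths[1])):
        return f"pid {ev['ProcessId']}: robocopy relocated {paths[0]} contents into {paths[1]}"
    return None

def rule_public_drop(ev):
    """Executable under C:\\Users\\Public started by a parent that runs from another drive."""
    image, parent = ev.get("Image", "").lower(), ev.get("ParentImage", "").lower()
    if image.startswith(PUBLIC_DIR) and parent and drive_of(parent) != SYSTEM_DRIVE:
        return f"pid {ev['ProcessId']}: {ev['Image']} launched from {ev['ParentImage']}"
    return None

def scan(lines):
    """Run both rules over every record; returns the list of alert strings."""
    events = [parse_event(l) for l in lines if l.strip()]
    return [hit for ev in events for rule in (rule_usb_relocation, rule_public_drop)
            if (hit := rule(ev))]

# Constructed sample records in a Sysmon-like Event ID 1 layout (not real telemetry).
SAMPLE_LOG = r"""
EventID=1|ProcessId=4120|Image=C:\Windows\System32\Robocopy.exe|CommandLine=robocopy.exe E:\ E:\Docs /E /MOVE|ParentImage=E:\Viewer.exe
EventID=1|ProcessId=4188|Image=C:\Users\Public\update.exe|CommandLine=update.exe|ParentImage=E:\Viewer.exe
EventID=1|ProcessId=5002|Image=C:\Windows\System32\Robocopy.exe|CommandLine=robocopy.exe C:\Data D:\Backup /E|ParentImage=C:\Windows\explorer.exe
EventID=1|ProcessId=5100|Image=C:\Users\Public\Desktop\notes.exe|CommandLine=notes.exe|ParentImage=C:\Windows\explorer.exe
""".strip().splitlines()

for alert in scan(SAMPLE_LOG):
    print("ALERT", alert)
```

Only the first two records trigger an alert; the legitimate backup to D: and the explorer-launched program under Public\Desktop are left alone, which is the false-positive boundary these heuristics rely on.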
Implications and Recommendations
The emergence of SnakeDisk and the updated Toneshell9 backdoor underscores the evolving threat landscape, where state-sponsored actors are increasingly adopting physical propagation methods to infiltrate secure environments. Organizations, especially those operating air-gapped systems, must enhance their security protocols to address these sophisticated attack vectors.
Recommendations:
1. Implement Strict USB Device Policies: Restrict the use of USB devices within secure environments. Only allow authorized devices that have been scanned and approved by security personnel.
2. Regular Security Training: Educate employees about the risks associated with USB devices and the importance of not connecting unknown devices to secure systems.
3. Advanced Threat Detection: Deploy advanced endpoint detection and response (EDR) solutions capable of identifying and mitigating threats that utilize physical propagation methods.
4. Network Segmentation: Ensure that critical systems are adequately segmented from less secure networks to minimize the potential impact of a breach.
5. Regular Security Audits: Conduct regular security audits to identify and address potential vulnerabilities within the organization’s infrastructure.
By adopting these measures, organizations can bolster their defenses against sophisticated threats like those posed by Mustang Panda’s latest malware variants.