Researchers at IBM X-Force have uncovered new operations by the Chinese threat group Hive0154, better known as Mustang Panda. Analysts observed the simultaneous deployment of an upgraded variant of the Toneshell backdoor alongside a newly developed USB worm named SnakeDisk, specifically engineered to target devices in Thailand. This strategy underscores a deliberate effort to infiltrate even air-gapped government networks in the region.
The latest strain of the malware, dubbed Toneshell9, represents a significant evolution from its predecessors. It incorporates built-in mechanisms for operating through corporate proxy servers, allowing malicious traffic to masquerade as legitimate network communications.
Among its capabilities are a dual reverse shell for parallel command execution, custom encryption algorithms based on modified random number generators, and advanced obfuscation techniques involving the insertion of junk code embedded with neural-network-generated strings.
Persistence on infected machines is maintained via DLL sideloading, while communication with command-and-control servers is disguised as TLS 1.2 Application Data packets. The client’s architecture enables it to interact with multiple servers, proxies, and key sets simultaneously. Particularly notable is its ability to extract proxy settings directly from the Windows system registry, demonstrating a sophisticated understanding of enterprise network configurations.
In parallel, IBM specialists identified the entirely new USB worm SnakeDisk, which activates only when detecting IP addresses within Thailand — a clear indication of the campaign’s strategic targeting. SnakeDisk is designed to spread via removable media, conceal legitimate files on flash drives, and install the Yokai backdoor, previously deployed in attacks against Thai officials in late 2024.
This method allows adversaries to bypass air gaps and compromise critical systems physically isolated from the internet. The campaign’s launch coincides with escalating border tensions between Thailand and Cambodia in 2025, heightening the political significance of the attacks.
Analysts further observed that Hive0154 extensively leverages social engineering. Malicious archives, masquerading as official documents from Myanmar’s Ministry of Foreign Affairs, were distributed via Box and Google Drive. The discovery of these infected files uploaded from Singapore and Thailand confirms the group’s focused intent on Southeast Asian targets. With a toolkit that includes custom loaders, backdoors, and multiple families of USB worms, Mustang Panda continues to demonstrate a high degree of technical sophistication.
According to IBM X-Force, Hive0154’s activities align with China’s strategic interests, with Cambodia serving as a key ally and Thailand positioned as a focal point of regional pressure. SnakeDisk’s geographic selectivity suggests these attacks are not indiscriminate infections but rather precision reconnaissance and intelligence-gathering operations amid growing instability.
Experts advise at-risk organizations to strengthen defenses by monitoring removable media usage, analyzing TLS traffic for anomalies lacking valid handshakes, and scrutinizing documents downloaded from cloud platforms — even those that appear to bear official seals. Mustang Panda’s evolving arsenal illustrates that the threat to regional governments remains both serious and intensifying.
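The second piece of advice above, checking TLS traffic for sessions that carry Application Data records without a valid handshake, can be turned into a simple stream classifier. The following is an added illustration written for this article, not code from IBM X-Force or from the Toneshell analysis; it assumes you already have the reassembled TCP payload of each direction of a connection (for example from a packet capture), parses the TLS record layer, and flags streams where Application Data (content type 0x17) appears without a ClientHello and ServerHello having been exchanged first. The sample byte strings are constructed for the demonstration and say nothing about the real Toneshell wire format.

```python
"""Flag TLS-looking streams that skip the handshake (added example, constructed data)."""
import struct

TLS_HANDSHAKE = 0x16          # record content type: Handshake
TLS_APPLICATION_DATA = 0x17   # record content type: Application Data
HS_CLIENT_HELLO = 0x01        # handshake message type: ClientHello
HS_SERVER_HELLO = 0x02        # handshake message type: ServerHello


def parse_records(stream: bytes):
    """Split a raw TCP payload into (content_type, version, body) TLS records.

    Stops at the first truncated record so a partial capture cannot be misread.
    """
    records = []
    off = 0
    while off + 5 <= len(stream):
        ctype, ver, length = struct.unpack("!BHH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        if len(body) < length:
            break
        records.append((ctype, ver, body))
        off += 5 + length
    return records


def _has_handshake_msg(records, hs_type: int) -> bool:
    """True if any Handshake record starts with the given handshake message type."""
    return any(ct == TLS_HANDSHAKE and body[:1] == bytes([hs_type])
               for ct, _, body in records)


def classify_stream(client_to_server: bytes, server_to_client: bytes) -> str:
    """Return 'ok', 'no_handshake' or 'not_tls' for one bidirectional stream.

    'no_handshake' is the anomaly the article's advice points at: encrypted-looking
    Application Data with no ClientHello/ServerHello exchange preceding it.
    """
    c_recs = parse_records(client_to_server)
    s_recs = parse_records(server_to_client)
    if not c_recs and not s_recs:
        return "not_tls"
    saw_client_hello = _has_handshake_msg(c_recs, HS_CLIENT_HELLO)
    saw_server_hello = _has_handshake_msg(s_recs, HS_SERVER_HELLO)
    saw_app_data = any(ct == TLS_APPLICATION_DATA for ct, _, _ in c_recs + s_recs)
    if saw_app_data and not (saw_client_hello and saw_server_hello):
        return "no_handshake"
    if saw_app_data or saw_client_hello:
        return "ok"
    return "not_tls"


# --- helpers to build constructed sample traffic -------------------------------

def tls_record(ctype: int, body: bytes, version: int = 0x0303) -> bytes:
    """Wrap a body in a TLS record header (type, version, length)."""
    return struct.pack("!BHH", ctype, version, len(body)) + body


def handshake_record(hs_type: int, body: bytes) -> bytes:
    """Wrap a handshake message (type + 24-bit length + body) in a Handshake record."""
    msg = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return tls_record(TLS_HANDSHAKE, msg)


# Constructed sample 1: a session that looks like a normal TLS 1.2 exchange.
LEGIT_C2S = (handshake_record(HS_CLIENT_HELLO, b"\x03\x03" + b"\x00" * 32 + b"\x00"
                              + b"\x00\x02\xc0\x2f" + b"\x01\x00")
             + tls_record(TLS_APPLICATION_DATA, b"\xaa" * 40))
LEGIT_S2C = (handshake_record(HS_SERVER_HELLO, b"\x03\x03" + b"\x00" * 32 + b"\x00"
                              + b"\xc0\x2f" + b"\x00")
             + tls_record(TLS_APPLICATION_DATA, b"\xbb" * 40))

# Constructed sample 2: a beacon that emits Application Data records straight away.
SUSPECT_C2S = tls_record(TLS_APPLICATION_DATA, b"\xcc" * 64)
SUSPECT_S2C = tls_record(TLS_APPLICATION_DATA, b"\xdd" * 16)

if __name__ == "__main__":
    print("legit  :", classify_stream(LEGIT_C2S, LEGIT_S2C))      # ok
    print("suspect:", classify_stream(SUSPECT_C2S, SUSPECT_S2C))  # no_handshake
```

In practice you would feed `classify_stream` from a flow reassembler and alert only on `no_handshake` results from internal hosts to external addresses, since plenty of legitimate traffic on port 443 is simply not TLS and lands in `not_tls`; the check also complements, rather than replaces, proxy logs, because a client that has read the proxy settings from the registry will route the same records through the corporate proxy.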