346/68 Wednesday, September 17, 2025

Cybersecurity researchers from IBM X-Force have revealed that Mustang Panda, a China-linked state-sponsored threat group, is leveraging several new malware variants in its campaigns. Most notably, the group has introduced a new USB worm called SnakeDisk, designed to propagate infections and deliver the Yokai backdoor, enabling remote control of compromised machines. Uniquely, SnakeDisk has been configured to execute only on devices with IP addresses located in Thailand, highlighting Thailand as a primary target of this campaign.
SnakeDisk spreads via USB devices by moving existing files into hidden subfolders and creating a decoy file named “USB.exe”, tricking victims into opening it. Once executed, the original files are restored, making detection more difficult. In parallel, Mustang Panda continues to deploy TONESHELL and PUBLOAD malware through spear-phishing emails to download payloads and establish command-and-control (C2) channels. The new version of TONESHELL has been upgraded with code obfuscation to evade detection and supports communication through corporate proxy servers.
Researchers also noted that the deployment of SnakeDisk and Yokai suggests the presence of a dedicated Mustang Panda subgroup focusing specifically on Thailand, given that Yokai was previously observed in attacks against senior Thai officials in late 2024. These developments highlight the continuous evolution of Hive0154 (IBM’s tracking name for Mustang Panda), one of the most sophisticated state-backed groups with a broad malware arsenal and a history of constant upgrades to increase attack complexity.
This threat underscores the critical need for vigilance when using portable media such as USB drives, which may unknowingly carry malware. Experts recommend avoiding the use of unknown USB devices in both personal and organizational environments and ensuring that all removable media is scanned with up-to-date antivirus software before use.
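As an added example (not code from IBM X-Force or the source article), the Python sketch below turns the reported SnakeDisk layout, a `USB.exe` in the drive root next to hidden subfolders holding the user's files, into a triage check for removable media. The names `Entry`, `assess_drive_root` and `list_root`, the sample listings, and the rule that both signs must co-occur are assumptions made for illustration.

```python
import os
from dataclasses import dataclass

DECOY_NAME = "usb.exe"          # decoy file name reported in the article
FILE_ATTRIBUTE_HIDDEN = 0x2     # Windows file attribute bit

@dataclass
class Entry:
    name: str
    is_dir: bool
    hidden: bool
    child_count: int = 0        # items inside, for directories

def assess_drive_root(entries):
    """Return (suspicious, reasons) for one listing of a removable drive's root."""
    decoys = [e for e in entries if not e.is_dir and e.name.lower() == DECOY_NAME]
    hidden_dirs = [e for e in entries if e.is_dir and e.hidden and e.child_count]
    visible_other = [e for e in entries if not e.hidden and e not in decoys]
    reasons = []
    if decoys:
        reasons.append("USB.exe present in drive root")
    if hidden_dirs:
        names = ", ".join(e.name for e in hidden_dirs)
        reasons.append("hidden non-empty folder(s): " + names)
    if decoys and not visible_other:
        reasons.append("USB.exe is the only visible item")
    # Assumed heuristic: flag only when the decoy and hidden content co-occur.
    return bool(decoys and hidden_dirs), reasons

def list_root(path):
    """Build Entry objects from a mounted drive (hidden bit is exposed on Windows only)."""
    out = []
    with os.scandir(path) as it:
        for de in it:
            st = de.stat(follow_symlinks=False)
            hidden = bool(getattr(st, "st_file_attributes", 0) & FILE_ATTRIBUTE_HIDDEN)
            is_dir = de.is_dir(follow_symlinks=False)
            try:
                count = len(os.listdir(de.path)) if is_dir else 0
            except OSError:
                count = 0
            out.append(Entry(de.name, is_dir, hidden, count))
    return out

# Constructed sample listings (not taken from any real device).
SAMPLE_SUSPECT = [Entry("USB.exe", False, False), Entry("data", True, True, 14)]
SAMPLE_CLEAN = [Entry("report.docx", False, False), Entry("photos", True, False, 3)]

if __name__ == "__main__":
    for label, listing in (("suspect", SAMPLE_SUSPECT), ("clean", SAMPLE_CLEAN)):
        print(label, assess_drive_root(listing))
```

Because the article states that the original files are restored once the decoy is executed, this check is meaningful on a drive inspected before anything on it is opened.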
Source: https://thehackernews.com/2025/09/mustang-panda-deploys-snakedisk-usb.html