China-Linked Mustang Panda Deploys New USB Worm and Updated Backdoor

Cybersecurity researchers have uncovered fresh activity from the China-aligned threat group Mustang Panda, which is now deploying an upgraded version of its TONESHELL backdoor alongside a new USB worm dubbed SnakeDisk.

CyberSecurity,MustangPanda,Malware
Mustang Panda’s New Cyber Tools

According to a recent analysis by IBM X-Force, SnakeDisk is engineered to run only on devices with Thailand-based IP addresses, where it delivers the Yokai backdoor to establish remote access. This discovery highlights the group’s evolving tactics and its growing focus on Southeast Asia.

Updated TONESHELL Variants

Originally documented in 2022, TONESHELL has been a staple in Mustang Panda’s campaigns across Myanmar, Australia, the Philippines, Japan, and Taiwan. The malware is typically spread through spear-phishing emails, often dropped alongside families like PUBLOAD, which also deliver shellcode payloads from remote command-and-control (C2) servers.

IBM identified two new variants—TONESHELL8 and TONESHELL9—capable of communicating through enterprise proxy servers to disguise malicious traffic. They can also maintain two active reverse shells simultaneously. Notably, TONESHELL8 includes junk code copied from OpenAI’s ChatGPT website to evade detection and resist analysis.

SnakeDisk: A New USB Worm

SnakeDisk, launched via DLL side-loading, is an evolution of the group’s earlier worm framework TONEDISK (aka WispRider). It spreads by moving files on a USB device into a hidden folder, tricking victims into clicking a malicious executable disguised as either the device’s volume name or “USB.exe.” After infecting a new machine, the files are restored to their original location to avoid suspicion.

Once executed, SnakeDisk drops the Yokai backdoor, which creates a reverse shell to run arbitrary commands. Yokai was previously linked to intrusions targeting Thai officials, according to research published in late 2024.

A Growing Malware Ecosystem

Mustang Panda, also tracked as Hive0154, Bronze President, Camaro Dragon, and RedDelta, has been active since at least 2012. Researchers say its continued development of new tools and subclusters shows it is a highly capable state-sponsored actor with a large, overlapping malware ecosystem.

“The use of SnakeDisk and Yokai likely points to a subgroup within Mustang Panda hyper-focused on Thailand,” IBM noted, stressing that the campaign underscores the actor’s ongoing refinement of attack techniques.

Comments

Post a Comment

Popular posts from this blog

Nothing Secures $200M, Plans AI-Native Devices for 2026

Image
London-based phone maker Nothing is taking a bold leap into the future of consumer technology. On September 16 , the company announced it had raised $200 million in a Series C funding round , bringing its valuation to $1.3 billion . Alongside the funding, CEO Carl Pei revealed plans to launch the company’s first AI-native devices in 2026 . Nothing Bets on AI Future Building the Future of AI-Native Devices In a post on X , Pei shared his vision: “From building the only new smartphone company of the last decade, to creating an AI-native platform where hardware & software converge.” He hinted at a future where AI creates personalized operating systems for every user, describing it as “a billion different operating systems for a billion different people.” Pei believes consumer hardware must evolve with the mass adoption of AI, and the company’s upcoming devices aim to deliver intelligence that turns understanding into action . While he did not confirm the form factor, he teas...
Read more

Tarun Wig’s Resilient Leadership: The Rise of Innefu Labs

Image
In the ever-evolving and highly competitive world of cybersecurity, resilience, and innovation are essential qualities for success. Tarun Wig , the Co-Founder of Innefu Labs, exemplifies these traits through his leadership and unwavering belief in the power of technology to safeguard national security. His journey, marked by overcoming challenges and achieving significant milestones, stands as a testament to the transformative growth of Innefu Labs under his guidance. Tarun Wig  Overcoming Setbacks: The Turning Point of 2024 For Tarun Wig Innefu Labs, the year 2024 presented unexpected challenges that tested the company’s resilience and adaptability. The first obstacle came when a key partner misused a product demo and distanced themselves from the collaboration. On top of this, Innefu Labs faced a rare security breach, a concerning event for a company known for its cutting-edge cybersecurity solutions, including Kavach, deployed for NIC since 2018. However, these challenges did no...
Read more

Tarun Wig and Innefu Labs: Cybersecurity Leadership.

Image
Tarun Wig , the co-founder of Innefu Labs, has led the company through significant challenges, turning adversity into opportunities for growth. Innefu Labs, a leader in cybersecurity and AI-driven intelligence solutions, has become an industry pioneer thanks to Tarun’s innovative leadership and his team’s resilience. Tarun Wig Overcoming Major Challenges in 2024 In 2024, Innefu Labs faced unexpected hurdles. A betrayal from a former partner who exploited their product demo and a rare cybersecurity breach tested the company’s security systems. Despite these setbacks, Tarun Wig remained determined to navigate through the crisis and emerged stronger. The breach was a rare event, especially given Innefu’s impressive track record since implementing Kavach for the National Informatics Centre (NIC) in 2018. Strategic Audits and Stronger Security After the breach, Innefu Labs took immediate action by conducting a thorough audit with a top cybersecurity agency. The audit revealed that the brea...
Read more