Hive0154, aka Mustang Panda, drops updated Toneshell backdoor and novel SnakeDisk USB worm

In July 2025, IBM X-Force discovered new malware attributed to China-aligned threat actor Hive0154. This includes an updated Toneshell variant evading detections and supporting several new features, as well as a novel USB worm called SnakeDisk discovered in mid-August. The worm only executes on devices with Thailand-based IP addresses and drops the Yokai backdoor, discovered by Netskope in December 2024.

• Throughout mid-2025, X-Force observed several Toneshell and Pubload malware variants in weaponized archives mostly uploaded from Singapore and Thailand.
• One of the variants evading VirusTotal detections is the latest update "Toneshell9". It supports command and control (C2) communication through locally configured proxies to blend in with enterprise network traffic and facilitates two reverse shells in parallel.
• X-Force analyzed a new USB worm, SnakeDisk, which only executes on devices located in Thailand, based on their IP address. The worm displays code overlaps with Tonedisk and is able to detect new and existing USB devices, which it weaponizes as a means of propagation.
• The analyzed SnakeDisk sample drops the Yokai backdoor on infected devices, which sets up a reverse shell allowing operators to execute arbitrary commands. Yokai was previously tied to campaigns targeting Thai officials in December 2024.

Hive0154 is a well-established China-aligned threat actor with a large malware arsenal, consistent techniques, and well-documented activity over the past several years. The group consists of multiple subclusters and engages in cyberattacks targeting public and private organizations, including think tanks, policy groups, government agencies, and individuals. X-Force's observation of the group's use of multiple custom malware loaders, backdoors, and USB worm families showcases their advanced development capabilities. Hive0154 activity overlaps with threat actors publicly reported as Mustang Panda, Stately Taurus, Camaro Dragon, Twill Typhoon, Polaris, and Earth Preta.

Throughout mid-2025, X-Force observed several weaponized archives uploaded to VirusTotal from Singapore and Thailand:

Hive0154 was observed using a new loader to reflectively inject either Pubload or Toneshell7, as well as directly deploying the more obfuscated Toneshell8 variant. The most recent Pubload variant has undergone minor changes and now supports decoy C2 servers and downloading shellcode payloads via HTTP POST in addition to raw TCP imitating TLS traffic.

The archive "CallNotes.zip" discovered in September was downloaded from Box Cloud Storage through a link in a PDF lure impersonating the Myanmar Ministry of Foreign Affairs:

In mid-August, X-Force also discovered SnakeDisk, a new USB worm sharing overlap with previous Tonedisk variants. The worm only executes on devices located in Thailand as determined by their public IP address. SnakeDisk distributes the Yokai backdoor, which was publicly linked to several other Thailand-targeted campaigns by Netskope in December 2024. 

Given previous history of the Yokai backdoor being used against Thailand, the discovery of the latest USB worm seemed to coincide with recent geopolitical events surrounding Thailand:

• In late May 2025, Thailand and Cambodia were involved in a border skirmish that resulted in the death of a Cambodian soldier. Subsequent talks between Thailand and Cambodia broke down, with each side reinforcing troops along the border. 
• In June 2025, a phone call between Thailand's prime minister, Paetongtarn Shinawatra, and former Cambodian leader, Hun Sen, was leaked, resulting in removal of Thai prime minister.
• On July 24, 2025, multiple border clashes between Thailand and Cambodia ensued, including use of artillery, airstrikes, and naval bombardments. On July 28, 2025, both sides reached a tentative truce, brokered by US and Malaysia.
• In early August 2025, the Cambodian government accused Thai military of planning an assassination strike against the Cambodian prime minister, which Thai government denied. The Cambodian government cited 'unnamed foreign intelligence' as its source.

Traditionally, the People's Republic of China (PRC) has been a benefactor to Cambodia, supplying weapons and investing billions in infrastructure projects. Recent geopolitical events may have provided impetus for Hive0154 to initiate conduct operations against Thailand. The deployment of the SnakeDisk USB-worm configured to only execute on Thailand-based machines, seems to suggest that Hive0154 may be seeking to penetrate air-gap systems, often employed in government networks.

X-Force first observed Toneshell version 8 in March 2025. It is very similar in behavior to the previous version 7, but contains minor updates to evade static detection and hinder analysis. The most visible change is the inclusion of junk code within the malware's functions. These junk code sections implement the following behavior:

• Use API calls to write random temporary files and delete them again
• Copy and loop through a string. The strings used in the initial samples were copied from OpenAI's ChatGPT website
• Sleep for random intervals

These three code examples can be found, for instance, in the function resolving all of the API's:

Toneshell8 developers also chose to replace the Pseudo Random Number Generator (PRNG) with a custom Linear Congruential Generator (LCG) implementation using different constants, for example:

The PRNGs are used in Toneshell to generate a victim ID, C2 traffic encryption keys, and verify C2 beacon authenticity. The implementations in Toneshell8 samples vary greatly in quality. The generator above, for instance, is used by the 4 samples listed above and only produces 11 different states for most seeds. 

Lastly, the hardcoded response codes sent to the C2 server, which notify operators of the status of certain commands, are now obfuscated by calculating them from different hardcoded integers in the sample. 

In July, X-Force discovered a new Toneshell variant, which we will refer to as Toneshell9. It contains significant updates and does not have any detections on VirusTotal at the time of writing (318a1ebc0692d1d012d20d306d6634b196cc387b1f4bc38f97dd437f117c7e20). 

The new Toneshell variant was first observed in trojanized RAR archives containing "USB Safely Remove" software. The code structure appears to have been based on a forked variant from December 2024, which contains the identical C2 configuration.

Similar to previous variants, Toneshell9 is executed as a sideloaded DLL. The weaponized RAR archive contains a BAT file, launching a legitimate executable "USBSRService.exe" with a "-Embedding" command line argument. Once the Toneshell DLL "EasyFuncs.dll" is loaded into memory and the export FS_RegActiveX is executed, it begins by resolving a first set of APIs needed for initialization. After parsing the "-Embedding" command line argument, Toneshell launches its parent executable in a new process with the argument "EvtSys". The latter argument triggers the malicious DLL's main behavior. 

Toneshell begins by initializing a new client object holding the following values:

It then goes on to resolve the rest of its necessary APIs via a custom hashing function and stores the function pointers in a separate struct. Next, it creates a new event "Windows External Module" which acts as a mutex to prevent multiple instances from running on the same machine. 

Toneshell9 is littered with several sections of junk code, which retrieves the current number of CPU ticks, stores the result as a string and deallocates it again. 

To manage and store C2 communication, proxy servers, beacons, and payloads in memory, Toneshell instantiates a large 129KB object:

Unlike previous variants, Toneshell9 enumerates the HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER and HKEY_USERS\\.DEFAULT registry hives to search for locally configured proxy servers. 

If a server is found, both the URL's protocol (http, https, ftp, or socks) and the full URL are stored as strings in a list of objects. 

Next, Toneshell stores its C2 server domain and IP address in a vector of strings. The same hardcoded IP and port are directly stored in an array of SOCKADDR_IN structures. The malware then loops through the C2 server strings, resolving the IP address for each of them and adding it into the same array of SOCKADDR_IN structures.

As observed in previous variants, Toneshell proceeds to drop a file containing a random 16 byte victim GUID generated via the Windows _rand() function:

The GUID is also stored in a struct together with the path of the file and the victim's NetBIOS name. 

The data above is used to construct a beacon object in memory. Notably, Toneshell9 performs calculations on the difference in the CPU's tick count before and after the main initialization behavior detailed above. This value is normalized, and likely used to detect anomalies in execution time which could indicate a delayed sandbox execution or debugging. 

 The 0x300 byte XOR key is generated via _rand() and used to encrypt the 101 bytes of data, starting at offset 0x300. The data above is packaged into a fake TLS 1.2 Application Data packet of the following format:

During the main loop Toneshell9 executes a function to establish a socket connection to its C2 server. It begins by attempting to connect via the first SOCKADDR_IN structure. If that fails, the malware tries to setup a socket connection through any of the proxy servers collected from the registry. This is attempted for each of the C2 address strings, i.e. the IP address and domain for the sample analyzed above. 

After resolving the IP address of the proxy server and connecting via a TCP socket, it first sets the send and receive timeouts to 1 minute. Next, it sends the following connect request: 

If the proxy server returns a 2xx status code, the connection has been established successfully and is ready for raw TCP tunneling. To verify the connection with its C2 server, Toneshell9 uses a short handshake protocol, also transmitting the server's IP and port in the process. If the handshake is successful, the handle to the socket is stored in the C2_CONNECTION struct and the socket timeouts are set to 2 minutes. Toneshell then sends the first advertisement beacon through the socket. 

It expects a similar response back from its server, which apart from the first 5 bytes is encrypted via the previously transmitted XOR key:

By using a proxy already configured on an infected device, Toneshell can effectively blend in with other network traffic. Larger enterprise environments often enforce egress filtering, only allowing traffic through trusted gateways, which would block direct C2 communication. Toneshell's added capability of circumventing this filtering allows it to operate within well-secured network environments.

Upon receiving the first C2 response, Toneshell starts a new thread that sends heartbeat-like response beacons every 30 seconds, with the 0x1 response code and a random shell_id value. Response beacons have a very similar format:

Toneshell9 supports the following command codes:

Similar to previous variants, a reverse shell is set up using anonymous pipes connected to stdin and stdout handles of a new cmd.exe process. Toneshell9 supports two active reverse shells in parallel and uses the structure below to manage a shell connection:

For each reverse shell, a new thread is created to regularly check for new data from the stdout pipe and send it back to the C2 server in a beacon with response code 0x4. Toneshell operators can write string data to the pipe using the correct shell_id and execute arbitrary commands on the machine. When closing a reverse shell, the conhost.exe process identified by the parent_pid is also terminated on the machine. 

In August 2025, X-Force discovered a previously unknown USB worm which was attributed to Hive0154. The 32-bit DLL was uploaded to VirusTotal as "01.dat" from Thailand and displays similar features to Toneshell9. Both are executed via DLL sideloading, with all exports except for the DllEntryPoint and the malware's entry point pointing to the same function, which immediately returns. They also both feature nearly identical API resolution mechanisms, which is consistent with almost all Toneshell-related malware. Similar to the Toneshell9 sample, SnakeDisk also reads a command-line argument to select one of two possible execution paths:

• "-Embedding": starts the USB infection behavior before dropping and executing the embedded payload once a device is removed.
• "-hope": immediately drops and executes the embedded payload.

In order to execute the USB infection functionality, SnakeDisk requires a configuration file, which it searches for in the parent executable's current directory. Any files found in that directory, unless they are named "System Volume Information", will be added to a list of potential configuration files. Tonedisk goes on to open and read each file, testing the following conditions to verify the file before proceeding with the decryption.

• File size is between 0x14A and 0x14000 bytes
• The first 4 bytes are the correct CRC32 hash of the rest of the file

SnakeDisk proceeds by decrypting the data using a likely custom 2-phase XOR algorithm and a 320-byte key stored in a 330-byte header. 

Finally, the malware parses 18 string values that define the configuration of the malware. X-Force was unable to recover a configuration file; however, analysis of SnakeDisk revealed the following likely purposes of the values.

After successfully reading its configuration file, SnakeDisk will try to confirm that it is currently executing on a Thailand-based machine. It sends an HTTP GET request to http://ipinfo[.]io/json and checks if the "country" field matches either "THA" or "TH". If that is true, execution continues.

Notably, execution will also continue if an error occurs while resolving APIs or during network communication. 

SnakeDisk then ensures it only runs in a single instance by attempting to open a mutex "Global\\<mutx config value>". If the mutex already exists, the malware exits; otherwise, it creates the mutex via CreateMutexW.

In order to infect any already connected USB drives, SnakeDisk begins to loop through all possible drive letters from A-Z. It opens a handle to the physical volume, such as "\\.\A:" and sends the IO control code IOCTL_STORAGE_GET_HOTPLUG_INFO (0x2D0C14) to the device. If the device is a hotplug device according to the returned STORAGE_HOTPLUG_INFO struct, it launches a new thread to infect that drive. 

After going through all drive letters, SnakeDisk sleeps for 5 seconds and then registers a new window class "TestClassName" and creates a corresponding window "TestWindowName". In order to retrieve messages from the operating system, the function creates a Windows Message loop using GetMessageW and dispatches the messages to the malware's window procedure via TranslateMessage and DispatchMessageW. It only exits the loop when receiving a WM_CAP_PAL_OPEN (0x450) message. The malicious window class references a custom procedure which listens for the WM_DEVICECHANGE (0x219) message, and specifically the DBT_DEVICEARRIVAL (0x8000) and DBT_DEVICEREMOVECOMPLETE (0x8004) events. 

If such a message is received, for instance, when a USB device is plugged into the infected machine, the function uses the "dbcv_unitmask" field of the DEV_BROADCAST_VOLUME structure to determine the drive letter of the corresponding device. For newly connected devices, a new thread is launched to infect the drive. If SnakeDisk detects a device removal, it starts a thread to drop and execute its embedded payload, which initiates the same execution path that the SnakeDisk DLL's execution with the "-hope" command line argument would have caused. 

The thread to infect a detected USB device begins by searching the drive for an existing config file to determine if it was already infected. It attempts to decrypt and parse a configuration from any file with a .dat or .cd extension. If a configuration is parsed, the malware compares the version number of the already infected drive to the version of its own configuration and will only reinfect drives with older versions of SnakeDisk on them. 

SnakeDisk then launches another thread to move the existing files on the USB into a new subdirectory. By essentially hiding the files a user expects on their USB, the malware increases the chance of a victim believing the USB has not yet been opened and accidentally clicking the weaponized executable on a new machine bearing the same name as the device. After execution, the malicious launcher would copy back the users' files to avoid any suspicion. The path containing the user's data on an infected device is built from the configuration values as:

The malware may use two different mechanisms for the operation; each launched in its own respective thread. The first uses SHFIleOperationW to move each file, and during every operation, also reads 32 bytes from a file "C:\\Windows\\Tmp\\msd.log", which are written to a file "C:\\ProgramData\\app.log" before deleting the latter. The purpose of this behavior is unclear. 

While the thread runs, the malware regularly checks for successful completion for 30 seconds before launching a second thread. The second thread uses robocopy to move the files and executes the following command in a new process:

Both file movements exclude SnakeDisk's weaponized files and the "System Volume Information" file, which should remain in the USB disk's root directory. After running the command above, the same command is launched again with two additional flags "/IS" and "/XO", to include the same files, and exclude source directory files older than the destination. 

After moving already existing files on the USB, SnakeDisk goes on to copy its own payloads from its current directory to the USB drive. The following files, as specified in the configuration, are copied via CopyFileW, each in a new thread:

The EXE's file name in the root of the USB drive is set to the volume name of the USB device, or just "USB.exe" if it is empty. SnakeDisk also sets the attributes SYSTEM and HIDDEN on the file copied to "<drive_letter>:\<unendl_org>". All directories on the USB carry those attributes as well, effectively hiding everything apart from the executable. Although X-Force did not retrieve any of the other files, previous USB worms used the same technique to lure victims into clicking the executable, which would sideload a DLL to initiate the infection. That malicious DLL's filename is likely stored in the "unendl_org" configuration value. Lastly, SnakeDisk writes its configuration to a new file on the USB with the name from the "unconf" value. 

The SnakeDisk thread responsible for dropping and executing its embedded payload is launched when a USB device removal is detected, or at the beginning of SnakeDisk's execution via the "-hope" command line argument. 

First, the thread reads a marker file "vm.ini" in its directory and compares the content to its own current path. This file is also written after successful dropping and execution of payloads and indicates if a victim has already been infected with SnakeDisk's embedded payload. If the paths match, no payloads will be dropped and the thread terminates. 

After the first check, SnakeDisk begins to drop a series of payloads to the "C:\Users\Public\" directory. Each file is constructed in memory from immediate values in large functions between 0.6 and 3.3 MB.

The payloads are then decrypted via a simple XOR operation before being dropped as files to:

• C:\Users\Public\srv0
• C:\Users\Public\srv1
• C:\Users\Public\srv2
• C:\Users\Public\loga
• C:\Users\Public\logb
• C:\Users\Public\logc

These files are concatenated together in groups of three to produce the two final payloads via the following commands:

The EXE's filename is created from 10 random uppercase letters and numbers. After concatenation, the files are deleted. 

Finally, the executable is launched in a new process with a hardcoded command line argument:

Unsurprisingly, the EXE (bb5bb82e5caf7d4dbbe878b75b23f793a5f3c5ca6dba70d8be447e8c004d26ce) is a legitimate and signed executable (acwebbrowser.exe) which sideloads the malicious libcef.dll during execution. 

The DLL payload was identified as the Yokai backdoor, reported on in December 2024 by Netskope. Upon execution, the malware first checks for the "-project-mod" argument and then establishes persistence via a scheduled task if the user is not a member of the Administrator's group:

It goes on to create a new mutex "k1tpddvivh74fo1et725okr1c1" and initializes an internal configuration structure. The variant dropped by SnakeDisk contains the version string "1.0.0" and reaches out to a hardcoded C2 server via HTTP POST requests:

As described in Netskope's analysis, Yokai is used to create a reverse shell through anonymous pipes, allowing operators to execute arbitrary commands on the infected machine. 

Interestingly, Yokai shows overlaps with other backdoor families attributed to Hive0154, such as Pubload/Pubshell and Toneshell. Although those families are clearly separate pieces of malware, they roughly follow the same structure and use similar techniques to establish a reverse shell with their C2 server.

X-Force analysis also revealed strong overlaps between SnakeDisk and Tonedisk. Over the years, there have been several USB worm families associated with Hive0154. Variants strongly related to the Toneshell family in their implementations are tracked by X-Force as Tonedisk. So far, there have been 3 major Tonedisk versions (A, B and C) identified. Each of the Tonedisk versions is a suite of different malicious components that make up the full functionality of the USB worm. These components include launchers, loaders, spreaders, encrypted files, installers and backdoors.

SnakeDisk overlaps specifically with the ToneDisk A variant, which was also reported on in mid-2023 by Checkpoint as WispRider. Both malware's USB propagation mechanisms, API hashing and configuration files display several similarities, which align with Hive0154 subclusters' known tendency to share and repurpose malware among themselves. 

X-Force tracks the activity in this report under the Hive0154 umbrella cluster, which partially overlaps with activity published as Mustang Panda, Stately Taurus, Camaro Dragon, Twill Typhoon, Polaris, TEMP.Hex, and Earth Preta. This group appears to maintain a considerably large malware ecosystem with frequent overlaps in both malicious code, techniques used during attacks, as well as targeting. Within the larger umbrella cluster, X-Force separates at least three subclusters of activity with low confidence, with each cluster associated with one of the central malware strains PlugX, Toneshell, and Pubload. Notably, each malware strain is paired with a different USB worm framework and one or more related loader malware variants, which change more frequently. The same loader may be used for different payloads, such as Toneshell or Pubload, within the same timeframe. However, it is important to note that the clustering of activity does not automatically signal that they are operating as separate subgroups. 

Activity associated with the use of SnakeDisk and the Yokai backdoor possibly indicates a further subcluster of Hive0154. It currently appears to be mainly targeted towards Thailand, as evident from IP geolocation checks in SnakeDisk and Netskope reporting. 

Hive0154 remains a highly capable threat actor with multiple active subclusters and frequent development cycles. X-Force assesses with high confidence that China-aligned groups like Hive0154 will continue to refine their large malware arsenal and target public and private organizations worldwide. The malware discussed in the report above is likely still in early development, allowing defenders to adopt detection mechanisms before their widespread use. Entities at risk of Hive0154 espionage should remain at a heightened state of defensive security and remain vigilant with regard to the techniques mentioned in this report and review the following recommendations:

• Exercise caution with emails or PDFs containing Google Drive, Box Cloud Storage or Dropbox download links
• Exercise caution with downloaded archives, even if they do contain expected documents. Train staff to display and recognize unexpected file extensions
• Monitor and hunt in networks for TLS 1.2 Application Data packets (header: 17 03 03) without a previous TLS handshake as a sign of a Pubload or Toneshell beacon
• Monitor and hunt for USB drives containing suspicious executable names, DLLs and hidden directories which could indicate a device infected with a USB worm
• Monitor and hunt for suspicious and unknown directories in C:\ProgramData\ which contain a legitimate EXE vulnerable to DLL sideloading and a corresponding DLL
• Monitor and hunt for persistence techniques in the registry and scheduled tasks
• Hunt for processes, network traffic and IoCs detailed in this report
• Monitor any unusual network, persistence, or file modification activity coming from seemingly benign process executables that sideload a malicious DLL

IBM X-Force Premier Threat Intelligence is now integrated with OpenCTI by Filigran, delivering actionable threat intelligence about this threat activity and more. Access insights on threat actors, malware, and industry risks. Install the X-Force OpenCTI Connector to enhance detection and response, strengthening your cybersecurity with IBM X-Force’s expertise. Get a 30-Day X-Force Premier Threat Intelligence trial today!