Hive0154 targeting US, Philippines, Pakistan and Taiwan in suspected espionage campaign

As of May 2025, IBM X-Force is tracking a suspected espionage campaign using weaponized ZIP archives to distribute Pubload and Toneshell backdoors. X-Force attributes this campaign, which likely began in late 2024, to China-aligned threat actor Hive0154, whose operations overlap with groups tracked as Mustang Panda, Stately Taurus, Camaro Dragon, Twill Typhoon, Polaris and Earth Preta. The archives contain politically themed lures likely designed to entice government, military and diplomatic personnel in the Philippines, the United States and Pakistan. Hive0154 subclusters have used similar tactics in the past. Specifically, they have used the Claimloader malware to install persistent backdoors facilitating direct access to victim environments to gain advanced insight into emergent decisions of world governments. X-Force has also observed the group employing a USB worm to spread Pubload in Taiwan, potentially reaching networks that might be air-gapped.

• Hive0154 is a well-established China-aligned threat actor with a large malware arsenal, consistent techniques and well-documented activity over the past several years
• Among the malware arsenal, X-Force discovered a number of tools designed to target a specific audience, likely targeting the Philippines', the United States' and Pakistan's government, military and diplomatic personnel
• X-Force discovery suggests Hive0154’s use of geopolitical topics tailored to separate audiences: 1. the Philippines, using South China Sea tensions; 2. Pakistan, using Balochistan separatists’ activities; and 3. the United States, using spoofed National Security Council meeting notes
• These tailored attacks suggest Hive0154 is likely attempting to gain intelligence on the potential strategies and intent of the U.S. administration and the neighboring countries to China
• One of Hive0154's subclusters has consistently used evolving Claimloader variants to deploy related Pubload and Toneshell backdoors and target entities in Europe, the Asia-Pacific region and the US
• X-Force investigated recent activity in Taiwan, where the HIUPAN USB worm was used to spread the Pubload backdoor to a major manufacturing company. Hive0154 also uses filenames related to invoices and legal documents as lures to target Taiwan in May 2025

Since at least 2022, Hive0154 has used the Toneshell malware family among others to conduct worldwide cyber operations. Toneshell-related malware, such as Pubload and Pubshell (aka NoFive), indicates the group maintains separate malware strands as part of their operations. The group consists of multiple subclusters and targets public and private organizations, including think tanks, policy groups, government agencies and individuals. X-Force assesses that this threat actor is a capable threat as evidenced by its use of multiple independent malware loaders, backdoor and USB worm families, and consistent reporting of its activity by several security research teams.

In 2023, Palo Alto reported that one of the Hive0154 subclusters X-Force tracks was using various lures to spread the Pubload backdoor. Some of the lures below also coincide with a campaign against Myanmar as reported by CSIRT CTI in January 2024. The lures below show China's ongoing interest in Southeast Asian countries and Australia.

The weaponized ZIP files generally contain a renamed legitimate executable, such as SolidPDFCreator.exe (e2acbc36c2cce4050e34033c12f766fea58b4196d84cf40e979fac8fed24c942), which is used to sideload a malicious DLL. The DLL is part of the Claimloader family, which is comprised of different shellcode loader variants used by Hive0154 throughout the years to load payloads associated with the Pubload and Toneshell backdoor families.

Throughout 2024, further Hive0154 activity was recorded, some of which was reported on by FatzQuatz, the StrikeReadyLabs Twitter/X account, and Hunt.io:

The DLL sideloading technique within ZIPs remains the same, but different versions of the Claimloader DLL were registered with changes to the decryption algorithm. Some of the campaigns also used a Toneshell DLL (0bd114fecfd3c09820fa013d8cd8aadedee69906b6f81a2e827bba68ddf1023b) directly. 

X-Force observed several new campaigns in late 2024 and early 2025 following the same TTPs, which were attributed to the same Hive0154 subcluster. The latest Claimloader variants also support opening decoy PDFs as part of the installation routine, before injecting their shellcode payloads. The PDFs, as well as the DLLs, use file attributes to remain hidden to a standard user.

Two lures and their associated decoy filenames specifically mention tensions over the South China Seas between China and the Philippines, with the Philippines government calling for close military cooperation with the United States in light of growing activities by the Chinese military. These developments will likely elicit increased interest from the recipients, who may be more inclined to open the attachment. Such recipients may include the Philippines' government, military and diplomatic personnel, and may also involve U.S. government and military personnel whose duty might warrant engaging in the topic presented by the filenames.

Both lures sideload a Claimloader DLL, which loads the same Toneshell backdoor detailed further below. 

Claimloader is a family of loaders used by Hive0154 in the past to load various shellcode payloads, including Toneshell and Pubload. Over the years, it has evolved into several different versions with varying functionality.

One of the early samples, compiled in late 2021, was published on by Palo Alto's Unit 42. It uses an interesting technique, copying shellcode into a buffer via the UuidFromStringA API. It further executes the shellcode as a callback function passed to EnumSystemLanguageGroupsA.

A similar technique was previously reported on by the NCC group.

In November 2022, LAC reported on a Claimloader variant likely targeting government organizations in the Philippines in an infection chain almost exactly the same as the activity in 2023-2024 detailed in the previous sections. The variant stores its payload as 32-byte blocks of encrypted stack strings, before decrypting each of them. It also copies the legitimate executable and the Claimloader DLL to a new directory before attempting to establish persistence via the registry or scheduled tasks, effectively making it an installer in addition to a loader.

Upon execution, the malware begins by creating a hardcoded mutex to ensure only a single instance of Claimloader is running. Next, it checks for a specific command line argument, which is not present on the first run. If that's the case, Claimloader will copy both the EXE and DLL into a new unobtrusive directory, often under "C:\ProgramData\", imitating a software directory such as:

• C:\ProgramData\NVIDIACorporatione\
• C:\ProgramData\NVIDIACorporation\
• C:\ProgramData\jxbrowserEdgeBLA\
• C:\ProgramData\jxbrowserEdgeIDWT\
• C:\ProgramData\JxbrowserChromium\
• C:\ProgramData\FastPerfPDF\
• C:\ProgramData\NVIDIAFrameViewSDK\

This behavior is used by most of the more recent Claimloader samples and can also lead to unsuccessful sandbox executions. 

Next, the malware establishes persistence on login by storing the path of the EXE with the correct command line argument in a new registry key again with an unobtrusive software name under:

Claimloader also uses a secondary persistence mechanism by creating the following process to create a scheduled task, which will execute the loader every 5 minutes:

Note that the exact techniques may deviate; one sample, for instance, used COM objects instead to schedule the task by connecting to the ITaskService interface (8957c8de9032b347ee1a15abbae489788533acac0b1a000a2104812df24fb8ce). 

Claimloader's decryption algorithms have varied in samples between DES (latest version), at least two implementations of AES and XOR-based decryption routines using a hardcoded seed to generate a keystream via the _srand() function:

To execute their payloads after decryption, most Claimloader variants use APIs with callback functions, but there are also variants that create a new thread or directly call the payload as a function.

Below is a table of different Claimloader samples and their techniques:

Several recent samples have added support to display a decoy PDF during the first execution of Claimloader.

After opening the PDF file for the user, Claimloader removes the "System" and "Hidden" file attributes to make the PDF permanently visible to the user in the open folder. 

The latest Claimloader variant at the time of publication uses obfuscated API and DLL names, which are XOR encrypted with 0x99. During execution, the loader decrypts the strings and calls LdrLoadDll and LdrGetProcedureAddress to resolve the function pointers for the APIs it needs.

Both Claimloader DLLs associated with the South China Sea lures load the same Toneshell backdoor (5d7b9605cf85371da0849b82977df222ac6c970596c5a9a123c9490789d40078) as shellcode, which is a valid PE at the same time. 

The DOS Header was modified to include a small stub to call another function at offset 0x4200, while providing the base address of the PE as an argument. This loader function goes on to manually load the PE, resolving necessary imports and mapping the sections into memory. This technique allows malware developers to convert a valid PE into shellcode post-compilation. 

The Toneshell family comprises a large arsenal of different variants and has evolved significantly over time. Although it shares strong code overlaps with the Pubload backdoor, it is tracked separately by X-Force. Variants may differ in C2 mechanisms, custom C2 protocols, supported commands and API hashes. X-Force also groups multiple versions of a USB worm framework called "Tonedisk" under the Toneshell family. 

The Toneshell backdoor from the campaign above is a comparatively simple variant and is designed to establish a reverse shell through its C2 server. 

It begins by resolving its APIs and creating a new GUID via CoCreateGuid. The resulting 16 bytes are used as a unique victim identifier and are written in a new file:

Next, it creates a new event "Fool87012900137", which it uses as a mutex to ensure it is the only running instance. Toneshell initializes its main struct with the C2 server address (45[.]136[.]254[.]193:443), the GUID and the victim's computer name, among other configuration values. It also initializes an implementation of the Microsoft "rand" PRNG.

For each beacon querying the C2 server for commands, Toneshell generates the next 256-byte key from the PRNG, which is used to encrypt C2 communication, the GUID and the computer name.

The TCP beacons contain the following values formatted with a header imitating a TLS Application Data packet (17 03 03):

Toneshell expects a similar response back from the server:

After decrypting the response, the first byte is parsed as a command value, the second byte is used as an identifier for created pipes and the rest as the command payload.

Before handling the command, Toneshell creates a new thread that sends heartbeat-like response beacons every 30 seconds. Every beacon must also send the correct lowest byte of the next 4 bytes generated by the initialized PRNG keystream to verify the integrity of the communication to the C2 server. These beacons are formatted as follows:

This version of Toneshell supports the following C2 command codes:

To create a reverse shell, Toneshell sets up two anonymous pipes and creates a new cmd.exe process using the pipes to write data to stdin and read data from stdout and stderr. 

By adding the handles to the pipes into the STARTUPINFO structure of the new process, Toneshell can execute arbitrary commands by simply writing to the pipe. In a new thread, Toneshell peeks the pipe for new output using PeekNamedPipe every 100ms. Any new data is read from the pipe and relayed back to the C2 server.

As of February 2025, X-Force observed a Hive0154 campaign delivering the Pubload backdoor through similar variants of Claimloader as described above. The four samples below share the same C2 server 218[.]255[.]96[.]245:443

In the case of the LNK file above, it executes the legitimate renamed executable to initiate the DLL sideloading of Claimloader:

One of the weaponized ZIP files contained a legitimate executable renamed to "BLA,BLF,BRAS,BRG,BRA,UBA (Research & Analysis) Report.exe". The lure is likely a reference to the Baloch Liberation Army (BLA), a militant separatist group, and other associated militant groups calling for the establishment of a new nation of Balochistan.  The use of such names in the lure is likely an attacker's effort to prompt interested recipients to click the attachment.

Another file, "NSC_Meeting_Minutes_Apr2025.lnk", may refer to a U.S. National Security Council meeting and purported notes taken, which would be of interest to individuals in the U.S. government or other individuals involved in intelligence, academics or journalism involving U.S. governmental affairs. As in the 'BLA' lure potentially targeting Pakistani officials, this lure may be geared toward a U.S. audience with a captive filename to entice the recipients to click the attachment.

A filename, “Invitation to the Inter-Agency Meeting for the 46th ASEAN Summit.exe”, may refer to an upcoming Association of Southeast Asian Nations (ASEAN) summit on May 26 and 27, 2025, in Malaysia.

The filename, “豐德電廠114年5月份現金需求表/114.04~114.06月現金需求表(114年度5月).exe”, may refer to Taiwan’s Fongde power plant’s payment invoice circa April/May 2015.

The last file, “英諾飛保密合約書-NDA-亞航 v英諾飛-AACLlegal1105.exe”, may refer to a supposed non-disclosure agreement between two Taiwanese aerospace firms related to unmanned aerial vehicle (UAV) and aircraft maintenance.

Pubload is a backdoor first described by Cisco Talos in 2022 as an unnamed stager. Note that X-Force identifies the loader for the shellcode as Claimloader and the first-stage shellcode downloader as Pubload, whereas TrendMicro reporting identifies both as Pubload. Claimloader has been used to load both Pubload and Toneshell. Team T5 tracks Pubload and Pubshell as NoFive.

The Pubload shellcode payload begins by XOR decrypting the rest of its shellcode using a 32-byte XOR key:

This self-decrypting routine was only added starting with the second of the four Claimloader samples above. After decryption, it goes on to resolve all its necessary APIs, obfuscated via the ROR13 algorithm. Next, it allocates new memory and sets up its main struct with a hardcoded C2 server address and encryption key, before initiating its main behavior.

Pubload's main loop begins by enumerating the following values:

• C drive's disk volume serial number, through GetVolumeInformationA. Obfuscated by adding 0x12345678, used as a victim ID
• The machine's tick count via GetTickCount
• The victim's computer name via GetComputerNameA
• The victim's username via GetUserNameA

These values are formatted as the first beacon payload:

The payload is encrypted using the hardcoded key in four consecutive XOR loops with different key offsets:

Similar to Toneshell, the encrypted payload is placed into a fake TLS Application Data packet:

The TCP packet is sent to its hardcoded C2 server at

In return Pubload expects a response parsed as

After successful decryption of the payload, the first byte is expected to be 0x06, while the rest of the data is parsed as the struct below to XOR decrypt the received shellcode payload:

Finally, Pubload adds the necessary PAGE_EXECUTE_READWRITE memory protection option and executes the shellcode, while providing the enumerated system info and the C2 server as arguments. 

The shellcode payload (Pubshell) immediately downloaded by Pubload displays several similarities with the Toneshell variant discussed above and has the same functionality—to create a reverse shell through pipes.

It begins with the usual setup procedure, resolving APIs, allocating memory and initializing its main struct and the same key as its parent Pubload sample. 

The first beacon is like Pubload's, except for the first byte of the payload (beacon code), which is 0x0B.

Again, the first byte of the decrypted response acts as a command code to determine the behavior of Pubshell:

Just like Toneshell, Pubshell sends back different response codes to its C2 server, depending on the result of a command. For instance, both the commands to create a new file (27) and write to that file (29) will return the code 42 upon success and 43 on failure. In addition, Pubshell also includes more detailed error message strings, such as:

Similar strings were also observed in other Toneshell variants.

The Pubshell implementation of the reverse shell via anonymous pipes is almost identical to Toneshell. However, instead of running a new thread to immediately return any results, Pubshell requires an additional command to return command results. It also only supports running "cmd.exe" as a shell.

In several ways, Pubload and Pubshell appear to be an independently developed "lite version" of Toneshell, with less sophistication and clear code overlaps.

In December 2024, X-Force observed additional Hive0154 activity targeting Taiwan with the Pubload backdoor. In March, X-Force engaged with a major manufacturing company to investigate a Pubload infection in Taiwan. In the incident, threat actors made use of the HIUPAN USB worm to spread Claimloader and Pubload through USB devices. The worm is likely used as a follow-on payload in initial Pubload infections to boost the number of infections and potentially reach networks that might be airgapped. The relationship of both malware variants was documented previously by Trend Micro. 

HIUPAN (aka U2DiskWatch) is a USB worm, whose main DLL "u2ec.dll" is sideloaded through a legitimate EXE "UsbConfig.exe" when a user unintentionally executes it from a USB device. The worm accomplishes the following tasks:

• Copies itself and its accompanying malware components to a directory on the victim's machine: C:\ProgramData\Intel\_\
• Establishes persistence via the registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• Modifies registry keys to ensure hidden files and extensions are not visible in Windows Explorer: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
• Executes the accompanying malware's main executable, and monitors the process to restart if necessary
• Monitors for new USB device connections. If found, HIUPAN copies itself and the accompanying malware components to the new drive in a hidden subdirectory "<Drive_Letter>:\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\" and hides any other existing files to ensure "UsbConfig.exe" is the only visible file on the device

HIUPAN uses a config file "$.ini" to store a sleep multiplier and the filenames of its components and the accompanying malware. This makes it extremely easy to configure the worm to spread any malware by simply exchanging payload files and the text-based config.

The configuration file observed in Taiwan-based infections spreading Claimloader and Pubload is displayed below:

HIUPAN is not the only USB worm employed by Hive0154. Several other frameworks and variants distributing malware, such as Toneshell and Pubshell, are still actively spreading and are regularly uploaded to VirusTotal.

The extensive operational scope of Hive0154 discussed in this blog becomes evident through their utilization of diverse tools, innovative techniques and a broad array of potential victims. China-aligned groups like Hive0154 will continue to refine their large malware arsenal and retain a focus on East Asia-based organizations in the private and public sectors. Their wide array of tooling, frequent development cycles and USB worm-based malware distribution highlights them as a sophisticated threat actor. Entities at risk of Hive0154 activity should remain at a heightened state of defensive security and remain vigilant with regard to the techniques mentioned in this report.

• Monitor and hunt in networks for TLS 1.2 Application Data packets (header: 17 03 03) without a previous TLS handshake as a sign of a Pubload or Toneshell beacon
• Monitor and hunt in networks for fake TLS 1.3 Application Data packets (header: 17 03 04), which are used by some Toneshell variants. Real TLS 1.3 packets are sent with legacy TLS 1.2 headers for backwards compatibility with proxies only accepting certain TLS versions.
• Monitor and hunt for USB drives containing suspicious executable names, DLLs and hidden directories which could indicate a device infected with a USB worm
• Monitor and hunt for suspicious and unknown directories in C:\ProgramData\ which contain a legitimate EXE vulnerable to DLL sideloading and a corresponding DLL
• Monitor and hunt for persistence techniques such as the registry's Run key and scheduled tasks
• Monitor any unusual network, persistence or file modification activity coming from seemingly benign process executables that sideload a malicious DLL