Air-Gap Breach Tactics – Mustang Panda Deploys SnakeDisk USB Worm and Toneshell Backdoor

IBM X-Force has uncovered advanced espionage operations by Hive0154, a China-aligned threat group also tracked as Mustang Panda, involving the deployment of a new USB-propagating malware dubbed SnakeDisk and an upgraded backdoor variant called Toneshell9.

The activities, observed throughout mid-2025, highlight the group’s continued refinement of malware ecosystems aimed at infiltrating hard-to-reach networks, particularly in Thailand and neighboring regions.

Toneshell9: Proxy-Evading Backdoor

In July 2025, researchers discovered Toneshell9, the latest evolution of Hive0154’s longstanding backdoor family. It was distributed via trojanized archives impersonating legitimate utilities, such as “USB Safely Remove.”

Unlike its predecessors, this variant embeds advanced evasion and communication features designed to bypass enterprise security controls.

When executed through DLL sideloading, Toneshell9 initializes data structures to build encrypted beacons masquerading as TLS 1.2 traffic.

Critically, it enumerates Windows registry hives (HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER, and HKEY_USERS) to extract locally configured proxy servers.

By leveraging these registered proxies, Toneshell9 blends seamlessly with legitimate enterprise traffic and circumvents strict egress filtering.

The malware supports up to two reverse shells in parallel, enabling operators to execute arbitrary commands through anonymous pipes to cmd.exe.

Communication with its command-and-control (C2) infrastructure, including IP 123.253.34[.]44 and domain slickvpn[.]com, is tunneled over proxy-encrypted connections, making detection more challenging.

At the time of discovery, the sample displayed zero detections on VirusTotal, underscoring its novelty.

SnakeDisk: USB Worm Targeting Thailand

In August 2025, X-Force identified SnakeDisk, a new USB worm overlapping with Hive0154’s older Tonedisk family. Designed for propagation across removable media, SnakeDisk activates only on systems with Thailand-based IP addresses, indicating country-specific targeting.

The worm scans for connected USB drives and creates hidden directories that hold both its weaponized executables and the user's original files, so the drive's contents do not appear to be missing. The malicious launcher is an executable named after the drive's volume label, tricking victims into running it.

Once triggered, SnakeDisk drops staged payloads, including a signed benign binary (acwebbrowser.exe) used to sideload the Yokai backdoor, previously tied to campaigns against Thai officials.

Yokai establishes persistence via scheduled tasks and opens a reverse shell through HTTP POST connections to its C2 server at 118.174.183[.]89.

This allows attackers to remotely execute commands, exfiltrate data, and maintain a foothold within targeted air-gapped or sensitive government networks.

The discovery of SnakeDisk aligns closely with escalating geopolitical tensions between Thailand and Cambodia during mid-2025, suggesting a deliberate attempt by Mustang Panda to exploit the instability for espionage purposes.

By developing USB-borne worms configured for geo-restricted execution, Hive0154 demonstrates an explicit focus on breaching air-gapped government systems, a hallmark of high-value espionage operations.

X-Force assesses with high confidence that Hive0154 will continue evolving custom malware frameworks like Toneshell, Pubload, and SnakeDisk.

Defenders are urged to monitor suspicious TLS-like traffic, USB devices containing hidden directories or executables, and signs of DLL sideloading in C:\ProgramData directories, which remain consistent tradecraft markers of Mustang Panda campaigns.
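As an added example (not code from the X-Force report), the following triage script covers the USB indicators described above and in the SnakeDisk section: it walks a removable drive's root, flags hidden directories that hold executables (and, as the worm does, the user's ordinary files alongside them), and flags a launcher whose file name matches the drive's volume label. The root path and volume label are supplied by the caller; on non-Windows hosts the hidden-directory check falls back to a dot-prefix so the sample layout runs anywhere.

```python
import tempfile
from pathlib import Path

# Windows FILE_ATTRIBUTE_HIDDEN; os.stat() exposes it as st_file_attributes on Windows only.
FILE_ATTRIBUTE_HIDDEN = 0x2
EXEC_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".lnk"}


def is_hidden(path):
    """Hidden via the filesystem attribute on Windows; dot-prefix fallback elsewhere."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN) or path.name.startswith(".")


def scan_removable_root(root, volume_label):
    """Return (finding, path) pairs for the USB tradecraft described in the article:
    a launcher named after the drive's volume label, and hidden directories that hold
    executables, optionally together with the user's relocated ordinary files."""
    root, label, findings = Path(root), volume_label.lower(), []
    for entry in sorted(root.iterdir()):
        if entry.is_file() and entry.suffix.lower() in EXEC_SUFFIXES and entry.stem.lower() == label:
            findings.append(("launcher_named_after_volume", str(entry)))
        elif entry.is_dir() and is_hidden(entry):
            files = [p for p in entry.rglob("*") if p.is_file()]
            execs = [p for p in files if p.suffix.lower() in EXEC_SUFFIXES]
            if execs:
                findings.append(("hidden_dir_with_executables", str(entry)))
                if len(execs) < len(files):
                    findings.append(("hidden_dir_stashes_user_files", str(entry)))
    return findings


def build_sample_drive():
    """Constructed sample layout (no real malware) mimicking the pattern: a hidden
    directory holding a payload plus the user's documents, and a root launcher named
    after the volume label. Returns the temporary root path."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    stash = root / ".stash"  # hidden by dot-prefix so the example runs on any host
    stash.mkdir()
    (stash / "payload.exe").write_bytes(b"MZ")
    (stash / "budget.xlsx").write_bytes(b"constructed")
    (root / "KINGSTON.exe").write_bytes(b"MZ")
    (root / "readme.txt").write_text("constructed sample")
    return root


if __name__ == "__main__":
    for finding, path in scan_removable_root(build_sample_drive(), "KINGSTON"):
        print(f"{finding}: {path}")
```

On a real drive, pass the mount point and the label returned by the host (for example from Get-Volume in PowerShell) instead of the constructed tree.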


The post Air-Gap Breach Tactics – Mustang Panda Deploys SnakeDisk USB Worm and Toneshell Backdoor appeared first on Cyber Security News.
