Ethical Hacking News
Mustang Panda has been linked to a series of sophisticated malware attacks targeting Thailand-based IPs, using updated backdoors and USB worms to deliver malicious payloads via spear-phishing emails.
The attack has been attributed to the China-aligned threat actor Mustang Panda. The attackers used an updated version of the TONESHELL backdoor and a previously undocumented USB worm, SnakeDisk. The malicious payloads were primarily delivered via spear-phishing emails. SnakeDisk was geofenced to execute only on public IP addresses in Thailand. The use of SnakeDisk and Yokai suggests a refined threat actor arsenal with frequent development cycles. The deployment of these payloads highlights the importance of robust email security measures. The attackers used locally configured proxy servers to run two active reverse shells in parallel.
The Hacker News (THN) has recently reported on a sophisticated malware attack attributed to the China-aligned threat actor known as Mustang Panda. According to the report, the threat actor has been using an updated version of a backdoor called TONESHELL and a previously undocumented USB worm called SnakeDisk. The malicious payloads were primarily delivered via spear-phishing emails, which dropped malware families such as PUBLOAD or TONESHELL.
IBM X-Force researchers Golo Mühr and Joshua Chung conducted an in-depth analysis of the threat actor's tactics, techniques, and procedures (TTPs). They observed that the worm only executed on devices with Thailand-based IP addresses and dropped the Yokai backdoor. They also noted SnakeDisk's propagation mechanism: it moves the existing files on the USB drive into a new sub-directory, tricking the victim into clicking the malicious payload when the drive is plugged into a new machine.
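The file-relocation trick described above can be turned into a simple triage check for removable media. The following Python script is an added example, not code from the report or from IBM X-Force: it looks for the layout the report describes (executables left at the root of the volume while the user's original files have been moved into a new sub-directory) and flags it. The file-type list, the three-file threshold and the sample directory layouts, including the file name Documents.exe, are constructed assumptions for the demonstration, not indicators taken from the actual malware.

```python
import tempfile
from pathlib import Path

# File types a user would have to double-click to run (constructed list,
# not taken from the report).
EXECUTABLE_SUFFIXES = {".exe", ".lnk", ".scr", ".com", ".bat", ".cmd", ".pif"}
# Minimum number of relocated user files before a sub-directory counts as a
# "moved files" stash (constructed threshold).
MIN_MOVED_FILES = 3


def scan_removable_root(root):
    """Inspect the root of a removable volume for the layout the report
    describes: executables at the root while the user's original files sit
    in a sub-directory. Returns a verdict dictionary."""
    root = Path(root)
    entries = list(root.iterdir())
    root_files = [p for p in entries if p.is_file()]
    root_execs = [p for p in root_files if p.suffix.lower() in EXECUTABLE_SUFFIXES]
    root_docs = [p for p in root_files if p.suffix.lower() not in EXECUTABLE_SUFFIXES]

    stashes = []
    for sub in (p for p in entries if p.is_dir()):
        moved = [q for q in sub.iterdir()
                 if q.is_file() and q.suffix.lower() not in EXECUTABLE_SUFFIXES]
        if len(moved) >= MIN_MOVED_FILES:
            stashes.append((sub.name, len(moved)))

    # All three conditions must hold: executables at the root, no ordinary
    # documents left beside them, and a sub-directory holding the documents.
    suspicious = bool(root_execs) and not root_docs and bool(stashes)
    return {
        "suspicious": suspicious,
        "root_executables": sorted(p.name for p in root_execs),
        "stashes": sorted(stashes),
    }


def build_sample_volume(base, layout):
    """Create a constructed directory tree under base. layout maps relative
    paths to file contents; parent directories are created as needed."""
    base = Path(base)
    for rel, content in layout.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return base


def scan_constructed(layout):
    """Build a layout in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_removable_root(build_sample_volume(tmp, layout))


# Constructed sample layouts; every file name here is invented.
BENIGN_LAYOUT = {
    "budget.xlsx": b"benign",
    "notes.txt": b"benign",
    "photos/holiday.jpg": b"benign",
}
WORM_STYLE_LAYOUT = {
    "Documents.exe": b"MZ-placeholder",       # lure executable at the root
    "Documents/budget.xlsx": b"moved",        # user's files relocated below it
    "Documents/notes.txt": b"moved",
    "Documents/report.docx": b"moved",
}

if __name__ == "__main__":
    for name, layout in (("benign", BENIGN_LAYOUT), ("worm-style", WORM_STYLE_LAYOUT)):
        print(name, scan_constructed(layout))
```

Run the script against a mounted USB root with scan_removable_root("E:\\") or scan_removable_root("/media/usb") to apply the same heuristic to a real drive; a hit is a reason to image the drive and look at the root executable, not proof of infection on its own.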
One notable aspect of the malware is that it's geofenced to execute only on public IP addresses geolocated to Thailand. The researchers found overlaps between SnakeDisk and TONEDISK (aka WispRider), another USB worm framework under the TONESHELL family. This suggests that the threat actor may have a sub-group within Mustang Panda that is hyper-focused on Thailand.
The analysis also revealed that the use of SnakeDisk and Yokai likely points to a refined and evolved threat actor arsenal. IBM X-Force noted that Hive0154 (its designation for Mustang Panda) remains a highly capable threat actor with multiple active subclusters and frequent development cycles. The group appears to maintain a considerably large malware ecosystem with frequent overlaps in malicious code, attack techniques and targeting.
The deployment of SnakeDisk and Yokai also underscores the continued evolution of the threat actor's tactics, with a focus on targets in Southeast Asia. The fact that these payloads were primarily delivered via spear-phishing emails highlights the importance of robust email security measures to prevent such attacks.
Furthermore, the use of locally configured proxy servers by TONESHELL variants to facilitate two active reverse shells in parallel is a significant finding. This technique allows the malware to blend in with enterprise network traffic and evade static detection methods. The incorporation of junk code copied from OpenAI's ChatGPT website within the malware's functions also serves as an evasion mechanism, making it more challenging for security analysts to detect.
In conclusion, the recent attack attributed to Mustang Panda highlights the sophisticated nature of modern malware threats. As threat actors continue to evolve and refine their tactics, it is essential for organizations to stay vigilant and implement robust security measures to prevent such attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Rise-of-Mustang-Panda-Unpacking-the-Sophisticated-Malware-Attacks-on-Thailand-Based-IPs-ehn.shtml
https://thehackernews.com/2025/09/mustang-panda-deploys-snakedisk-usb.html
Published: Mon Sep 15 14:25:36 2025 by llama3.2 3B Q4_K_M