China-linked Mustang Panda deploys advanced SnakeDisk USB worm
The China-linked Advanced Persistent Threat (APT) group known as Mustang Panda has been spotted using a new, highly sophisticated USB worm called SnakeDisk in recent attacks. This new variant is part of the APT group's ongoing efforts to expand its malware arsenal and target public and private organizations worldwide.
Mustang Panda has been active since at least 2012, targeting American and European entities such as government organizations, think tanks, NGOs, and even Catholic organizations at the Vatican. Past campaigns were focused on Asian countries, including Taiwan, Hong Kong, Mongolia, Tibet, and Myanmar. However, in recent months, the group has shifted its focus to Southeast Asia, particularly Thailand.
In February 2024, Trend Micro researchers observed the group targeting Asian countries, including Taiwan, Vietnam, and Malaysia. In April 2025, Mustang Panda deployed a new custom backdoor, named MQsTTang, in attacks targeting Europe, Asia, and Australia. These attacks demonstrate the group's continued efforts to evolve its tactics, techniques, and procedures (TTPs).
The SnakeDisk USB worm: A new level of sophistication
SnakeDisk is a highly advanced USB worm that was first observed in mid-2025. This malware targets devices located in Thailand, based on their public IP address, and distributes the Yokai backdoor, which opens a reverse shell for attackers.
The SnakeDisk worm uses local proxies to hide inside enterprise traffic and runs two reverse shells at once. It scans drive letters to find hotplug USB devices and checks for previous infections before updating its payloads. The worm also moves all of the USB drive's files into a hidden folder, making users more likely to click on the newly dropped malicious executable in their place.
The Yokai backdoor that SnakeDisk drops is similar to other backdoor families used by Hive0154 (IBM X-Force's designation for Mustang Panda), such as Toneshell and Pubload. It establishes persistence via a scheduled task for non-admin users and connects to a hardcoded command-and-control (C2) server via POST requests, sending encrypted data.
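The file-hiding behaviour described above leaves a recognisable layout on an infected removable drive: the user's files are gone from the root and sit under a hidden folder, while a new executable appears at the root in their place. The following heuristic check, written as an added example for this article (it is not code from the X-Force report or from the malware), inspects a mounted drive for exactly that combination. The folder name, file names and the lure executable name in the constructed sample are assumptions; the report does not publish them. On Windows the check also honours the hidden file attribute; elsewhere it falls back to dot-prefixed names.

```python
"""Heuristic check for the "files moved into a hidden folder plus a new root
executable" pattern described in the article. Added example, not the report's code."""
import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

FILE_ATTRIBUTE_HIDDEN = 0x2          # Windows attribute bit; used only where os.stat exposes it
EXEC_SUFFIXES = {".exe", ".scr", ".com", ".bat", ".cmd", ".lnk"}
HIDDEN_SHARE_THRESHOLD = 0.5         # "most of the drive's files are hidden" (assumed threshold)


def is_hidden(path: Path) -> bool:
    """Hidden if dot-prefixed, or if the Windows hidden attribute is set (when available)."""
    if path.name.startswith("."):
        return True
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN)


@dataclass
class Finding:
    suspicious: bool = False
    root_executables: list = field(default_factory=list)   # executables at the drive root
    hidden_dirs: list = field(default_factory=list)        # hidden top-level folders
    hidden_file_fraction: float = 0.0                      # share of all files under hidden entries
    reasons: list = field(default_factory=list)


def inspect_drive(root) -> Finding:
    """Walk a removable drive's root and score the SnakeDisk-style layout."""
    root = Path(root)
    f = Finding()
    visible, hidden = [], []
    for entry in sorted(root.iterdir()):
        files_below = [p for p in entry.rglob("*") if p.is_file()] if entry.is_dir() else [entry]
        if is_hidden(entry):
            hidden.extend(files_below)
            if entry.is_dir():
                f.hidden_dirs.append(entry.name)
        else:
            visible.extend(files_below)
            if entry.is_file() and entry.suffix.lower() in EXEC_SUFFIXES:
                f.root_executables.append(entry.name)
    total = len(visible) + len(hidden)
    f.hidden_file_fraction = len(hidden) / total if total else 0.0

    # Only the combination is interesting: a lone hidden folder or a lone .exe is common and benign.
    if f.root_executables and f.hidden_dirs and f.hidden_file_fraction >= HIDDEN_SHARE_THRESHOLD:
        f.suspicious = True
        f.reasons.append(
            f"{len(hidden)} of {total} files sit under hidden folder(s) {f.hidden_dirs} "
            f"while executable(s) {f.root_executables} were placed at the drive root"
        )
    return f


def build_constructed_drive(path, infected: bool) -> None:
    """Create a constructed sample drive layout; names here are assumptions for the demo."""
    root = Path(path)
    docs = ["report.docx", "budget.xlsx", "photo.jpg"]
    if infected:
        store = root / ".store"                  # assumed hidden folder name, not from the report
        store.mkdir()
        for name in docs:
            (store / name).write_bytes(b"constructed content")
        (root / "Removable Disk.exe").write_bytes(b"MZ constructed lure")  # assumed lure name
    else:
        for name in docs:
            (root / name).write_bytes(b"constructed content")


def run_demo() -> dict:
    """Inspect one infected-style and one clean constructed drive; returns both findings."""
    results = {}
    for label, infected in (("infected", True), ("clean", False)):
        d = tempfile.mkdtemp(prefix=f"usb_{label}_")
        build_constructed_drive(d, infected)
        results[label] = inspect_drive(d)
    return results


if __name__ == "__main__":
    for label, finding in run_demo().items():
        print(label, "suspicious" if finding.suspicious else "clean", finding.reasons)
```

To use it against a real mounted drive, call `inspect_drive("E:\\")` (or the mount point) from a removable-media monitoring job; the `reasons` list gives the analyst the concrete evidence behind a hit, and the threshold can be tightened for drives that legitimately carry hidden metadata folders.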
The motivations behind SnakeDisk
Researchers believe that the deployment of SnakeDisk was motivated by recent geopolitical tensions involving Thailand. In mid-2025, border clashes erupted between Thailand and Cambodia, escalating with artillery, airstrikes, and naval fire. A leaked call toppled Thailand's PM, and tensions peaked with Cambodia accusing Thailand of plotting an assassination.
With China backing Cambodia, Hive0154 likely exploited the crisis to deploy SnakeDisk and target Thai government networks. This attack demonstrates the group's ability to adapt its tactics in response to changing geopolitical circumstances.
The implications for defenders
The researchers point out that Hive0154's subclusters commonly reuse and share code across their worm and backdoor families, which makes it challenging for defenders to attribute and respond to these threats on a per-family basis.
"Hive0154 remains a highly capable threat actor with multiple active subclusters and frequent development cycles," concludes the report. "X-Force assesses with high confidence that China-aligned groups like Hive0154 will continue to refine their large malware arsenal and target public and private organizations worldwide."
The researchers also note that the malware discussed in the report is likely still in early development, which gives defenders a window to adopt detection mechanisms before its widespread use.