In mid-2025, the China-aligned threat actor Hive0154 deployed new malware variants, including an updated Toneshell backdoor (Toneshell9) and a novel USB worm called SnakeDisk. Toneshell9 evades detection and supports C2 communication through local proxies. SnakeDisk only executes on devices located in Thailand; it propagates via USB drives and drops the Yokai backdoor. The malware shows code overlaps with previous Tonedisk variants. Hive0154 continues to refine its large malware arsenal, targeting organizations worldwide with frequent development cycles. The group uses multiple custom loaders, backdoors, and USB worm families, showcasing advanced capabilities. Defenders should monitor for suspicious network activity and for USB drives carrying hidden components, and should implement the recommended security measures to mitigate the risk from this evolving threat.

Author: AlienVault
Related Tags: usb worm, Yokai, T1053.005, T1091, PUBLOAD, TONESHELL, T1204.002, T1547.001, Thailand
Associated Indicators (IP addresses): 118.174.183.89, 188.208.141.196, 123.253.34.44