Mustang Panda Uses SnakeDisk USB Worm to Deliver Yokai Backdoor to Thailand-Based Targets
Summary of the discovery
IBM X-Force researchers Golo Mühr and Joshua Chung reported that the China-aligned threat actor known as Mustang Panda has deployed an updated TONESHELL backdoor alongside a previously undocumented USB worm called SnakeDisk. According to the analysis, the worm is configured to execute only on devices that have Thailand-based IP addresses and, when successful, drops the Yokai backdoor.
“The worm only executes on devices with Thailand-based IP addresses and drops the Yokai backdoor,” IBM X-Force researchers Golo Mühr and Joshua Chung said in an analysis published last week.
Background and context: why this matters
Removable-media-based malware remains a favored vector for targeted intrusions because it bypasses network perimeter controls and can establish a foothold in environments that are otherwise well defended. Nation-state-aligned groups in particular use tailored implants and delivery mechanisms to limit collateral impact and reduce detection signatures.
The combination reported by IBM — a previously undocumented USB worm that enforces a geographic execution check, paired with an updated remote access backdoor — underscores an operational emphasis on precision targeting. By triggering only when the host appears to be in Thailand, the operator reduces the chance of discovery by analysts elsewhere and increases the likelihood that the payload reaches intended victims.
Technical analysis and practitioner guidance
IBM’s public summary identifies three key elements that defenders and responders should prioritize:
- Use of a USB worm (SnakeDisk) as the initial delivery vector.
- Geolocation gating: execution is conditional on Thailand-based IP addresses.
- Deployment of a backdoor (Yokai) and an updated TONESHELL implant.
For security teams, this suggests a multi-layer response strategy — detection and containment at the endpoint and removable-media layer, network monitoring for early indicators, and rapid forensic analysis of suspected hosts.
Recommended investigative and defensive actions for practitioners:
- Forensic collection of removable media: When a suspected infection is reported, collect the USB device and create a forensically sound image for analysis. Look for autorun.inf, suspicious executable files, and newly created files with recent timestamps.
- Endpoint telemetry and EDR hunts: Query EDR/endpoint logs for ProcessCreate and file event chains initiated from removable media mounts. Look for child processes spawned from explorer.exe or from file locations commonly used by USB-delivered malware.
- Network and geolocation checks: Because SnakeDisk executes only when the host appears to have a Thailand-based IP address, record the host's public egress IP and geolocation, VPN connections, and any proxy activity during an investigation, since these determine whether the gate was satisfied. Be aware that such geofencing depends on the apparent egress address, so proxies and VPNs (including any under attacker control) can change the outcome, and an analysis host outside Thailand may never observe the payload run.
- Detecting Yokai and TONESHELL activity: Monitor for anomalous DNS resolutions, persistent outbound connections to uncommon endpoints, and the presence of unauthorized services or scheduled tasks. Ensure EDR rules flag known backdoor behaviors like process injection, registry persistence, and remote command execution patterns.
- Containment and remediation: Isolate infected hosts immediately, preserve volatile memory for analysis, and ensure removal includes eradication of persistence mechanisms. Reimage when uncertainty remains about lateral movement or deep compromise.
- Harden removable media policy: Enforce device control policies (whitelisting, read-only mounts, encryption), disable Windows Autorun/Autoplay, and educate users about the risks of unknown USB devices.
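The removable-media process-chain hunt recommended above, as an added example that is not from the IBM report or the original article: it correlates a USB mount event with later ProcessCreate events on the same host and then follows the resulting process tree through pid/ppid. The event shape (a record with ts, host, type, drive, bus, pid, ppid, image, parent_image) and every sample record are constructed for illustration; real EDR or Sysmon exports need a small field-mapping step first.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real IoCs): a USB mount on WS01, an executable
# launched from that drive, a child it spawns, and benign noise on both hosts.
SAMPLE_EVENTS = [
    {"ts": "2025-09-10T08:00:01", "type": "DeviceMount", "host": "WS01",
     "drive": "E:", "bus": "USB"},
    {"ts": "2025-09-10T08:00:30", "type": "ProcessCreate", "host": "WS01",
     "pid": 4120, "ppid": 3100, "image": "E:\\Photos\\viewer.exe",
     "parent_image": "C:\\Windows\\explorer.exe"},
    {"ts": "2025-09-10T08:00:45", "type": "ProcessCreate", "host": "WS01",
     "pid": 4188, "ppid": 4120, "image": "C:\\Windows\\System32\\cmd.exe",
     "parent_image": "E:\\Photos\\viewer.exe"},
    # D: on WS02 had no USB mount event, so it is not treated as removable.
    {"ts": "2025-09-10T08:05:00", "type": "ProcessCreate", "host": "WS02",
     "pid": 1200, "ppid": 900, "image": "D:\\setup.exe",
     "parent_image": "C:\\Windows\\explorer.exe"},
    {"ts": "2025-09-10T09:30:00", "type": "ProcessCreate", "host": "WS01",
     "pid": 5000, "ppid": 3100, "image": "C:\\Program Files\\Tool\\tool.exe",
     "parent_image": "C:\\Windows\\explorer.exe"},
]

def hunt_removable_chains(events, window=timedelta(minutes=30)):
    """Flag processes whose image path sits on a drive letter that was mounted
    from USB on the same host within `window`, then every descendant of a
    flagged process (followed through pid/ppid), whatever its image path."""
    mounts = {}      # (host, drive letter) -> time of the USB mount
    flagged = set()  # (host, pid) already attributed to a USB-launched chain
    findings = []
    for e in sorted(events, key=lambda ev: ev["ts"]):  # ISO timestamps sort lexically
        t = datetime.fromisoformat(e["ts"])
        if e["type"] == "DeviceMount" and e.get("bus") == "USB":
            mounts[(e["host"], e["drive"].upper())] = t
        elif e["type"] == "ProcessCreate":
            drive = e["image"][:2].upper()
            mounted_at = mounts.get((e["host"], drive))
            from_usb = mounted_at is not None and t - mounted_at <= window
            descendant = (e["host"], e["ppid"]) in flagged
            if from_usb or descendant:
                flagged.add((e["host"], e["pid"]))
                findings.append({
                    "host": e["host"], "pid": e["pid"], "image": e["image"],
                    "reason": (f"launched from USB-mounted drive {drive}" if from_usb
                               else "descendant of a USB-launched process"),
                })
    return findings
```

Feed it exported process-creation events plus whatever mount or device-arrival event your platform records; the 30-minute window and the descendant rule are the tuning knobs, and a mount event is required so that a fixed disk with the same drive letter is not misattributed.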
Comparable cases and broader trends
USB-borne attacks are not new: high-profile cases such as Stuxnet demonstrated the potential for removable media to bridge air gaps and infect highly controlled environments. More broadly, targeted operators have repeatedly used tailored delivery mechanisms — including spearphishing, watering-hole sites, and USB devices — to limit detection and maximize success against specific geographic or organizational targets.
Recent years have also shown an increase in modular backdoors and customized implants that enable longer-term access and data exfiltration. The deployment pattern described by IBM — pairing an initial worm with a persistent backdoor — fits a well-documented playbook used by sophisticated actors to establish, expand and maintain access.
Potential risks and implications
The immediate operational implications of this campaign include:
- Targeted compromise of systems within Thailand: The geofencing behavior suggests the actor’s objective is focused on Thailand-based entities, increasing risk for government, defense, critical infrastructure and high-value private-sector targets in that country.
- Low-noise persistence: By restricting execution to a specific geography, the worm reduces accidental infections elsewhere and limits the pool of potential analysts who might detect and publicize the tool, allowing longer dwell time.
- Lateral movement and data access: Once a backdoor like Yokai is installed, operators can perform reconnaissance, credential harvesting, lateral movement and data exfiltration. The presence of an updated TONESHELL implant suggests continued capability development by the actor.
- Supply-chain and air-gapped risk: USB worms can be especially effective where hosts are isolated from the internet or where removable media transfers are routine (field devices, classified networks, removable backups).
Actionable recommendations
Organizations — particularly those with operations in Thailand or with workflows that rely on removable media — should adopt a layered defensive posture:
- Policy and endpoint controls
  - Disable Autorun/Autoplay and enforce Group Policy settings to restrict execution from removable media.
  - Implement device control/USB whitelisting solutions to limit which USB devices can be mounted and what file types can be executed.
  - Limit local administrative rights and use application allow-lists to prevent unauthorized executables from running.
- Detection and monitoring
  - Instrument endpoints with EDR and configure hunts for suspicious removable-media-initiated behaviors (process chains originating from removable disks, unexpected DLL loads, and persistence artifacts).
  - Monitor network telemetry for anomalous outbound connections, unusual DNS queries, and beacon-like behaviors consistent with backdoor C2 communications.
- Incident response and readiness
  - Develop and rehearse playbooks for removable-media incidents that include media seizure, imaging, memory capture and containment procedures.
  - Share indicators and telemetry with national CERTs, industry ISACs and trusted intelligence providers. Consult vendor and public analyses (for example, the IBM X-Force write-up referenced here) for technical indicators and YARA signatures where available.
- Human factors and supply-chain hygiene
  - Train staff to treat unlabelled or unexpected USB devices as potential threats; discourage use of personal or unvetted removable media.
  - Inspect and control USB usage in sensitive environments, including field offices and third-party contractors who may move devices between networks.
Conclusion
The IBM X-Force disclosure about Mustang Panda’s use of a previously undocumented USB worm, SnakeDisk, to deliver the Yokai backdoor — combined with an updated TONESHELL implant — highlights a targeted, low-noise approach that leverages removable media and geolocation checks to constrain execution to Thailand-based hosts. Defenders should prioritize removable-media controls, endpoint and network monitoring, rapid forensic capabilities, and user education to reduce exposure. Organizations operating in or with ties to Thailand should consider heightened vigilance and collaborate with trusted threat-intelligence sources to obtain technical indicators and mitigation guidance.
Source: thehackernews.com