IBM X-Force has published new findings on Hive0154, a China-aligned threat actor also tracked under names such as Mustang Panda, Stately Taurus, and Camaro Dragon. The group has been active for years, leveraging a vast arsenal of custom loaders, backdoors, and USB-propagating malware.
According to the researchers, “Hive0154 is a well-established China-aligned threat actor with a large malware arsenal, consistent techniques, and well-documented activity over the past several years.”
A key discovery is Toneshell9, an upgraded variant of the long-running Toneshell malware family. This new version was embedded in trojanized archives masquerading as “USB Safely Remove” software. At the time of analysis, IBM X-Force noted that “it does not have any detections on VirusTotal.”
Toneshell9 introduces several significant features:
- Proxy-Aware C2 Communication – The malware reads the proxy server settings stored in the Windows registry and routes its command-and-control traffic through whatever proxy the host is already configured to use, so the beacons appear as ordinary web sessions from a managed machine rather than as direct outbound connections.
- Stealth Enhancements – Researchers observed junk code routines that mimic normal behavior, such as “retrieving the current number of CPU ticks, storing the result as a string and deallocating it again.”
- Dual Reverse Shells – It supports two reverse shells at once, giving operators a second command-execution channel alongside the first.
Because it reuses the proxy the host is already trusted to talk to, Toneshell9 passes through egress controls that only permit web traffic via the corporate proxy; the control is not bypassed so much as satisfied. As X-Force explained, “By using a proxy already configured on an infected device, Toneshell can effectively blend in with other network traffic.” For defenders, the practical consequence is that the proxy's own logs become the main network vantage point for this family, and that host-side telemetry on processes reading the proxy settings in the registry is worth correlating with those logs.
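To reason about which proxy a beacon from a given host would traverse (and therefore which proxy logs to pull), an analyst needs to interpret the proxy settings the malware reads. The following is an added example, not code from the IBM X-Force report or from Toneshell itself: it parses the WinINET per-user values (ProxyEnable, ProxyServer and ProxyOverride under the Internet Settings key) in the documented formats and resolves the route a URL would take. The registry values and URLs in the demo are constructed for this example; the report does not state which C2 hosts or proxies were observed.

```python
"""Resolve how a WinINET-style proxy configuration would route a given URL.

Added example (not code from the IBM X-Force report or from Toneshell).
It interprets the per-user Internet Settings values that a proxy-aware
implant reads:
  ProxyEnable   (DWORD)  1 = use the configured proxy
  ProxyServer   (REG_SZ) "host:port" for all protocols, or
                         "http=host:port;https=host:port;ftp=...;socks=..."
  ProxyOverride (REG_SZ) ";"-separated host patterns that bypass the proxy;
                         the literal "<local>" bypasses dotless hostnames.
All sample values below are constructed for the example.
"""
from __future__ import annotations

import fnmatch
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class ProxyConfig:
    enabled: bool
    # protocol -> "host:port"; the key "*" means one proxy for every protocol
    servers: dict[str, str] = field(default_factory=dict)
    bypass: list[str] = field(default_factory=list)   # lower-cased wildcard patterns
    bypass_local: bool = False                         # "<local>" present


def parse_proxy_config(proxy_enable: int, proxy_server: str, proxy_override: str) -> ProxyConfig:
    """Parse the three registry values into a ProxyConfig."""
    cfg = ProxyConfig(enabled=bool(proxy_enable))
    for entry in filter(None, (e.strip() for e in proxy_server.split(";"))):
        if "=" in entry:
            proto, _, hostport = entry.partition("=")
            cfg.servers[proto.strip().lower()] = hostport.strip()
        else:
            cfg.servers["*"] = entry
    for pat in filter(None, (p.strip() for p in proxy_override.split(";"))):
        if pat.lower() == "<local>":
            cfg.bypass_local = True
        else:
            cfg.bypass.append(pat.lower())
    return cfg


def _is_bypassed(cfg: ProxyConfig, host: str) -> bool:
    host = host.lower()
    if cfg.bypass_local and "." not in host:
        return True
    return any(fnmatch.fnmatchcase(host, pat) for pat in cfg.bypass)


def route_for(cfg: ProxyConfig, url: str) -> str | None:
    """Return the 'host:port' proxy a connection to url would traverse, or None for direct.

    A protocol with no matching entry and no catch-all entry goes direct.
    """
    parts = urlsplit(url)
    if not cfg.enabled or not parts.hostname:
        return None
    if _is_bypassed(cfg, parts.hostname):
        return None
    return cfg.servers.get(parts.scheme.lower()) or cfg.servers.get("*") or None


# Constructed sample values, as an analyst might export them from a host.
SAMPLE_PROXY_ENABLE = 1
SAMPLE_PROXY_SERVER = "http=proxy.corp.example:8080;https=proxy.corp.example:8443"
SAMPLE_PROXY_OVERRIDE = "*.corp.example;10.*;<local>"


def demo() -> dict[str, str | None]:
    """Resolve a handful of constructed destinations against the sample config."""
    cfg = parse_proxy_config(SAMPLE_PROXY_ENABLE, SAMPLE_PROXY_SERVER, SAMPLE_PROXY_OVERRIDE)
    urls = [
        "https://example.net/update",   # external host: goes via the https proxy
        "http://intranet/portal",       # dotless name: "<local>" bypass, direct
        "http://files.corp.example/x",  # matches *.corp.example: direct
        "http://10.1.2.3/",             # matches 10.*: direct
        "ftp://example.net/",           # no ftp entry, no catch-all: direct
    ]
    return {u: route_for(cfg, u) for u in urls}


if __name__ == "__main__":
    for url, via in demo().items():
        print(f"{url:32s} -> {via or 'DIRECT'}")
```

The point of the resolver is operational: a beacon to an external C2 from a host with this configuration would show up in the logs of `proxy.corp.example:8443`, not at the firewall, while a destination that matches the bypass list would leave the host directly and would only be visible to whatever sits on the direct egress path.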
In mid-August 2025, X-Force also uncovered SnakeDisk, a novel USB worm. Unlike many worm families that spread indiscriminately, SnakeDisk is geographically targeted:
“The worm only executes on devices located in Thailand, based on their IP address.”
SnakeDisk propagates by detecting newly inserted and already attached USB drives, moving the user's files into hidden directories, and leaving malicious launchers in their place under the same familiar filenames, so that a victim opening what looks like their own document runs the worm. Its ultimate payload is the Yokai backdoor, previously tied to campaigns against Thai officials in December 2024.
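The hide-and-replace pattern described above leaves a recognisable trace on the drive: a hidden directory full of user files next to root-level launchers that borrow those files' names. The following triage script is an added example, not code from the IBM X-Force report; the report does not state which launcher file types or directory names SnakeDisk uses, so the suffix list and the name-matching rule here are this example's own heuristics, and the drive layout it scans is constructed in a temporary directory.

```python
"""Triage a removable drive for the hide-and-replace decoy pattern.

Added example, not code from the IBM X-Force report. The launcher suffix
list and the matching rule are heuristics chosen for this example, not
indicators taken from the report. The sample drive is constructed below.
"""
from __future__ import annotations

import stat
import tempfile
from pathlib import Path

# File types that can act as a click-to-run launcher. Heuristic, not from the report.
LAUNCHER_SUFFIXES = {".exe", ".lnk", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def is_hidden(path: Path) -> bool:
    """Hidden by a leading dot (POSIX convention) or by the Windows hidden attribute."""
    if path.name.startswith("."):
        return True
    attrs = getattr(path.stat(), "st_file_attributes", 0)   # present on Windows only
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def find_decoy_launchers(drive_root: Path) -> list[tuple[Path, Path]]:
    """Return (launcher, hidden_original) pairs found at the root of drive_root.

    A launcher is a root-level file with a suffix in LAUNCHER_SUFFIXES whose
    name, minus that suffix, equals either the full name of a file inside a
    hidden directory ('Report.docx.lnk' beside '.x/Report.docx') or that
    file's name without its own extension ('Report.exe' beside '.x/Report.docx').
    """
    hidden_files: dict[str, Path] = {}
    for entry in drive_root.iterdir():
        if entry.is_dir() and is_hidden(entry):
            for f in entry.rglob("*"):
                if f.is_file():
                    hidden_files.setdefault(f.name.lower(), f)

    findings: list[tuple[Path, Path]] = []
    for entry in drive_root.iterdir():
        if not entry.is_file() or entry.suffix.lower() not in LAUNCHER_SUFFIXES:
            continue
        stem = entry.name[: -len(entry.suffix)].lower()
        original = hidden_files.get(stem)
        if original is None:
            original = next((p for n, p in hidden_files.items() if n.rsplit(".", 1)[0] == stem), None)
        if original is not None:
            findings.append((entry, original))
    return sorted(findings)


def build_sample_drive(root: Path) -> None:
    """Constructed layout: two user files moved into a hidden directory, two decoy
    launchers at the root, and benign items that must not be flagged."""
    hidden = root / ".recycle"
    hidden.mkdir()
    (hidden / "Budget 2025.xlsx").write_bytes(b"original spreadsheet")
    (hidden / "Vacation.jpg").write_bytes(b"original photo")
    (root / "Budget 2025.xlsx.lnk").write_bytes(b"launcher")   # shortcut with doubled extension
    (root / "Vacation.exe").write_bytes(b"launcher")           # original extension dropped
    (root / "Notes.txt").write_bytes(b"benign")                 # ordinary file, not a launcher
    (root / "setup.exe").write_bytes(b"benign installer")      # executable with no hidden twin


def demo() -> list[tuple[str, str]]:
    """Build the sample drive in a temp dir and return (launcher, original) names."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_drive(root)
        return [(l.name, o.relative_to(root).as_posix()) for l, o in find_decoy_launchers(root)]


if __name__ == "__main__":
    for launcher, original in demo():
        print(f"suspect launcher {launcher!r} shadows hidden file {original!r}")
```

Run against a mounted drive by calling `find_decoy_launchers(Path("E:/"))` (or the equivalent mount point); a hit is a reason to image the drive before anyone opens the launchers, since each one is the user's expected way into their own file.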
The timing appears significant, given regional instability. The report highlights that “recent geopolitical events may have provided impetus for Hive0154 to conduct operations against Thailand.”
Yokai, dropped by SnakeDisk, establishes persistence through scheduled tasks and sets up reverse shells for command execution. X-Force observed that “Yokai shows overlaps with other backdoor families attributed to Hive0154, such as Pubload/Pubshell and Toneshell,” suggesting a shared development lineage across the group’s toolset.
The discovery of SnakeDisk coincided with heightened tensions between Thailand and Cambodia, including border skirmishes, political fallout, and allegations of assassination plots. Analysts believe the selective targeting of Thai machines hints at attempts to reach air-gapped government networks through infected USB media, the one path a network-isolated system still shares with the outside world.
The IBM X-Force assessment is clear: “Hive0154 remains a highly capable threat actor with multiple active subclusters and frequent development cycles… The malware discussed in the report above is likely still in early development, allowing defenders to adopt detection mechanisms before their widespread use.”