Updated Toneshell backdoor and novel SnakeDisk USB worm dropped
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
In mid-2025, China-aligned threat actor Hive0154 deployed new malware variants, including an updated Toneshell backdoor and a novel USB worm called SnakeDisk. Toneshell9 evades detection and supports C2 communication through local proxies. SnakeDisk only executes on devices in Thailand, propagating via USB drives and dropping the Yokai backdoor. The malware shows code overlaps with previous Tonedisk variants. Hive0154 continues to refine its large malware arsenal, targeting organizations worldwide with frequent development cycles. The group uses multiple custom loaders, backdoors, and USB worm families, showcasing advanced capabilities. Defenders should monitor for suspicious network activity and for USB drives carrying hidden components, and should implement the recommended security measures to mitigate risks from this evolving threat.
OPENCTI LABELS :
china,pubload,backdoor,toneshell,espionage,yokai,thailand,usb worm,snakedisk
AI COMMENTARY :
1. The rise of China-aligned threat actor Hive0154 has taken a new turn in mid-2025 with the unveiling of an updated Toneshell backdoor and a novel USB worm named SnakeDisk. This development underscores the group’s commitment to expanding its arsenal and refining its malware for espionage operations. Hive0154’s focus on delivering bespoke malware variants highlights an ongoing campaign that spans regions and industries, revealing a sophisticated adversary intent on evading standard security measures.
2. The revamped Toneshell backdoor, now dubbed Toneshell9, demonstrates enhanced evasion techniques designed to slip past traditional detection engines. By leveraging local network proxies for command-and-control communication, the malware masks its traffic as benign internal activity. Victim environments infected with Toneshell9 may show minimal signs of compromise, making it all the more dangerous for organizations that rely solely on signature-based defenses.
3. In parallel with the updated backdoor, Hive0154 deployed SnakeDisk, a USB-based worm that activates exclusively on machines located in Thailand. SnakeDisk propagates by copying itself onto removable drives and then silently installs the Yokai backdoor on any vulnerable host. This targeted approach suggests a specific espionage objective in the region, leveraging physical media to breach air-gapped or heavily segmented networks where online delivery methods would fail.
4. Analysis reveals that both Toneshell9 and SnakeDisk share code overlaps with earlier Tonedisk variants, indicating a lineage of continuous development and refinement. Hive0154 engineers frequently repurpose and evolve existing code, enabling rapid iteration of custom loaders, backdoors, and worm components. This modular development cycle allows the group to tailor malware for diverse operational requirements, maintaining pressure on defenders across multiple fronts.
5. Hive0154’s global targeting strategy has escalated alongside its technical advances. Organizations in key sectors worldwide have reported suspicious activity linked to this group, including unauthorized proxy traffic, hidden USB payloads, and anomalous process execution. The combination of remote and physical attack vectors illustrates the adversary’s willingness to exploit every available channel for espionage, data theft, and persistent access.
6. To mitigate the threat posed by Hive0154’s evolving toolkit, defenders should maintain vigilant network monitoring for proxy-like communications and implement strict policies governing the use of removable media. Endpoint protection must be complemented by behavioral analytics capable of identifying stealthy backdoor activity. Regularly updating detection rules to include IoCs related to Toneshell and SnakeDisk, conducting USB device audits, and enforcing strong access controls will help organizations stay ahead of this agile and dangerous adversary.
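The USB device audit recommended above can be partly automated. The script below is an added example written for this summary, not code from the report or from any vendor tool: it walks the root of a mounted removable drive and reports hidden directories, executables placed inside hidden locations, and shortcut files at the root that share a name with a folder (a generic decoy heuristic assumed for this example, not a SnakeDisk-specific indicator). The executable-extension list and the sample drive layout are constructed assumptions; the sample contains placeholder bytes only.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path
from typing import List, Tuple

# Extensions treated as executable payload candidates (assumption for this example).
EXEC_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".ps1"}


def is_hidden(path: Path) -> bool:
    """Hidden via the Windows HIDDEN file attribute, or via a leading dot on POSIX."""
    st = path.lstat()
    attrs = getattr(st, "st_file_attributes", 0)  # present only on Windows
    if attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0):
        return True
    return path.name.startswith(".")


def audit_removable_root(root: Path) -> List[Tuple[str, str]]:
    """Walk a mounted removable drive and report hidden components.

    Returns sorted (finding_kind, path_relative_to_root) tuples so that
    repeated audits of the same drive produce stable, comparable output.
    """
    root = Path(root)
    findings: List[Tuple[str, str]] = []
    root_dir_names = set()   # every directory name directly under the root
    root_shortcuts = []      # .lnk files directly under the root

    for dirpath, dirnames, filenames in os.walk(root):
        cur = Path(dirpath)
        # Are we anywhere below a hidden directory? Check each ancestor under root.
        rel_parts = cur.relative_to(root).parts
        ancestors = [root.joinpath(*rel_parts[: i + 1]) for i in range(len(rel_parts))]
        inside_hidden = any(is_hidden(a) for a in ancestors)

        for name in dirnames:
            d = cur / name
            if cur == root:
                root_dir_names.add(name)
            if is_hidden(d):
                findings.append(("hidden_dir", d.relative_to(root).as_posix()))

        for name in filenames:
            f = cur / name
            rel = f.relative_to(root).as_posix()
            if is_hidden(f):
                findings.append(("hidden_file", rel))
            if f.suffix.lower() in EXEC_SUFFIXES and (inside_hidden or is_hidden(f)):
                findings.append(("executable_in_hidden_location", rel))
            if cur == root and f.suffix.lower() == ".lnk":
                root_shortcuts.append(f)

    # A shortcut named like a folder at the drive root is a classic decoy pattern.
    for lnk in root_shortcuts:
        if lnk.stem in root_dir_names:
            findings.append(("shortcut_shadows_folder", lnk.name))

    return sorted(findings)


def build_sample_drive() -> Path:
    """Constructed sample tree resembling a drive with hidden components.

    Placeholder bytes only; nothing here is real malware.
    """
    root = Path(tempfile.mkdtemp(prefix="usb_audit_"))
    (root / "Photos").mkdir()
    (root / "Photos" / "beach.jpg").write_bytes(b"\xff\xd8\xff")
    (root / "Photos.lnk").write_bytes(b"L\x00\x00\x00")  # placeholder shortcut header
    hidden = root / ".cache"
    hidden.mkdir()
    (hidden / "updater.exe").write_bytes(b"MZ")
    (hidden / "data.bin").write_bytes(b"\x00")
    (root / "readme.txt").write_text("benign")
    return root


def build_clean_drive() -> Path:
    """Constructed control tree with nothing hidden; the audit should stay empty."""
    root = Path(tempfile.mkdtemp(prefix="usb_clean_"))
    (root / "Reports").mkdir()
    (root / "Reports" / "q2.pdf").write_bytes(b"%PDF-1.4")
    return root


if __name__ == "__main__":
    drive = build_sample_drive()
    try:
        for kind, rel in audit_removable_root(drive):
            print(f"{kind:32s} {rel}")
    finally:
        shutil.rmtree(drive)
```

Run it against a real mount point (for example `audit_removable_root(Path("E:/"))` or `Path("/media/usb0")`) instead of the constructed sample; on Windows the attribute check catches items hidden without a dot prefix, which is the case that matters for removable media.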