Edward Kiledjian's Threat Intel

Hive0154, aka Mustang Panda, drops updated Toneshell backdoor and novel SnakeDisk USB worm www.ibm.com/think/x-f…

Hive0154 is a well-established China-aligned threat actor with a large malware arsenal, consistent techniques, and well-documented activity over the past several years. The group consists of multiple subclusters and engages in cyberattacks targeting public and private organizations, including think tanks, policy groups, government agencies, and individuals. X-Force’s observation of the group’s use of multiple custom malware loaders, backdoors, and USB worm families showcases their advanced development capabilities. Hive0154 activity overlaps with threat actors publicly reported as Mustang Panda, Stately Taurus, Camaro Dragon, Twill Typhoon, Polaris, and Earth Preta.

Hive0154 was observed using a new loader to reflectively inject either Pubload or Toneshell7, and separately deploying the more heavily obfuscated Toneshell8 variant directly. The most recent Pubload variant has undergone minor changes: it now supports decoy C2 servers and can download shellcode payloads via HTTP POST in addition to its raw TCP channel, which imitates TLS traffic.
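The paragraph above says only that Pubload's raw TCP channel imitates TLS; it does not describe the wire format, and nothing here should be read as a Pubload signature. As a generic detection aid, the following is an added example (not code from IBM X-Force or from this blog) that checks whether the first client-to-server payload of a TCP connection is structurally consistent TLS: a well-formed record header followed by a parseable ClientHello. Traffic that wears TLS framing over opaque bytes, lies about record lengths, or sends application_data with no handshake is flagged as TLS-like but inconsistent. The sample payloads at the bottom are constructed for the example, not captured traffic.

```python
"""Sanity-check the first client->server TCP payload for TLS structural consistency.

Added example, not from the IBM X-Force report or this blog. It knows nothing about
Pubload's actual wire format; it only verifies that bytes presenting a TLS record
header are followed by a well-formed ClientHello, which is what a real client sends first.
"""
import struct

HANDSHAKE, APPLICATION_DATA = 22, 23
CONTENT_TYPES = {20, 21, 22, 23}
RECORD_VERSIONS = {0x0300, 0x0301, 0x0302, 0x0303}   # record-layer versions seen on the wire
MAX_RECORD_LEN = 16384 + 2048                         # TLS 1.2 ciphertext upper bound


def split_records(payload: bytes):
    """Split a byte string into (content_type, version, body) TLS records.
    Returns (records, problem); problem is None when the framing is consistent."""
    records, off = [], 0
    while off < len(payload):
        if len(payload) - off < 5:
            return records, "truncated record header"
        ctype, version, length = struct.unpack("!BHH", payload[off:off + 5])
        if ctype not in CONTENT_TYPES:
            return records, f"unknown content type 0x{ctype:02x}"
        if version not in RECORD_VERSIONS:
            return records, f"implausible record version 0x{version:04x}"
        if length == 0 or length > MAX_RECORD_LEN:
            return records, f"implausible record length {length}"
        body = payload[off + 5:off + 5 + length]
        if len(body) < length:
            return records, "record length exceeds captured payload"
        records.append((ctype, version, body))
        off += 5 + length
    return records, None


def check_client_hello(body: bytes):
    """Walk a plaintext Handshake record body and require a well-formed ClientHello.
    Returns None when consistent, otherwise a short reason string."""
    if len(body) < 4:
        return "handshake header truncated"
    msg_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    if msg_type != 1:
        return f"first handshake message is type {msg_type}, not ClientHello"
    if hs_len != len(body) - 4:
        return f"handshake length {hs_len} != record payload {len(body) - 4}"
    hello, off = body[4:], 0

    def take(n, what):
        nonlocal off
        if off + n > len(hello):
            raise ValueError(f"{what} runs past end of ClientHello")
        chunk = hello[off:off + n]
        off += n
        return chunk

    try:
        version = int.from_bytes(take(2, "client_version"), "big")
        if version not in RECORD_VERSIONS | {0x0304}:
            return f"implausible client_version 0x{version:04x}"
        take(32, "random")
        sid_len = take(1, "session_id length")[0]
        if sid_len > 32:
            return f"session_id length {sid_len} > 32"
        take(sid_len, "session_id")
        cs_len = int.from_bytes(take(2, "cipher_suites length"), "big")
        if cs_len < 2 or cs_len % 2:
            return f"bad cipher_suites length {cs_len}"
        take(cs_len, "cipher_suites")
        cm_len = take(1, "compression_methods length")[0]
        if cm_len < 1:
            return "empty compression_methods"
        take(cm_len, "compression_methods")
        if off < len(hello):                       # extensions block must account for the rest
            ext_len = int.from_bytes(take(2, "extensions length"), "big")
            if ext_len != len(hello) - off:
                return f"extensions length {ext_len} != remaining {len(hello) - off}"
    except ValueError as e:
        return str(e)
    return None


def classify_first_payload(payload: bytes) -> str:
    """'not-tls', 'tls-like-inconsistent: <why>' or 'tls-consistent' for the first client payload."""
    if len(payload) < 5 or payload[0] not in CONTENT_TYPES or payload[1] != 0x03:
        return "not-tls"
    records, problem = split_records(payload)
    if problem:
        return f"tls-like-inconsistent: {problem}"
    ctype, _, body = records[0]
    if ctype != HANDSHAKE:
        return f"tls-like-inconsistent: first record type {ctype} is not Handshake"
    problem = check_client_hello(body)
    return f"tls-like-inconsistent: {problem}" if problem else "tls-consistent"


def build_client_hello(extensions: bytes = b"") -> bytes:
    """Constructed sample: a minimal TLS 1.2 ClientHello in one record (not captured traffic)."""
    hello = (b"\x03\x03" + bytes(32) + b"\x00"          # client_version, random, empty session_id
             + b"\x00\x04\x13\x01\xc0\x2f"              # two cipher suites
             + b"\x01\x00")                              # null compression only
    if extensions:
        hello += len(extensions).to_bytes(2, "big") + extensions
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs


# Constructed samples for the example; none of this is Pubload traffic.
GENUINE = build_client_hello()
FAKE_HEADER_ONLY = b"\x16\x03\x03\x00\x10" + b"\x41" * 16             # TLS framing over opaque bytes
FAKE_APP_DATA_FIRST = b"\x17\x03\x03\x00\x20" + bytes(32)             # application_data, no handshake
FAKE_LENGTH_LIE = b"\x16\x03\x01\x02\x00" + b"\x01\x00\x00\x10" + bytes(16)  # declares 512, sends 20
```

Run this over the first client segment of each new flow (after TCP reassembly, so a legitimately split record is not mistaken for a length lie) and alert on the `tls-like-inconsistent` class rather than on `not-tls`, which is ordinary cleartext. Real clients vary in their extension lists and cipher suites, but none of them send a Handshake record whose inner message is not a ClientHello; that structural check, not a fixed byte pattern, is what survives the variant churn the paragraph describes.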