216.73.217.172

Updated Toneshell backdoor and novel SnakeDisk USB worm dropped

· Published 11/09/2025 19:39 · Modified 11/09/2025 20:20

Export JSON

Essential information

Published
11/09/2025 19:39
Modified
11/09/2025 20:20
Tags
2025-09-11 backdoor china espionage pubload snakedisk thailand toneshell usb worm yokai
Related entities
7 observables, 1 intrusion sets (apt), 22 techniques (mitre), 3 others

Description

In mid-2025, -aligned threat actor Hive0154 deployed new malware variants, including an updated and a novel called . Toneshell9 evades detection and supports C2 communication through local proxies. only executes on devices in , propagating via USB drives and dropping the . The malware shows code overlaps with previous Tonedisk variants. Hive0154 continues to refine its large malware arsenal, targeting organizations worldwide with frequent development cycles. The group uses multiple custom loaders, backdoors, and families, showcasing advanced capabilities. Defenders should monitor for suspicious network activity, USB drives with hidden components, and implement recommended security measures to mitigate risks from this evolving threat.

External references