Mustang Panda deploys SnakeDisk USB worm targeting Thailand in recent malware campaign

A China-linked hacker group known as Mustang Panda has been spotted using a dangerous new USB worm named SnakeDisk.

Mustang Panda Unleashes New USB Worm

The group, also known under names like Hive0154, Camaro Dragon, RedDelta, and Bronze President, has been active since at least 2012. Over the years, they have targeted governments, think tanks, non-government organizations, and even religious organizations across the world.

In recent attacks, Mustang Panda has combined SnakeDisk with an updated version of their TONESHELL malware. This new combination makes it easier for the hackers to break into computer systems.

The group has previously focused on countries in Asia, such as Taiwan, Hong Kong, Mongolia, Tibet, and Myanmar. In 2022, they used official reports on Ukraine to trick victims into downloading malicious files. Once the files were opened, malware would quietly install itself, giving the hackers control of the computers.

SnakeDisk Specifically Targets Thailand

The SnakeDisk USB worm works by infecting removable drives like USB sticks. What makes it unusual is that it only activates on devices located in Thailand. It checks the computer’s location using its public IP address and will stop working if the device is not in Thailand.

Once a USB drive is connected, SnakeDisk hides the original files and places a malicious program whose name imitates the USB drive's name. This tricks people into opening the harmful file. When the program runs, it secretly restores the original files to avoid detection. The worm can also copy itself to other drives, spreading the infection further.
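For defenders, the drive layout described above (originals hidden, one visible program named after the drive) can be checked during removable-media triage. The sketch below is an added example, not code from IBM X-Force or from the malware; the extension list, the `Entry`, `list_root` and `triage` names, and the sample listings are assumptions made for illustration.

```python
import os
import stat
from dataclasses import dataclass

# Assumption: extensions treated as directly runnable; the article names none.
EXEC_EXTS = {".exe", ".com", ".scr", ".bat", ".cmd", ".lnk"}

@dataclass
class Entry:
    name: str
    hidden: bool

def list_root(root):
    """Read a mounted drive's root: Windows hidden attribute, dotfiles elsewhere."""
    entries = []
    for e in os.scandir(root):
        attrs = getattr(e.stat(follow_symlinks=False), "st_file_attributes", 0)
        hidden = bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN) or e.name.startswith(".")
        entries.append(Entry(e.name, hidden))
    return entries

def triage(volume_label, entries):
    """Flag the 'originals hidden, lure named after the drive' layout."""
    label = volume_label.strip().lower()
    visible = [e for e in entries if not e.hidden]
    hidden = [e for e in entries if e.hidden]
    lures = []
    for e in visible:
        stem, ext = os.path.splitext(e.name)
        if label and ext.lower() in EXEC_EXTS and stem.strip().lower() == label:
            lures.append(e.name)
    findings = [f"visible executable named after the volume: {n}" for n in lures]
    if lures and hidden and len(visible) == len(lures):
        findings.append(f"all {len(hidden)} other root entries are hidden")
    return findings

# Constructed listings (not taken from any real sample or report).
SAMPLE_SUSPECT = [Entry("KINGSTON.exe", False), Entry("reports", True),
                  Entry("budget.xlsx", True), Entry("System Volume Information", True)]
SAMPLE_CLEAN = [Entry("reports", False), Entry("setup.exe", False),
                Entry("System Volume Information", True)]

if __name__ == "__main__":
    for name, listing in (("suspect", SAMPLE_SUSPECT), ("clean", SAMPLE_CLEAN)):
        print(name, triage("KINGSTON", listing) or "no findings")
```

On a live system, pass `list_root` the drive's mount point and supply the volume label from the operating system; a hit is a reason to image and examine the drive, not proof of infection.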

SnakeDisk drops another malware called Yokai, which allows hackers to control the infected system. Yokai can open a hidden connection to send and receive commands, giving attackers complete access to the computer. It also sets up scheduled tasks to make sure it stays active even if the user restarts the system.

IBM X-Force researchers observed that SnakeDisk uses a technique called DLL sideloading. This allows it to disguise harmful files as trusted applications, making it harder for antivirus programs to detect. The worm has two main modes: one that infects USB drives when removed and another that immediately drops the malware on the system.

Connection to Geopolitical Tensions

Experts believe Mustang Panda may have deployed SnakeDisk in connection with recent conflicts involving Thailand. Border clashes with Cambodia escalated in 2025, including artillery and airstrikes.

Political instability also grew when a leaked phone call led to the resignation of Thailand’s Prime Minister. With China supporting Cambodia during this period, Mustang Panda likely exploited the situation to target Thai networks with SnakeDisk.

IBM X-Force reports show that SnakeDisk closely resembles earlier malware used by Mustang Panda, including TONESHELL and Tonedisk. The group continues to reuse and improve its malware families, making it a persistent threat to governments and organizations in Asia and beyond.

The worm’s technical design ensures it can spread silently, avoid detection, and maintain long-term access to infected devices.

Overall, the appearance of SnakeDisk highlights the growing sophistication of Mustang Panda’s operations. Their malware is carefully designed to target specific countries, spread through common tools like USB drives, and avoid standard security measures.

Organizations in Thailand are at particular risk, and the worm’s design shows how advanced hacking techniques are being used in connection with real-world conflicts.
