13 March
There is malware that only activates on machines with Thai IP addresses. If you plug a USB drive into a computer abroad — it does nothing. But plug it into your office computer in Bangkok — it instantly installs a backdoor.
This is not hypothetical — this is SnakeDisk, a new malware from the Mustang Panda group (Chinese APT) that IBM X-Force and ThaiCERT have already issued warnings about.
The question is — does your organization still allow employees to freely plug in USB drives?
Who Is Mustang Panda?
Mustang Panda (also known as: Hive0154, Bronze President, Earth Preta, RedDelta, Twill Typhoon) is a Chinese APT (Advanced Persistent Threat) group that has been active since 2012. Their primary targets are government and military agencies in Southeast Asia, particularly Thailand.
What sets Mustang Panda apart from ordinary hackers is that they are state-sponsored, have unlimited resources, and pursue strategic objectives — not just financial theft. According to IBM X-Force reports, this group continuously develops new malware.
What Is SnakeDisk? — A USB Worm That Only Activates on Thai IPs
SnakeDisk is a newly discovered USB Worm identified by IBM X-Force, with unique capabilities never seen before:
| Feature | Details |
|---|---|
| Geofencing | Checks the machine's Public IP — if it is not a Thai IP, the malware immediately stops execution |
| Propagation | Hides real files on the USB in a hidden subfolder, then creates a "USB.exe" lure file for the victim to open |
| Disguise | When the victim opens it, real files are restored normally — the victim has no idea they just got infected with malware |
| Encryption | Uses dual-layer XOR decryption with a 320-byte key — difficult to detect with antivirus |
| Payload | Installs Yokai Backdoor allowing hackers to remotely control the machine |
How Does SnakeDisk Work? (Step by Step)
- Victim plugs in an infected USB — possibly received at a seminar, meeting, or picked up from a "forgotten" USB drive
- SnakeDisk checks the IP — verifies whether the machine is in Thailand; if not, it stops immediately (which also means a sample detonated in an analysis sandbox outside Thailand shows no malicious behaviour)
- Hides real files — moves all files on the USB into a hidden subfolder
- Creates USB.exe — creates a lure file named after the USB drive or "USB.exe"; the victim sees only one file and opens it
- Installs Yokai Backdoor — opens a Reverse Shell allowing hackers to access the machine remotely
- Restores real files — the victim sees their files return to normal and suspects nothing
- Spreads further — when another USB is plugged into the infected machine, the worm copies itself to that USB as well
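As an added example (not code from the article, from IBM X-Force, or from the vendor), the following PowerShell script checks every mounted removable drive for the layout the steps above describe: a visible executable at the drive root named after the volume label or "USB", with the drive's real contents moved into a hidden subfolder. The function name Test-UsbLureLayout is my own. It is a triage heuristic, not a signature: a match means the drive should be inspected before anything on it is opened, which is the kind of check that measure 3 below calls for.

```powershell
# Added example (not from the article or the vendor): audit a removable drive
# for the SnakeDisk-style lure layout. A match means "inspect before opening",
# not "confirmed infected".

function Test-UsbLureLayout {
    param(
        [Parameter(Mandatory)] [string] $Root,   # e.g. 'E:\'
        [string] $VolumeLabel = ''                # volume label of the drive, if known
    )

    $findings = @()
    $hidden   = [IO.FileAttributes]::Hidden

    # Top-level items, including hidden ones (-Force).
    $topLevel   = @(Get-ChildItem -LiteralPath $Root -Force -ErrorAction Stop)
    $visible    = @($topLevel | Where-Object { ($_.Attributes -band $hidden) -eq 0 })
    $visibleExe = @($visible  | Where-Object { -not $_.PSIsContainer -and $_.Extension -ieq '.exe' })

    # Hidden top-level folders that still hold files: where the originals were stashed.
    # Windows' own hidden folders on removable media are excluded.
    $stashDirs = @($topLevel | Where-Object {
        $_.PSIsContainer -and (($_.Attributes -band $hidden) -ne 0) -and
        ($_.Name -notin @('System Volume Information', '$RECYCLE.BIN')) -and
        ((Get-ChildItem -LiteralPath $_.FullName -Force -Recurse -File -ErrorAction SilentlyContinue |
            Measure-Object).Count -gt 0)
    })

    # Lure name: an executable called "USB" or named after the drive itself.
    foreach ($exe in $visibleExe) {
        $base = [IO.Path]::GetFileNameWithoutExtension($exe.Name)
        if (($base -ieq 'USB') -or ($VolumeLabel -and ($base -ieq $VolumeLabel))) {
            $findings += "lure-named executable at drive root: $($exe.FullName)"
        }
    }

    # A root that shows nothing but executables is the "victim sees only one file" picture.
    if ($visibleExe.Count -ge 1 -and $visible.Count -eq $visibleExe.Count) {
        $findings += "drive root shows only executables ($($visibleExe.Count))"
    }
    foreach ($d in $stashDirs) {
        $findings += "hidden folder holding user files: $($d.FullName)"
    }

    [pscustomobject]@{
        Root       = $Root
        # Two independent indicators (e.g. lure name plus hidden stash) are
        # required before the drive is flagged, to keep false positives down.
        Suspicious = ($findings.Count -ge 2)
        Findings   = $findings
    }
}

# Run against every removable drive currently mounted (Win32_LogicalDisk DriveType 2).
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    Test-UsbLureLayout -Root ($_.DeviceID + '\') -VolumeLabel $_.VolumeName
}
```

The script only reads directory metadata; it never launches anything on the drive. Because it keys on layout rather than on file hashes, it also catches a re-packed sample that an antivirus signature would miss, at the price of occasional false positives on drives that legitimately carry a single installer.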
Yokai Backdoor — Remote Control by Hackers
Once SnakeDisk successfully installs the Yokai Backdoor, hackers can:
- Execute any command on the victim's machine — as if sitting in front of the computer themselves
- Steal files — classified documents, contracts, procurement data, budget information
- Install additional malware — such as keyloggers to capture passwords, or ransomware to encrypt data
- Lateral Movement across the network — from an employee's workstation to ERP servers or databases
Yokai was first discovered in attacks on Thai government officials in 2024 by Netskope, and shares structural similarities with TONESHELL, Mustang Panda's primary malware.
Why Does It Target Thailand Exclusively?
IBM X-Force assesses that SnakeDisk likely originates from a sub-group within Mustang Panda that focuses specifically on Thailand. Reasons Thailand is a target:
- Geopolitical situation — the Thai-Cambodia border conflict in 2025 made Thailand a prime intelligence target
- National security data — Thai government and military agencies hold valuable strategic information
- Economic strategy — government budget and procurement data are key targets for economic espionage
TONESHELL8 and TONESHELL9 — New Backdoor Variants with Better Evasion
In addition to SnakeDisk, Mustang Panda also released two new TONESHELL variants at the same time:
| Malware | Special Capability |
|---|---|
| TONESHELL8 | Secretly copies code from OpenAI's ChatGPT website into the malware to fool antivirus software into thinking it is a legitimate program |
| TONESHELL9 | Communicates with C2 Server through the organization's own proxy — making traffic appear as normal usage, nearly undetectable by firewalls |
What is alarming is that TONESHELL8 uses code from the ChatGPT website as "Junk Code" embedded in the malware to fool antivirus static analysis — demonstrating that hackers are continuously using AI as an attack tool.
6 USB Attack Prevention Measures for Organizations
Organizations with ERP systems and critical data must take immediate action:
1. Disable USB Autorun on All Machines
Disable Autorun/AutoPlay on all Windows machines in the organization to prevent malware from running automatically when a USB is plugged in — this is the first thing to do immediately.
2. Implement USB Device Control Policy
Set a policy that only company-registered USB devices are allowed. Unknown USB drives are automatically blocked. Modern Endpoint Protection systems support USB Whitelisting.
3. Scan Every USB Before Use
Require employees to scan USB drives with updated antivirus before opening any files. Absolutely prohibit using USB drives "found" in public places, meeting rooms, or at seminars.
4. Enable File Extension Display on Windows
SnakeDisk uses a file named "USB.exe". If Windows hides file extensions, the victim only sees "USB" — which looks like a normal folder. Enabling file extension display makes the ".exe" clearly visible.
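Measures 1, 2 and 4 are all registry-backed Windows policies, so they can be applied in one script. The script below is an added example (not the article's or the vendor's) that sets the standard policy values on a single machine; the helper name Set-PolicyValue is my own. It disables Autorun/AutoPlay, denies execute access from removable disks, and turns on file extension display. The allow-listing half of measure 2 (only registered devices permitted) is not something the registry alone provides; that part still needs the endpoint protection product the article refers to.

```powershell
# Added example (not from the article or the vendor). Run from an elevated
# PowerShell session. HKLM values are machine-wide; the HKCU value applies
# to the current user's profile only.

#Requires -RunAsAdministrator

function Set-PolicyValue {
    param([string] $Path, [string] $Name, [int] $Value)
    # Create the key (and any missing parents) before writing the DWORD.
    if (-not (Test-Path -LiteralPath $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -LiteralPath $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
    Write-Host ('{0}\{1} = {2}' -f $Path, $Name, $Value)
}

# Measure 1: disable Autorun/AutoPlay on every drive type.
#   NoDriveTypeAutoRun = 0xFF sets the bit for all drive types;
#   NoAutorun = 1 stops autorun.inf from being honoured at all.
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-PolicyValue -Path $explorerPolicy -Name 'NoDriveTypeAutoRun' -Value 0xFF
Set-PolicyValue -Path $explorerPolicy -Name 'NoAutorun'          -Value 1

# Measure 2: deny *execute* from removable disks while still allowing read/write,
#   so a "USB.exe" lure cannot be launched from the drive. The GUID is the
#   "Removable Disks" device class used by the Removable Storage Access policies.
#   Add Deny_Read / Deny_Write = 1 if the policy is to block unknown drives outright.
$removable = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
Set-PolicyValue -Path $removable -Name 'Deny_Execute' -Value 1

# Measure 4: show file extensions so "USB.exe" is not displayed as "USB".
#   Explorer reads this on start; sign out and back in for it to take effect.
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-PolicyValue -Path $advanced -Name 'HideFileExt' -Value 0
```

In a domain, push the same settings with Group Policy instead of running this per machine: the Autorun values live under Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies, and the removable-disk execute denial under Computer Configuration > Administrative Templates > System > Removable Storage Access. Verify afterwards with Get-ItemProperty on each path, since an endpoint product or another GPO may overwrite the values.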
5. Use 2FA + Role-based Access Control in ERP Systems
Even if hackers install a backdoor, if the ERP system has 2FA + Role-based Access Control, they cannot access critical data because an additional authentication layer is required.
6. Monitor Audit Trail for USB Activity
A good ERP system must log all activities — who accessed what data, when, and from which IP. If a backdoor secretly extracts data, the Audit Trail will immediately reveal abnormal behavior.
Impact on Thai Government Agencies
The primary targets of SnakeDisk are government and military agencies — organizations that hold vast amounts of critical data:
| Data at Risk | Impact If Stolen |
|---|---|
| Budget Data | Reveals government budget allocations — used as economic intelligence |
| Procurement Data | Reveals what was purchased, from whom, and at what price — exploitable for business and political advantage |
| Personnel Data | Organization structure, positions, salaries — used for Social Engineering follow-up attacks |
| Classified Documents | Contracts, policies, strategic plans — impacts national security |
"A USB Drive is the digital-age Trojan Horse — it looks harmless but hides danger inside."
- IBM X-Force Threat Intelligence Report
Conclusion — A Small Flash Drive Can Destroy an Entire Organization
SnakeDisk from Mustang Panda is no ordinary malware — it was specifically designed to target Thailand. Its targets are government and military agencies, and it spreads through USB drives that Thai people still use every day.
Organizations with ERP systems storing budget, procurement, and personnel data must upgrade their USB Security policies immediately before it is too late.
Saeree ERP — Designed for Government-Grade Security
2FA, Role-based Access Control, Full Audit Trail, Encrypted Database — even if hackers install a backdoor, they cannot access critical data
Request Free Demo | Call 02-347-7730 | sale@grandlinux.com
References
- IBM X-Force. "Hive0154, aka Mustang Panda, drops updated Toneshell backdoor and novel SnakeDisk USB worm." ibm.com
- The Hacker News. "Mustang Panda Deploys SnakeDisk USB Worm to Deliver Yokai Backdoor on Thailand IPs." thehackernews.com
- ThaiCERT. "Mustang Panda Deploys SnakeDisk Malware to Target Thai IPs and Deliver Yokai Backdoor." thaicert.or.th
- Picus Security. "Breaking Down Mustang Panda Windows Endpoint Campaign." picussecurity.com
- Cybersecurity News. "Mustang Panda With SnakeDisk USB Worm Seeking to Penetrate Air-Gap Systems." cybersecuritynews.com
