SnakeDisk is a previously undocumented USB worm attributed to the China-aligned threat actor Hive0154, also widely tracked as Mustang Panda. It is a 32-bit DLL and is launched via DLL side-loading. Reporting describes it as part of the broader TONESHELL/ToneDisk malware ecosystem, with strong overlaps to the earlier ToneDisk A / WispRider USB worm framework.
Its primary function is USB-based propagation. SnakeDisk detects existing and newly attached removable drives, using IOCTL_STORAGE_GET_HOTPLUG_INFO queries and WM_DEVICECHANGE monitoring. On infected USB media it hides the existing files by moving them into hidden directories, copies multiple malicious components plus configuration data onto the drive, marks those directories and selected files SYSTEM and HIDDEN, and leaves a weaponized executable in the drive root named after the volume label, or USB.exe, to induce the user to run it. The reporting also notes that once that executable runs, the hidden files are copied back to their original locations.
SnakeDisk supports two execution paths selected by command-line argument: -Embedding for the USB-infection behavior and -hope for immediate payload dropping and execution. It requires a configuration file, which it validates with a CRC32 checksum and decrypts with a custom XOR-based algorithm. A notable execution guard is geofencing: it queries http://ipinfo[.]io/json and continues only when the returned country field is THA or TH, i.e. a Thailand-based public IP address.
When triggered, SnakeDisk drops the Yokai backdoor. On USB removal, it can write payload fragments to C:\Users\Public\ and reassemble them into libcef.dll alongside a randomly named executable; that executable is the legitimate, signed acwebbrowser.exe, which side-loads the malicious libcef.dll. The dropped libcef.dll was identified as Yokai version 1.0.0. Yokai establishes persistence via a scheduled task named MicrosoftEdgeAcModuleUpdateTask when the user lacks administrator privileges, communicates by HTTP POST to http://118.174.183[.]89/kptinfo/import/index.php, and provides a reverse shell over anonymous pipes for arbitrary command execution.
The malware has been linked to campaigns affecting Thailand and, more broadly, to activity observed from Singapore and Thailand. IBM X-Force assessed that the Thailand-only execution logic combined with USB propagation may reflect an operational focus on Thailand, potentially including attempts to reach air-gapped government environments. High-confidence indicators cited in the reporting are the SnakeDisk SHA256 dd694aaf44731da313e4594d6ca34a6b8e0fcce505e39f8273b9242fdf6220e0 and the associated Yokai DLL SHA256 35bec1d8699d29c27b66e5646e58d25ce85ea1e41481d048bcea89ea94f8fb4b.
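The USB layout described above (user files moved into a hidden+SYSTEM directory, lure executable named after the volume label or USB.exe) can be checked mechanically. The following is an added triage example, not code from IBM X-Force or any vendor; the listing it inspects is constructed, the directory name is a placeholder, and only `collect_root` depends on Windows.

```python
"""Triage check for the SnakeDisk-style USB layout (added example)."""
from __future__ import annotations
import os
from dataclasses import dataclass

FILE_ATTRIBUTE_HIDDEN = 0x02      # documented Windows file attribute bits
FILE_ATTRIBUTE_SYSTEM = 0x04
FILE_ATTRIBUTE_DIRECTORY = 0x10
FILE_ATTRIBUTE_ARCHIVE = 0x20

@dataclass(frozen=True)
class Entry:
    name: str
    attrs: int

def collect_root(drive_root: str) -> list[Entry]:
    """Read a real drive root; st_file_attributes only exists on Windows."""
    out = []
    for e in os.scandir(drive_root):
        st = e.stat(follow_symlinks=False)
        out.append(Entry(e.name, getattr(st, "st_file_attributes", 0)))
    return out

def assess_usb_root(volume_label: str, entries: list[Entry]) -> list[str]:
    """Return findings for a drive root listing; empty list means clean."""
    findings = []
    hidden_sys = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM
    lure_names = {f"{volume_label}.exe".lower(), "usb.exe"}
    lures = [e for e in entries if e.name.lower() in lure_names
             and not e.attrs & FILE_ATTRIBUTE_DIRECTORY]
    stashes = [e for e in entries if e.attrs & FILE_ATTRIBUTE_DIRECTORY
               and (e.attrs & hidden_sys) == hidden_sys]
    for e in lures:
        findings.append(f"root executable mimics the drive name: {e.name}")
    for e in stashes:
        findings.append(f"hidden+system directory in root: {e.name}")
    # Both artifacts together match the documented SnakeDisk layout.
    if lures and stashes:
        findings.append("SnakeDisk-style layout: lure exe plus hidden stash")
    return findings

# Constructed listing of an infected drive whose volume label is "KINGSTON".
SAMPLE_INFECTED = [
    Entry("KINGSTON.exe", FILE_ATTRIBUTE_ARCHIVE),          # visible lure
    Entry("stash_dir_placeholder", FILE_ATTRIBUTE_DIRECTORY  # moved user files
          | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM),
    Entry("Thumbs.db", FILE_ATTRIBUTE_HIDDEN),              # benign hidden file
]
SAMPLE_CLEAN = [Entry("report.docx", FILE_ATTRIBUTE_ARCHIVE),
                Entry("photos", FILE_ATTRIBUTE_DIRECTORY)]
```

A lone hidden+system directory is a weaker signal than the paired layout, so the combined finding is the one worth alerting on.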
X-Force analyzed a new USB worm, SnakeDisk, which only executes on devices located in Thailand, based on their IP address... The analyzed SnakeDisk sample drops the Yokai backdoor on infected devices.
The worm displays code overlaps with Tonedisk and is able to detect new and existing USB devices, which it weaponizes as a means of propagation... SnakeDisk begins to loop through all possible drive letters from A-Z... For newly connected devices, a new thread is launched to infect the drive.
By essentially hiding the files a user expects on their USB, the malware increases the chance of a victim believing the USB has not yet been opened and accidentally clicking the weaponized executable on a new machine bearing the same name as the device.
Next, it creates a new event "Windows External Module" which acts as a mutex to prevent multiple instances from running on the same machine... SnakeDisk then ensures it only runs in a single instance by attempting to open a mutex "Global\\<mutx config value>".
After successfully reading its configuration file, SnakeDisk will try to confirm that it is currently executing on a Thailand-based machine. It sends an HTTP GET request to http://ipinfo[.]io/json and checks if the "country" field matches either "THA" or "TH".
Specifically, it moves the existing files on the USB into a new sub-directory, effectively tricking the victim into clicking on the malicious payload on a new machine by setting its name to the volume name of the USB device, or "USB.exe." Once the malware is launched, the files are copied back to their original location.
Referenced as part of the malware set in Mustang Panda's tooling evolution.
USB-propagating worm that executes only on devices with Thailand-based IPs and drops the Yokai backdoor (per excerpt).
A previously undocumented USB worm referenced as used alongside an updated ToneShell backdoor in Mustang Panda activity.
SnakeDisk is a novel USB worm capable of self-replication and spreading via removable media, attributed to Mustang Panda.