Updated Toneshell backdoor and novel SnakeDisk USB worm dropped

Sept. 11, 2025, 8:20 p.m.

Description

In mid-2025, the China-aligned threat actor Hive0154 deployed new malware variants, including an updated Toneshell backdoor and a novel USB worm called SnakeDisk. Toneshell9 evades detection and supports C2 communication through local proxies. SnakeDisk executes only on devices located in Thailand, propagates via USB drives, and drops the Yokai backdoor. The malware shows code overlaps with previous Tonedisk variants. Hive0154 continues to refine its large malware arsenal, targeting organizations worldwide with frequent development cycles. The group uses multiple custom loaders, backdoors, and USB worm families, demonstrating advanced capabilities. Defenders should monitor for suspicious network activity and for USB drives carrying hidden components, and should implement the recommended security measures to mitigate the risk from this evolving threat.

Date

  • Created: Sept. 11, 2025, 7:39 p.m.
  • Published: Sept. 11, 2025, 7:39 p.m.
  • Modified: Sept. 11, 2025, 8:20 p.m.

Indicators


Additional Information

  • Defense
  • Government
  • Thailand