
Updated Toneshell backdoor and novel SnakeDisk USB worm dropped

Severity: Medium
Published: Thu Sep 11 2025 (09/11/2025, 19:39:20 UTC)
Source: AlienVault OTX General

Description

In mid-2025, China-aligned threat actor Hive0154 deployed new malware variants, including an updated Toneshell backdoor and a novel USB worm called SnakeDisk. Toneshell9 evades detection and supports C2 communication through local proxies. SnakeDisk only executes on devices in Thailand, propagating via USB drives and dropping the Yokai backdoor. The malware shows code overlaps with previous Tonedisk variants. Hive0154 continues to refine its large malware arsenal, targeting organizations worldwide with frequent development cycles. The group uses multiple custom loaders, backdoors, and USB worm families, showcasing advanced capabilities. Defenders should monitor for suspicious network activity, USB drives with hidden components, and implement recommended security measures to mitigate risks from this evolving threat.

AI-Powered Analysis

Last updated: 09/11/2025, 20:18:53 UTC

Technical Analysis

In mid-2025, the China-aligned advanced persistent threat (APT) group Hive0154 deployed updated malware variants, notably the Toneshell9 backdoor and a novel USB worm named SnakeDisk. Toneshell9 is an evolution of the Toneshell backdoor family, designed to evade detection by leveraging local proxy servers for command and control (C2) communications, thereby complicating network-based detection efforts. This backdoor supports stealthy remote access and persistent control over compromised systems. SnakeDisk is a USB worm that specifically targets devices in Thailand, propagating via removable USB drives. Upon execution, SnakeDisk drops the Yokai backdoor, another sophisticated malware component, enabling further espionage activities. The malware exhibits code overlaps with previous Tonedisk variants, indicating continuous refinement and reuse of proven codebases by Hive0154. The group employs multiple custom loaders, backdoors, and USB worm families, demonstrating advanced capabilities and frequent development cycles to maintain operational effectiveness. The campaign's tactics include lateral movement via USB devices, evasion of detection through proxy-based C2 channels, and deployment of multiple malware families to establish persistent footholds. Indicators of compromise include specific file hashes and IP addresses linked to the malware infrastructure. Defenders are advised to monitor for suspicious network activity, especially proxy communications, and to scrutinize USB devices for hidden or unauthorized components. The threat actor's focus on espionage and use of USB propagation techniques highlight the need for comprehensive endpoint and network security controls.

Potential Impact

For European organizations, the threat poses a medium risk primarily due to the espionage focus and the use of USB worms and backdoors that can facilitate unauthorized access and data exfiltration. Although SnakeDisk currently executes only on devices in Thailand, the updated Toneshell backdoor has global targeting potential, which could impact European entities, especially those with supply chain or business ties to Southeast Asia or China. The use of local proxies for C2 communications complicates detection and may allow attackers to maintain persistence undetected for extended periods. The USB worm vector, while geographically limited for SnakeDisk, underscores the risk of removable media as an infection vector, which remains relevant for European organizations with international operations or employees traveling to affected regions. The espionage nature of Hive0154 suggests targeting of sensitive intellectual property, government, defense, or critical infrastructure sectors. The medium severity reflects the complexity of the malware and its stealth capabilities, balanced against the current limited geographic execution of the USB worm. However, the evolving nature of Hive0154’s arsenal means European organizations should remain vigilant against potential future expansions of this threat.

Mitigation Recommendations

European organizations should implement a layered defense strategy tailored to the specific tactics used by Hive0154. Key measures include:

1) Enforce strict USB device control policies, including disabling autorun features and restricting use of unauthorized removable media.
2) Deploy endpoint detection and response (EDR) solutions capable of detecting anomalous behaviors associated with backdoors and worms, such as unusual proxy usage or hidden file system activity.
3) Monitor network traffic for proxy-based C2 communications, including the use of local proxies and uncommon ports, and implement network segmentation to limit lateral movement.
4) Conduct regular threat hunting exercises focusing on indicators of compromise such as the provided file hashes and IP addresses.
5) Educate employees on the risks of USB devices and implement physical security controls to prevent unauthorized device usage.
6) Maintain up-to-date threat intelligence feeds and integrate them into security monitoring tools to detect emerging Hive0154 activity.
7) Apply strict access controls and multi-factor authentication to limit attacker persistence and privilege escalation.
8) Regularly audit and harden systems against known persistence techniques used by Hive0154, including custom loaders and backdoors.

These targeted actions go beyond generic advice by focusing on the specific attack vectors and malware behaviors observed in this campaign.
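To support items 3 and 4, here is an added example (not code from the pulse or from IBM X-Force) of a small IoC sweep that matches the hashes, IPs and domain published in the Indicators of Compromise section of this page against log lines; the log records are constructed for illustration and the field layout is an assumption.

```python
import re

# Indicators of compromise published in this pulse (see the IoC section of this page).
IOC_HASHES = {
    "434fe22d538e74a1e40e58255f844cd2",
    "3158a8186a0322d245f0c36e81fd0c432a223159",
    "318a1ebc0692d1d012d20d306d6634b196cc387b1f4bc38f97dd437f117c7e20",
    "bb5bb82e5caf7d4dbbe878b75b23f793a5f3c5ca6dba70d8be447e8c004d26ce",
}
IOC_IPS = {"118.174.183.89", "123.253.34.44", "146.70.29.229", "188.208.141.196"}
IOC_DOMAINS = {"www.slickvpn.com"}

# SHA-256 (64 hex), SHA-1 (40 hex) and MD5 (32 hex) digests; longest alternative first.
HASH_RE = re.compile(r"\b[0-9a-fA-F]{64}\b|\b[0-9a-fA-F]{40}\b|\b[0-9a-fA-F]{32}\b")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def match_line(line):
    """Return a list of (ioc_type, value) pairs found in one log line."""
    hits = []
    for h in HASH_RE.findall(line):
        if h.lower() in IOC_HASHES:          # hashes are compared case-insensitively
            hits.append(("hash", h.lower()))
    for ip in IP_RE.findall(line):
        if ip in IOC_IPS:
            hits.append(("ip", ip))
    for d in DOMAIN_RE.findall(line):
        if d.lower() in IOC_DOMAINS:
            hits.append(("domain", d.lower()))
    return hits


def sweep(lines):
    """Map each matching line number (1-based) to the IoC hits on that line."""
    return {n: hits for n, line in enumerate(lines, 1) if (hits := match_line(line))}


# Constructed sample records (not real telemetry): a proxy CONNECT, an EDR file
# event carrying an upper-case SHA-256, a benign DNS query and a matching DNS query.
SAMPLE_LOGS = [
    "2025-09-11T10:01:02Z proxy CONNECT 146.70.29.229:443 user=jdoe status=200",
    "2025-09-11T10:03:15Z edr file_create path=E:\\update.exe "
    "sha256=318A1EBC0692D1D012D20D306D6634B196CC387B1F4BC38F97DD437F117C7E20",
    "2025-09-11T10:04:00Z dns query www.example.com type=A",
    "2025-09-11T10:05:30Z dns query www.slickvpn.com type=A",
]

if __name__ == "__main__":
    for n, hits in sweep(SAMPLE_LOGS).items():
        print(f"line {n}: {hits}")
```

Feed the output of `sweep` with real proxy, DNS and EDR exports in place of `SAMPLE_LOGS`; the regexes only locate candidate values, so a hit is exactly a value from the published IoC set.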


Technical Details

Author: AlienVault
TLP: white
References: https://www.ibm.com/think/x-force/hive0154-drops-updated-toneshell-backdoor
Adversary: Hive0154
Pulse Id: 68c32568c1f6fad2db3a2d3a
Threat Score: null

Indicators of Compromise

Hash

Type     Value
MD5      434fe22d538e74a1e40e58255f844cd2
SHA-1    3158a8186a0322d245f0c36e81fd0c432a223159
SHA-256  318a1ebc0692d1d012d20d306d6634b196cc387b1f4bc38f97dd437f117c7e20
SHA-256  bb5bb82e5caf7d4dbbe878b75b23f793a5f3c5ca6dba70d8be447e8c004d26ce

IP

Type  Value
ip    118.174.183.89
ip    123.253.34.44
ip    146.70.29.229
ip    188.208.141.196

Domain

Type    Value
domain  www.slickvpn.com

Threat ID: 68c32a3a563d4c3db06004b1

Added to database: 9/11/2025, 7:59:54 PM

Last enriched: 9/11/2025, 8:18:53 PM

Last updated: 9/11/2025, 8:18:53 PM
