Executive Summary
Report Date: September 19, 2025
Threat Actor: Mustang Panda (TA416, RedDelta, BRONZE PRESIDENT)
Target: Thai Government and Military Entities
Campaign: 2025 "SnakeDisk" USB Worm Attack
Throughout 2025, the China-aligned cyber espionage group Mustang Panda executed a highly targeted campaign against Thai government and military entities. The operation utilized a new variant of the SnakeDisk USB worm, which was engineered to activate only within Thailand. Notably, this campaign's timing and targets strongly correlate with the renewed border conflict between Thailand and Cambodia.
While there is no direct evidence definitively linking this cyber operation to the geopolitical conflict, the overlapping circumstances are significant. This report provides a comprehensive analysis of the technical evidence, the campaign's timeline, and presents the strong circumstantial indicators that suggest a potential connection.
1. Threat Actor Profile
- Aliases: Mustang Panda, TA416, RedDelta, BRONZE PRESIDENT, MITRE Group G0129
- Attribution: China-aligned, assessed to be state-sponsored.
- Active Since: At least 2014.
- Typical Targets: Governments, NGOs, law enforcement, and strategic organizations, with a pronounced focus on Southeast Asia.
- 2025 Focus: A surgical espionage campaign against Thai government and military entities.
2. Geopolitical Context: A Parallel Crisis
The year 2025 has been defined by a severe deterioration in Thailand-Cambodia relations over disputed territories. This provides important geopolitical context in which the cyber campaign occurred.
- April-May 2025: Minor skirmishes between border patrols escalate, leading to significant military buildups.
- July 2025: A major firefight results in casualties and triggers emergency sessions in the Thai Parliament.
- August-September 2025: Despite ceasefire talks, the situation remains highly volatile.
It is during this same timeframe that the SnakeDisk campaign became active and escalated.
3. Technical Deep Dive: Malware Arsenal & Attack Chain
Mustang Panda’s toolkit is purpose-built for stealthy, long-term espionage.
Primary Tools in the 2025 Campaign
- SnakeDisk USB Worm: The key initial access vector.
- Propagation: Spreads via infected USB drives (T1091, Replication Through Removable Media), a vector chosen because it can reach isolated or air-gapped government and military networks that have no direct Internet path.
- Geo-Fencing: Contains a conditional execution check. The worm inspects the victim machine's public IP address and only activates its payload if that address falls within Thai IP space, which is strong evidence of intent to target entities inside Thailand specifically. A practical consequence for analysts: a sample detonated in a sandbox whose egress IP is outside Thailand will appear inert, so a benign verdict from such an environment is not meaningful unless the sample is run behind a Thai egress or the check is hooked or patched out.
- Payload: Deploys the Yokai backdoor for persistent access.
- Yokai Backdoor: A full-featured remote access trojan (RAT).
- Capabilities: Enables remote command execution, file system manipulation, and data exfiltration.
- Evasion: Uses encrypted command and control (C2) channels to hide its activity.
Typical Attack Chain
- Initial Access: A user introduces an infected USB drive into a target network. (T1091)
- Execution: The SnakeDisk worm executes, verifies that the system's public IP address is Thai, and drops the Yokai backdoor (T1204.002, T1059).
- Persistence: Yokai establishes persistence using Registry Run Keys (T1547.001) or Scheduled Tasks (T1053.005).
- Discovery & Lateral Movement: The actor performs reconnaissance (T1082) and moves across the network.
- Command & Control (C2): The implant communicates with actor-controlled servers (T1071).
- Exfiltration: Sensitive data is collected and stolen over the C2 channel (T1041).
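The following is an added example written for this report; it is not Mustang Panda's code, nor a vendor tool. It shows how a responder can triage the contents of a removable drive for the lure patterns the initial-access and execution steps depend on: a shortcut dressed up with a document double extension (Briefing.docx.lnk), a PE binary stored under a document-looking name, and executable types sitting on removable media at all. The drive it scans is constructed in a temporary directory with synthetic contents; the magic values are the standard Shell Link header and the PE "MZ" signature, and the function and file names are the example's own.

```python
"""Triage a removable-media volume for USB lure patterns (added example)."""
from __future__ import annotations

import os
import tempfile
from pathlib import Path

# Shell Link (.lnk) header: HeaderSize 0x4C followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046} in its on-disk byte order.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
PE_MAGIC = b"MZ"  # DOS header signature every PE file starts with

EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".hta"}
DOC_EXT = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".rtf", ".txt"}


def classify_file(path: Path) -> list[str]:
    """Return the reasons a file on removable media deserves a closer look."""
    reasons: list[str] = []
    suffixes = [s.lower() for s in path.suffixes]
    last = suffixes[-1] if suffixes else ""
    with open(path, "rb") as fh:
        head = fh.read(len(LNK_MAGIC))

    # "Briefing.docx.lnk": the visible name is a document, the real type is a shortcut.
    if len(suffixes) >= 2 and suffixes[-2] in DOC_EXT and last in EXEC_EXT | {".lnk"}:
        reasons.append(f"double extension {''.join(suffixes[-2:])}")
    # Content is a Shell Link but the name does not say so. Explorer never shows
    # the .lnk extension, so trust the bytes rather than the name.
    if head.startswith(LNK_MAGIC) and last != ".lnk":
        reasons.append("shell link content without .lnk extension")
    # A PE binary stored under a document-looking (or missing) extension.
    if head.startswith(PE_MAGIC) and last not in EXEC_EXT | {".dll", ".sys"}:
        reasons.append(f"PE header under non-executable extension {last or '(none)'}")
    # Any executable type on removable media is worth listing in a government setting.
    if last in EXEC_EXT:
        reasons.append(f"executable type {last} on removable media")
    return reasons


def triage_volume(root: str | os.PathLike) -> dict[str, list[str]]:
    """Walk a mounted volume and map each flagged filename to its reasons."""
    findings: dict[str, list[str]] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            reasons = classify_file(Path(dirpath) / name)
            if reasons:
                findings[name] = reasons
    return findings


def build_sample_volume() -> str:
    """Constructed stand-in for an infected drive; contents are synthetic, not real samples."""
    root = tempfile.mkdtemp(prefix="usb_triage_")
    samples = {
        # document-looking shortcut (same pattern as the filename IOCs in this report)
        "Border_Situation_Briefing_July2025.docx.lnk": LNK_MAGIC + b"\x00" * 32,
        # screensaver executable with a reassuring name
        "SecureUSBTool.scr": PE_MAGIC + b"\x90" * 62,
        # PE bytes hidden behind a .pdf name
        "Quarterly_Report.pdf": PE_MAGIC + b"\x00" * 62,
        # genuinely harmless text file
        "notes.txt": b"Nothing to see here.\n",
    }
    for name, content in samples.items():
        (Path(root) / name).write_bytes(content)
    return root


if __name__ == "__main__":
    for name, reasons in sorted(triage_volume(build_sample_volume()).items()):
        print(f"{name}: {'; '.join(reasons)}")
```

Run it against the mount point of a quarantined drive (`triage_volume("/mnt/usb")`) rather than the synthetic volume. The byte checks matter more than the name checks: a double extension is only visible when Explorer is configured to show extensions, and a LNK header under a `.docx` name is exactly what the user never sees.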
4. Hypothesized Motivation & Objective
While no direct evidence confirms the actor's motive, the nature of the campaign allows for a well-supported hypothesis. If the campaign were linked to the conflict, the objectives would likely be espionage, not disruption.
- Potential for Conflict-Specific Intelligence: A state-level actor would find value in gaining insight into Thailand's military posture, troop movements, and diplomatic strategies. The timing and targeting of the campaign are consistent with such an intelligence-gathering goal.
- Possible Geopolitical Advantage: Acquiring such privileged information could allow an external state to better predict regional instability and adjust its own foreign policy.
- Targeting High-Value Entities: The focus on military and government targets is a clear indicator that the intelligence requirements, whatever they may be, are at the national security level.
5. MITRE ATT&CK Mapping
| Tactic | Technique ID | Mustang Panda Behavior in 2025 Campaign |
| --- | --- | --- |
| Initial Access | T1091 | Replication Through Removable Media: SnakeDisk USB worm propagation |
| Execution | T1204.002 | User Execution: Malicious File (execution via .LNK or executable on USB) |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell |
| Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| Defense Evasion | T1027 | Obfuscated Files and Information: obfuscated/packed binaries |
| Credential Access | T1003 | OS Credential Dumping |
| Discovery | T1082 | System Information Discovery |
| Lateral Movement | T1021.001 | Remote Services: Remote Desktop Protocol |
| Command & Control | T1071.001 | Application Layer Protocol: Web Protocols (HTTP/S) |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
6. Incident Timeline: Thailand Campaign (2025)
- Early 2025: Development of the geo-fenced SnakeDisk variant.
- Spring 2025 (April-May): Coinciding with initial border skirmishes, the USB worm campaign begins, targeting Thai government and military offices.
- Summer 2025 (July): As the kinetic conflict peaks, researchers detect widespread infections and the deployment of the Yokai backdoor.
- September 2025: C2 infrastructure is identified, and Thai authorities, in conjunction with international cybersecurity firms, begin sharing IOCs and technical details of the campaign.
7. Technical Indicators (IOCs)
Caveat before use: the two file hashes listed below are not usable indicators. e3b0c442...b855 is the SHA-256 of a zero-byte input and d41d8cd9...27e is the MD5 of a zero-byte input; both are digests of an empty file, so they identify no malware sample and will never match real telemetry. Hashes should also be given in a single algorithm (SHA-256 preferred) rather than mixing SHA-256 and MD5. The remaining indicators are reproduced as given; confirm each against the primary vendor reporting before loading it into blocklists or detection rules.
File Hashes (placeholder values, see caveat above):
- SnakeDisk USB worm (2025 variant), SHA-256:
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
- Yokai backdoor (2025 variant), MD5:
d41d8cd98f00b204e9800998ecf8427e
Malicious Filenames Observed on USB Drives:
Border_Situation_Briefing_July2025.docx.lnk (a shortcut disguised as a document by a double extension)
RTARF_Directive_Update.exe (RTARF: Royal Thai Armed Forces)
SecureUSBTool.scr
C2 Domains & IPs (defanged):
th-gov-update[.]com
secure-report[.]net
103.27.202.45
Registry Keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper (Run key persistence, T1547.001)
HKLM\System\CurrentControlSet\Services\WinUpdateSvc (service persistence, T1543.003)
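An added example, written for this report rather than taken from any vendor or from the actor's tooling, that performs the sanity check the caveat above describes on an IOC list before it is operationalized: it computes the empty-input digests itself instead of hardcoding them, classifies each hash by length, refangs domains and addresses, rejects non-routable IPs, and notes when a feed mixes hash algorithms. The values it runs against are the ones listed in this section; the function names and the result layout are the example's own.

```python
"""IOC hygiene checks for a hash/domain/IP list (added example)."""
from __future__ import annotations

import hashlib
import ipaddress
import re

HEX_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def refang(value: str) -> str:
    """Undo common defanging so the value can be matched against telemetry."""
    return value.strip().replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def placeholder_digests() -> dict[str, str]:
    """Digests of zero-byte input, computed rather than hardcoded so they stay correct."""
    return {algo: hashlib.new(algo, b"").hexdigest() for algo in HEX_ALGOS.values()}


def check_hash(value: str) -> dict:
    """Classify a hash by length and reject empty-input placeholders."""
    v = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", v) or len(v) not in HEX_ALGOS:
        return {"type": "hash", "value": value, "algorithm": None, "usable": False,
                "reason": "not a hex MD5/SHA-1/SHA-256 digest"}
    algo = HEX_ALGOS[len(v)]
    if v == placeholder_digests()[algo]:
        return {"type": "hash", "value": v, "algorithm": algo, "usable": False,
                "reason": f"{algo} of empty input (placeholder, matches nothing)"}
    return {"type": "hash", "value": v, "algorithm": algo, "usable": True, "reason": ""}


def check_network(value: str) -> dict:
    """Refang, then accept only globally routable IPs or syntactically valid hostnames."""
    v = refang(value).lower()
    try:
        ip = ipaddress.ip_address(v)
    except ValueError:
        ip = None
    if ip is not None:
        if not ip.is_global:
            return {"type": "ip", "value": v, "usable": False,
                    "reason": "not a globally routable address"}
        return {"type": "ip", "value": v, "usable": True, "reason": ""}
    if HOSTNAME_RE.match(v):
        return {"type": "domain", "value": v, "usable": True, "reason": ""}
    return {"type": "network", "value": value, "usable": False,
            "reason": "neither an IP address nor a hostname"}


def check_ioc_feed(hashes: list[str], network: list[str]) -> dict:
    """Check every entry and add feed-level notes (for example, mixed hash algorithms)."""
    hash_results = [check_hash(h) for h in hashes]
    net_results = [check_network(n) for n in network]
    algos = sorted({r["algorithm"] for r in hash_results if r["algorithm"]})
    notes = []
    if len(algos) > 1:
        notes.append("mixed hash algorithms in one feed: " + ", ".join(algos))
    return {"hashes": hash_results, "network": net_results, "notes": notes}


# The indicators as listed in this section of the report.
REPORT_HASHES = [
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "d41d8cd98f00b204e9800998ecf8427e",
]
REPORT_NETWORK = ["th-gov-update[.]com", "secure-report[.]net", "103.27.202.45"]

if __name__ == "__main__":
    result = check_ioc_feed(REPORT_HASHES, REPORT_NETWORK)
    for r in result["hashes"] + result["network"]:
        status = "OK " if r["usable"] else "BAD"
        print(f"{status} {r['type']:7} {r['value']} {r['reason']}")
    for note in result["notes"]:
        print("NOTE", note)
```

Both hashes come back unusable with the empty-input reason, both domains and the IP pass the syntactic checks (which says nothing about whether they are actually malicious), and the feed-level note records the SHA-256/MD5 mix. Run the same function over any third-party feed before importing it; placeholder digests and RFC 1918 addresses in IOC lists are common enough to be worth an automated gate.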
8. Conclusion & Outlook
The 2025 Mustang Panda campaign against Thailand demonstrates a sophisticated and highly targeted operation. It is important to state clearly that there is no direct evidence that definitively links this campaign to the Thailand-Cambodia border conflict.
However, the circumstantial evidence is compelling and warrants consideration. The strong correlation in timing, the specific targeting of government and military bodies, and the unique technology (geo-fenced malware) together create a noteworthy parallel between the cyber and real-world events. While this could be a coincidence, these indicators suggest a possible connection.
This campaign, regardless of its motive, highlights the critical need for vigilance. The methods used are a powerful reminder that any significant geopolitical event may be accompanied by parallel cyber threats. Organizations, especially in the government sector, must prioritize robust defenses against removable media threats, endpoint detection, and vigilant network monitoring.
9. Resources & Further Reading