ToneDisk
ToneDisk is a USB worm associated with the China-linked Mustang Panda / HoneyMyte threat cluster and is described as part of the TONESHELL malware family. Some reporting refers to it as WispRider. The reporting cited here places ToneDisk on systems compromised in long-running cyber-espionage operations, where it appeared alongside other HoneyMyte tooling including ToneShell and PlugX. Several sources state that most affected victims were already infected with ToneDisk or PlugX before the intrusion under study, which indicates that the worm had been seeded into the victim population over earlier waves of activity and that a ToneDisk infection is a recurring precursor rather than a one-off artefact of a single campaign.
The malware is consistently described as a USB worm, that is, a tool that propagates via removable media. The content states that, as of September 2025, Mustang Panda used TONEDISK/WispRider in attacks on Thai entities, and that it uses removable devices as the distribution vector for a backdoor called Yokai. ToneDisk is also referenced as an additional payload dropped by TONESHELL. Victimology centers on government and other entities in Southeast and East Asia, especially Thailand and Myanmar, within broader Mustang Panda espionage campaigns. Because the propagation path is removable media rather than the network, infections of this kind can cross network segmentation and air gaps, and an unremediated drive can re-infect a cleaned host; this is consistent with the reports of victims already carrying older ToneDisk infections when later intrusions were investigated.
The content ties ToneDisk with high confidence to Mustang Panda, also tracked as HoneyMyte, Hive0154, Bronze President, Camaro Dragon, RedDelta, Earth Preta, Polaris, and Twill Typhoon. No standalone file hashes or other direct IoCs for ToneDisk itself are given; the sources consistently identify it as a USB worm used in conjunction with HoneyMyte operations and, in some reporting, under the alias WispRider. Hunting therefore has to rely on the propagation behaviour (execution sourced from removable media) and on the accompanying tooling rather than on ToneDisk-specific indicators.
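The sources above document only that ToneDisk is a USB worm and give no indicators, so the practical check is a behavioural one: look for process execution sourced from removable media. The script below is an added example, not code from the page or from any of the cited vendors, and it encodes no ToneDisk-specific behaviour; it applies two generic removable-media heuristics to constructed Sysmon Event ID 1 (process creation) records. The set of removable drive letters, the proxy-binary list and the sample events are all assumptions made for the example; in a real pipeline the drive letters would come from device inventory, because Sysmon does not record drive type.

```python
import re

# Constructed sample Sysmon Event ID 1 (process creation) records. These are
# not real telemetry and not ToneDisk artefacts; field names follow Sysmon.
SAMPLE_EVENTS = [
    {   # ordinary shell start: should not be flagged
        "Image": r"C:\Windows\explorer.exe",
        "CommandLine": r"C:\Windows\explorer.exe",
        "ParentImage": r"C:\Windows\System32\userinit.exe",
    },
    {   # executable launched straight from a removable drive
        "Image": r"E:\Photos\photos.exe",
        "CommandLine": r"E:\Photos\photos.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # proxy binary loading a DLL that lives on a removable drive
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r'rundll32.exe "F:\System Volume Information\update.dll",Start',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # legitimate application opening a document from USB: should not be flagged
        "Image": r"C:\Program Files\Reader\reader.exe",
        "CommandLine": r'"C:\Program Files\Reader\reader.exe" F:\report.pdf',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

# Drive letters currently backed by removable media on the host. Assumed here;
# in production this comes from device inventory, not from Sysmon.
REMOVABLE_DRIVES = {"E:", "F:"}

# Script hosts and proxy-execution binaries commonly used to run a payload that
# stays on the stick instead of being copied to disk. Generic list, not taken
# from the ToneDisk reporting.
PROXY_BINARIES = {
    "rundll32.exe", "regsvr32.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "powershell.exe", "msiexec.exe",
}

# Matches a drive-letter path start ('F:\') that is not part of a longer word.
_DRIVE_IN_TEXT = re.compile(r"(?<!\w)([A-Za-z]:)\\")


def drive_of(path):
    """Upper-cased drive prefix of a Windows path ('E:'), or '' if none."""
    m = re.match(r"([A-Za-z]:)\\", path)
    return m.group(1).upper() if m else ""


def drives_in_command_line(cmd):
    """All drive letters referenced anywhere in a command line."""
    return {m.group(1).upper() for m in _DRIVE_IN_TEXT.finditer(cmd)}


def basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events, removable_drives):
    """Return findings for events that show execution sourced from removable media."""
    findings = []
    for ev in events:
        image = ev.get("Image", "")
        cmd = ev.get("CommandLine", "")
        reasons = []
        # Rule 1: the process image itself lives on a removable drive.
        if drive_of(image) in removable_drives:
            reasons.append("image executed directly from removable drive")
        # Rule 2: a proxy binary is handed content that lives on a removable drive.
        if basename(image) in PROXY_BINARIES:
            hit = drives_in_command_line(cmd) & removable_drives
            if hit:
                reasons.append(
                    "%s loading content from removable drive %s"
                    % (basename(image), ",".join(sorted(hit)))
                )
        if reasons:
            findings.append({
                "Image": image,
                "CommandLine": cmd,
                "ParentImage": ev.get("ParentImage", ""),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS, REMOVABLE_DRIVES):
        print(f["Image"], "->", "; ".join(f["reasons"]))
```

Of the four constructed events only the second and third are flagged: a document opened from USB by an ordinary application is deliberately not treated as a finding, which keeps the rule usable on hosts where USB storage is permitted. Any hit should be triaged against the wider HoneyMyte toolset named above (ToneShell, PlugX, Yokai), since ToneDisk itself has no published indicators in these sources.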
Groups observed using it
1 distinct threat actor attributed by public researchers: Mustang Panda (HoneyMyte and the other aliases listed above).
most victims were already infected with older HoneyMyte tools like the ToneDisk USB worm or PlugX.
Techniques & procedures
1 distinct technique documented for this family, organized by ATT&CK tactic: Initial Access (1 technique). The sources do not name the technique; for a removable-media worm the matching ATT&CK entry is T1091, Replication Through Removable Media, which ATT&CK lists under both Initial Access and Lateral Movement, so the same behaviour should also be expected to show up as intra-network spread once a first host is infected.
Recent activity
9 sources tracked across advisories, community write-ups, and news. The one-line summaries below are drawn from them.
USB-propagating worm referenced as an additional payload dropped in the described campaigns; specific behavior beyond being a USB worm is not detailed.
A USB-propagated worm used in targeted attacks by APT groups.
A USB worm associated with Chinese APT operations, used for spreading malware and maintaining persistence in targeted environments.
A USB-propagating worm mentioned as an associated tool present on compromised hosts in the same intrusion set.