Thursday, April 17, 2025
Homecyber securityBeware that Hackers Using Malicious USB Devices to Deliver Multiple Malware

Beware that Hackers Using Malicious USB Devices to Deliver Multiple Malware

Published on

SIEM as a Service

Follow Us on Google News

Recently, Mandiant Managed Defense discovered cyber espionage activity that focuses on the Philippines and mainly uses USB drives as an initial infection vector. This operation, which Mandiant tracks as ‘UNC4191’, has a connection to China.

The report states that operations of UNC4191 have had an impact on a variety of public and private sector organizations, primarily in Southeast Asia and extending to the U.S., Europe, and APJ, but mainly focuses on the Philippines.

Malicious USB Devices to Deliver Multiple Malware

After becoming infected initially through USB devices, the threat actor used legally signed binaries to side-load malware, including three new families of viruses called MISTCLOAK, DARKDEW, and BLUEHAZE.

- Advertisement - Google News

“Successful compromise led to the deployment of a renamed NCAT binary and execution of a reverse shell on the victim’s system, providing backdoor access to the threat actor”, reports Mandiant Managed Defense

Notably, the malware spreads itself by infecting new removable drives connected to a compromised system, enabling the malicious payloads to spread to adjacent systems and potentially gather data from air-gapped systems.

UNC4191 Malware Families

Mandiant identified UNC4191 deploy the following malware families: ‘MISTCLOAK’ is a launcher written in C++ that executes an encrypted executable payload stored in a file on disk.

‘BLUEHAZE’ is a launcher written in C/C++ that launches a copy of NCAT to create a reverse shell to a hardcoded command and control (C2).

‘NCAT’ is a command-line networking utility used for legitimate purposes; threat actors may also use it to upload or download files, create backdoors or reverse shells, and tunnel traffic to evade network controls.

Malware Infection Cycle

Final Word

This operation indicates Chinese attempts to gain and keep access to both public and private enterprises with the aim of gathering information relevant to China’s political and economic objectives.

Based on the findings and the number of compromised systems indicated by Mandiant, the primary target of this operation is the Philippines.

Secure Web Gateway – Web Filter Rules, Activity Tracking & Malware Protection – Download Free E-Book

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Ransomware Attacks Surge 126%, Targeting Consumer Goods and Services Sector

The cybersecurity landscape witnessed a dramatic escalation in ransomware attacks, marking a concerning trend...

CrazyHunter Hacker Group Exploits Open-Source GitHub Tools to Target Organizations

A relatively new ransomware outfit known as CrazyHunter has emerged as a significant threat,...

Threat Actors Leverage Cascading Shadows Attack Chain to Evade Detection and Hinder Analysis

A sophisticated multi-layered phishing campaign was uncovered, employing a complex attack chain known as...

Microsoft Vulnerabilities Reach Record High with Over 1,300 Reported in 2024

The 12th Edition of the Microsoft Vulnerabilities Report has revealed a significant surge in...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Ransomware Attacks Surge 126%, Targeting Consumer Goods and Services Sector

The cybersecurity landscape witnessed a dramatic escalation in ransomware attacks, marking a concerning trend...

CrazyHunter Hacker Group Exploits Open-Source GitHub Tools to Target Organizations

A relatively new ransomware outfit known as CrazyHunter has emerged as a significant threat,...

Threat Actors Leverage Cascading Shadows Attack Chain to Evade Detection and Hinder Analysis

A sophisticated multi-layered phishing campaign was uncovered, employing a complex attack chain known as...