Categories: cyber securityMalware

Beware that Hackers Using Malicious USB Devices to Deliver Multiple Malware

Hackers Using Malicious USB DevicesHackers Using Malicious USB Devices

Recently, Mandiant Managed Defense discovered cyber espionage activity that focuses on the Philippines and mainly uses USB drives as an initial infection vector. This operation, which Mandiant tracks as ‘UNC4191’, has a connection to China.

The report states that operations of UNC4191 have had an impact on a variety of public and private sector organizations, primarily in Southeast Asia and extending to the U.S., Europe, and APJ, but mainly focuses on the Philippines.

Malicious USB Devices to Deliver Multiple Malware

After becoming infected initially through USB devices, the threat actor used legally signed binaries to side-load malware, including three new families of viruses called MISTCLOAK, DARKDEW, and BLUEHAZE.

“Successful compromise led to the deployment of a renamed NCAT binary and execution of a reverse shell on the victim’s system, providing backdoor access to the threat actor”, reports Mandiant Managed Defense

Notably, the malware spreads itself by infecting new removable drives connected to a compromised system, enabling the malicious payloads to spread to adjacent systems and potentially gather data from air-gapped systems.

UNC4191 Malware Families

Mandiant identified UNC4191 deploy the following malware families: ‘MISTCLOAK’ is a launcher written in C++ that executes an encrypted executable payload stored in a file on disk.

‘BLUEHAZE’ is a launcher written in C/C++ that launches a copy of NCAT to create a reverse shell to a hardcoded command and control (C2).

‘NCAT’ is a command-line networking utility used for legitimate purposes; threat actors may also use it to upload or download files, create backdoors or reverse shells, and tunnel traffic to evade network controls.

Malware Infection Cycle

Final Word

This operation indicates Chinese attempts to gain and keep access to both public and private enterprises with the aim of gathering information relevant to China’s political and economic objectives.

Based on the findings and the number of compromised systems indicated by Mandiant, the primary target of this operation is the Philippines.

Secure Web Gateway – Web Filter Rules, Activity Tracking & Malware Protection – Download Free E-Book

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Leave a Comment
Share
Published by
Gurubaran
Tags: Cyber AttackMalwareUSB Devices
2 years ago

Recent Posts

SOC Alert Fatigue Hits Peak Levels As Teams Battle Notification Overload

Security Operations Centers (SOCs) are facing a mounting crisis: alert fatigue. As cyber threats multiply…

16 minutes ago

Chinese UNC5174 Group Expands Arsenal with New Open Source Tool and C2 Infrastructure

The Sysdig Threat Research Team (TRT) has revealed a significant evolution in the offensive capabilities…

17 minutes ago

“Living-off-the-Land Techniques” How Malware Families Evade Detection

Living-off-the-Land (LOTL) attacks have become a cornerstone of modern cyber threats, allowing malware to evade…

21 minutes ago

Malicious Macros Return in Sophisticated Phishing Campaigns

The cybersecurity landscape of 2025 is witnessing a troubling resurgence of malicious macros in phishing…

29 minutes ago

Hackers Exploit Node.js to Spread Malware and Exfiltrate Data

Threat actors are increasingly targeting Node.js—a staple tool for modern web developers—to launch sophisticated malware…

1 hour ago

Oracle Issues Patch for 378 Vulnerabilities in Major Security Rollout

Oracle Corporation has released a sweeping Critical Patch Update (CPU) for April 2025, addressing a…

1 hour ago