According to a recent post by the cybersecurity firm Mandiant, USB drives are being used to hack targets in Southeast Asia. The threat actor behind this activity, referred to as UNC4191 is targeting public and private entities in Southeast Asia, Asia-Pacific, Europe, and the US, with a focus on the Philippines. 

This new campaign began as far back as September 2021, according to Mandiant’s report. The researchers assess that this operation is being conducted as a cyberespionage operation related to China’s political and commercial interests. 

Google-owned Mandiant states that their observations suggest the Philippines is the main target of this operation, due to the number of affected systems located in the country. They also added that, even when the targeted organizations were based in other locations, the specific systems targeted were found to be physically located in the Philippines.

After the initial infection via Universal Serial Bus drives, the hackers then deployed legitimately-signed binaries while side-loading malware. The malware families used in the cyberespionage have been identified by Mandiant as Mistcloak Launcher, Darkdew Dropper, and Bluehaze Launcher.

Mandiant splits the overall infection cycle from the UNC4191 campaign into three distinct phases. 

Mistcloak is the first malware to be side-loaded because the execution of a version of the USB Network Gate application is triggered as soon as an infected USB is plugged into the machine. 

This piece of malware loads an INI file containing Darkdew, which is designed to achieve persistence and infect USB drives when they are connected to the system. 

Bluehaze, which is executed at the third phase of the infection chain, was designed to execute a renamed NCAT executable, which creates a reverse shell to a hardcoded command-and-control (C&C) server.

Chinese Cyberspies Conduct Espionage Using USB Devices That Spread Malware
UNC4191 malware infection cycle (Image: Mandiant)

In their blog post, Mandiant researchers noted that these viruses are known to provide a reverse shell on the victim’s system, giving the UNC4191 hackers backdoor access. The malware then self-replicates by infecting any new removable devices plugged into the compromised systems. Due to this, the malware is even able to spread through air-gapped systems.

“Mandiant has not observed evidence of reverse shell interaction; however, based on the age of the activity, this may be a result of visibility gaps or short log retention periods.”


  1. Schneider Electric Shipped USB Drives Loaded with Malware
  2. VictoryGate cryptominer infected 35,000 devices via USB drives
  3. New malware tool can steal files from airgapped PCs using USBs
  4. Hackers sending malware infected USBs with Best Buy Gift Cards
  5. China’s insidious surveillance against Uyghurs with Android malware


Source link