For many security professionals, the phrase "USB worm" (malware that spreads by copying itself onto removable drives and infecting each system those drives are later plugged into) sounds like a relic from another era. The early 2000s were filled with stories of malware spreading through removable media, infecting corporate networks and government systems one flash drive at a time. Yet a newly disclosed cyberespionage campaign targeting a Southeast Asian government organization proves that the USB attack vector remains very much alive in 2026.
Researchers from Unit 42 uncovered a sophisticated operation that ran between June and August 2025. Three China-aligned threat groups worked simultaneously inside the same government environment, each deploying its own collection of malware, remote access tools, and information stealers. Despite using different techniques and infrastructure, all three shared a common objective: maintaining long-term access to sensitive government systems.
Among the various tools used in the operation, one component stands out to anyone familiar with removable media security. The threat actor known as Stately Taurus deployed a USB-propagated worm called USBFect, also identified as HIUPAN. Its job was simple and highly effective: copy itself onto connected removable drives and wait for those drives to be connected to another system.
This method may seem unsophisticated compared to modern ransomware or AI-powered attacks, but that simplicity is exactly why it continues to work. Organizations frequently restrict internet connectivity, block email attachments, and deploy advanced endpoint security tools. Yet many still rely on USB devices to move files between systems, departments, or secure environments. As long as removable media remains part of normal business operations, it remains a viable attack path.
For readers interested in the evolution of write-protection technologies, we previously reviewed how a USB flash drive can be designed so it cannot get a virus. That discussion becomes especially relevant when examining malware designed specifically to replicate through removable media.
According to the report, USBFect continuously monitors a system for newly connected removable drives. Once one is detected, the malware copies its components onto the device so the infection can travel to the next computer. The worm hides within directories designed to resemble legitimate Windows and Intel system folders, so a casual inspection is unlikely to reveal anything suspicious.
The campaign did not stop with simple propagation. Once access was established, additional malware components delivered remote access capabilities, keylogging functions, clipboard monitoring, file collection, and data exfiltration tools. One information stealer known as TrackBak disguised itself as a Microsoft Edge log file while quietly collecting user activity and sensitive information from compromised systems.
What makes this campaign particularly notable is that three separate threat clusters were observed operating simultaneously against the same target organization. Researchers identified links to previously known espionage groups including Earth Estries, Crimson Palace, and Unfading Sea Haze. While the exact level of coordination remains unclear, the overlap suggests a highly organized intelligence-gathering effort focused on a single government victim.
The report also serves as a reminder that USB devices themselves are not the vulnerability. Rather, the vulnerability lies in the ability of malware to use removable storage as a transportation mechanism between systems. The USB drive is simply the vehicle. Once malware gains the ability to write itself onto a device, that device can become an unwitting carrier for the next infection.
This distinction is important because many discussions about USB security focus on banning removable media altogether. In reality, many government agencies, healthcare providers, manufacturing facilities, and industrial operators continue to depend on USB storage for legitimate business functions. Eliminating USB is often impractical. Managing how USB devices are used is usually the more realistic approach.
The researchers recommend disabling AutoRun (the Windows feature that automatically executes a program specified on removable media when it is connected), enforcing stricter USB policies, and monitoring for suspicious DLL activity and in-memory execution techniques. These remain sound recommendations. However, the broader lesson may be even simpler: attackers continue to succeed with methods that have existed for decades because the underlying conditions that make those attacks possible still exist.
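To make the recommendations above concrete, here is an added PowerShell example for a single Windows host. It is our own illustration, not code from Unit 42 or from the USBFect report, and it covers both the propagation behaviour described earlier (the worm copying itself into lookalike system folders on removable drives) and the hardening advice in this paragraph. The registry paths are the machine-wide policy keys that Group Policy itself writes; the lookalike-folder regex is an assumption drawn from the report's description and should be tuned to your environment.

```powershell
# Added example for this article (GetUSB.info editorial code, not from Unit 42 or the
# USBFect report). Run in an elevated PowerShell session on a Windows host.
# Assumption: the $lookalike regex below is our own heuristic, built from the report's
# wording "folders resembling legitimate Windows and Intel system folders".

# Machine-wide policy keys; these are the same values Group Policy writes.
$ExplorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
# Removable Storage Access policy key for the "Removable Disks" device class.
$RemovableDisks = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Disable-AutoRun {
    # NoDriveTypeAutoRun=0xFF disables AutoRun for every drive type;
    # NoAutorun=1 stops Explorer from honoring autorun.inf commands at all.
    New-Item -Path $ExplorerPolicy -Force | Out-Null
    Set-ItemProperty -Path $ExplorerPolicy -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
    Set-ItemProperty -Path $ExplorerPolicy -Name 'NoAutorun' -Value 1 -Type DWord
}

function Set-RemovableDiskWriteDeny {
    param([bool]$Deny = $true)
    # Deny_Write=1 is "Removable Disks: Deny write access". Reads still succeed, so staff
    # can copy files off a drive, but a worm on this host cannot copy itself onto it.
    New-Item -Path $RemovableDisks -Force | Out-Null
    Set-ItemProperty -Path $RemovableDisks -Name 'Deny_Write' -Value ([int]$Deny) -Type DWord
}

function Get-RemovableMediaPolicy {
    # Read the three settings back so an audit script can confirm the host's state.
    $exp = Get-ItemProperty -Path $ExplorerPolicy -ErrorAction SilentlyContinue
    $rem = Get-ItemProperty -Path $RemovableDisks -ErrorAction SilentlyContinue
    [pscustomobject]@{
        NoDriveTypeAutoRun = $exp.NoDriveTypeAutoRun
        NoAutorun          = $exp.NoAutorun
        DenyWrite          = $rem.Deny_Write
    }
}

function Find-LookalikeFoldersOnRemovableDrives {
    # Heuristic: a removable drive has no legitimate reason to carry a top-level folder
    # named after a Windows or Intel system directory, let alone one holding .exe/.dll
    # files. "System Volume Information" is deliberately not matched; Windows creates it.
    $lookalike = '^(windows|intel|system32|microsoft|winnt)'   # assumption, tune per estate
    # DriveType 2 = removable disk in Win32_LogicalDisk.
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
        $root = "$($_.DeviceID)\"
        Get-ChildItem -Path $root -Directory -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match $lookalike } |
            ForEach-Object {
                $bin = @(Get-ChildItem -Path $_.FullName -Recurse -File -Force `
                            -Include *.exe,*.dll -ErrorAction SilentlyContinue)
                [pscustomobject]@{
                    Drive    = $root
                    Folder   = $_.FullName
                    Hidden   = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                    Binaries = $bin.Count
                }
            }
    }
}

# Harden this host, confirm the settings, then sweep whatever is plugged in right now.
Disable-AutoRun
Set-RemovableDiskWriteDeny -Deny $true
Get-RemovableMediaPolicy | Format-List
Find-LookalikeFoldersOnRemovableDrives | Format-Table -AutoSize
```

Two practical notes. Windows 7 and later already ignore autorun.inf on anything but optical media, so disabling AutoRun closes an old door but does not by itself stop a worm that waits for a user to open a hidden lookalike folder; the Deny_Write policy is the control that actually prevents a compromised host from seeding the next drive, and at scale it should be pushed through Group Policy or your MDM rather than edited locally. The folder sweep is a point-in-time check of drives currently attached; it reports hidden attributes and binary counts so an analyst can triage, it does not delete anything, and it will produce false positives on drives that legitimately carry vendor tooling.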
Twenty years after the first major USB worms captured headlines, the formula remains remarkably unchanged. Find a writable USB device, copy the payload, and wait for the next connection. The technology has evolved, the malware has become more sophisticated, but the attack path remains the same.
For organizations that continue to rely on removable media, this latest campaign is a reminder that controlling what can be written to a USB device may be just as important as controlling what can be read from it.
Source: Cyber Security News / Unit 42
Reddit discussion about USB security
Editorial & Technical Review Policy
This article was researched and written by the GetUSB.info editorial team based on publicly available reporting from cybersecurity researchers and industry sources. GetUSB.info has covered USB technology, removable media, flash storage, and USB security developments since 2004. Our analysis focuses on the technical mechanisms involved in USB-based attacks, storage devices, and data transport technologies.
Where possible, original research sources and security reports are reviewed to verify technical claims before publication. Readers should understand that cybersecurity investigations may evolve as additional information becomes available. Organizations should consult qualified security professionals when evaluating USB security policies, malware mitigation strategies, or data protection requirements.
GetUSB.info maintains editorial independence and strives to provide factual reporting, technical context, and educational analysis for IT professionals, engineers, and technology enthusiasts.