A new cyberespionage campaign wherein USB devices were used to drop three new malware, has come to the notice of researchers. The campaign is the work of a China-based threat actor tracked as UNC4191.

What happened?

Discovered by researchers from Mandiant Managed Defense, the espionage campaign launched by UNC4191 primarily concentrates on targets in the Philippines. 
  • The threat actor is known for targeting a wide range of public and private sector entities in Southeast Asia, the U.S., Europe, and Asia-Pacific. 
  • Following the initial access on systems via USB devices, the threat actor leverages signed binaries to drop three malware named MISTCLOAK, DARKDEW, and BLUEHAZE.
  • Researchers believe that the ultimate goal of the campaign is to gain and maintain access to targeted systems and collect intelligence related to China’s political and commercial interests.

About the new malware

The overall infection chain process is split into three phases, in which MISTCLOAK is delivered in the first phase, DARKDEW in the second phase, and BLUEHAZE in the third phase. 
  • MISTCLOAK is a launcher written in C++ and is capable of executing payloads stored in a file on disk.
  • BLUEHAZE is written in C/C++ and launched a copy of NCAT to create a reverse shell to a hardcoded C2. 
  • DARKDEW is a malware dropper written in C++ that is capable of infecting removable drives. 
  • Based on the observations such as PE compile timestamps for the malware, researchers conclude that the campaign extends back to September 2021.

USB-borne malware remains a real threat 

The threat of USB-borne malware against organizations continues to be a serious concern. 
  • Earlier this year, the FBI warned that cybercriminals were sending malicious USB devices to American companies via the U.S. Postal Service with the aim of getting victims to plug in and unwittingly install ransomware on systems. 
  • Moreover, a report from Honeywell highlighted that 81% of the malware attacks launched against industrial facilities last year were distributed via USB drives.


USB-borne malware attacks can bypass the air-gapped security that organizations often use for protection.  To stay protected, enterprises are recommended to establish a clear USB security policy and improve the security of digital content, files, and documents. By applying security patches and protecting the endpoints, organizations can thwart these attacks at an early stage.
Cyware Publisher