{
	"id": "8b849bd4-6f58-4439-89ef-88031cc346b0",
	"created_at": "2026-04-06T00:06:25.62325Z",
	"updated_at": "2026-04-10T03:36:13.735713Z",
	"deleted_at": null,
	"sha1_hash": "1ebe9d9ecc5e66f264d96eb98d4d7fbc35b4b820",
	"title": "Tick Group Weaponized Secure USB Drives to Target Air-Gapped Critical Systems",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1024983,
	"plain_text": "Tick Group Weaponized Secure USB Drives to Target Air-Gapped\r\nCritical Systems\r\nBy Kaoru Hayashi, Mike Harbison\r\nPublished: 2018-06-22 · Archived: 2026-04-05 15:50:45 UTC\r\nSummary\r\nTick is a cyberespionage group primarily targeting organizations in Japan and the Republic of Korea. The group is\r\nknown to conduct attack campaigns with various custom malware such as Minzen, Datper, Nioupale (aka Daserf),\r\nand HomamDownloader. Unit 42 last wrote about the Tick group in July 2017.\r\nRecently, Palo Alto Networks Unit 42 discovered the Tick group targeted a specific type of secure USB drive\r\ncreated by a South Korean defense company. The USB drive and its management system have various features to\r\nfollow security guidelines in South Korea.\r\nThe weaponization of a secure USB drive is an uncommon attack technique and likely done in an effort to spread\r\nto air-gapped systems, which are systems that do not connect to the public internet. In addition, our research\r\nshows that the malware used in these attacks will only try to infect systems running Microsoft Windows XP or\r\nWindows Server 2003. This is despite the fact that the malware appears to have been created when newer versions\r\nof Windows software were available. This would seem to indicate an intentional targeting of older, out-of-support\r\nversions of Microsoft Windows installed on systems with no internet connectivity. Air-gapped systems are\r\ncommon practice in many countries for government, military, and defense contractors, as well as other industry\r\nverticals.\r\nWe have not identified any public reporting on this attack, and we suspect the Tick group used the malware\r\ndescribed in this report in attacks multiple years ago. Based on the data collected, we do not believe this malware\r\nis part of any active threat campaign.\r\nOur picture of this past attack is incomplete at this time. 
Based on our research thus far, we are able to sketch out\r\nthe following hypothesized attack scenario:\r\n1. The Tick Group somehow compromised a secure type of USB drive and loaded a malicious file onto an\r\nunknown number of them. These USB drives are supposed to be certified as secure by the South Korean\r\nITSCC (English).\r\n2. The Tick Group created a specific malware we are calling SymonLoader that somehow gets on older\r\nWindows systems and continuously looks for these specific USB drives.\r\n3. SymonLoader specifically targets Windows XP and Windows Server 2003 systems ONLY.\r\n4. If SymonLoader detects the presence of a specific type of secure USB drive, it will attempt to load the\r\nunknown malicious file using APIs that directly access the file system.\r\nhttps://unit42.paloaltonetworks.com/unit42-tick-group-weaponized-secure-usb-drives-target-air-gapped-critical-systems/\r\nPage 1 of 8\n\nIn the research below, we outline our findings around SymonLoader. We do not currently have either a\r\ncompromised USB drive or the unknown malicious file we believe is implanted on these devices. Because of this,\r\nwe are unable to describe the full attack sequence.\r\nBecause we do not have either a compromised USB drive or the unknown malicious file, we are also unable to\r\ndetermine how these USB drives have been compromised. 
Specifically, we do not know if there has been a\r\nsuccessful compromise in the supply chain that manufactures these devices, or if these have been compromised post-manufacturing and distributed using other means such as social engineering.\r\nTick and Trojanized Legitimate Software\r\nUnit 42 hasn’t identified the initial delivery method; the overview of the infection process is shown below in\r\nFigure 1.\r\nFigure 1 Infection process\r\nFirst, the attacker tricks users with a Trojanized version of legitimate software to install the loader program, which\r\nis a new tool to Tick we’ve named “SymonLoader”.\r\nWhen executed, the loader starts monitoring storage device changes on a compromised machine. If SymonLoader\r\ndetects the targeted type of secure USB drive, it attempts to access the storage through the device driver\r\ncorresponding to the secure USB and checks for strings specific to one type of secure USB in the drive\r\ninformation fields. Then, it accesses a predefined location of the storage on the USB and extracts an unknown PE\r\nfile.\r\nAs we described in a previous blog last July, the Tick group Trojanized a legitimate program and embedded\r\nmalware called HomamDownloader. The attackers then sent the Trojanized legitimate applications as attachments\r\nto spear phishing email targets. When executed, the Trojanized legitimate application drops HomamDownloader\r\nand installs the legitimate program. Recipients may not be aware of the malware as the legitimate application\r\nworks as expected.\r\nIn our research into these latest attacks, we found additional legitimate Trojanized Korean language software since\r\npublishing our blog last year (Table 1). Similar to the previous samples we examined in July 2017, these newly\r\nTrojanized legitimate programs also drop HomamDownloader. 
As we also saw in our July 2017 research,\r\nHomamDownloader can install other malicious files from the remote C2 server; in this case,\r\npre.englandprevail[.]com.\r\nTrojanized Legitimate Software | SHA256\r\nMovie Player installer | b1bb1d5f178b064eb1d7c9cc7cadcf8b3959a940c14cee457ce3aba5795660aa\r\nIndustrial battery monitoring software | 3227d1e39fc3bc842245ccdb16eeaadad3bcd298e811573b2e68ef2a7077f6f6\r\nStorage encryption software | 92e0d0346774127024c672cc7239dd269824a79e85b84c532128fd9663a0ce78\r\nFile encryption software | 33665d93ab2a0262551c61ec9a3adca2c2b8dfea34e6f3f723274d88890f6ceb\r\nTable 1 Trojanized Korean programs\r\nDuring our investigation, we found an interesting sample on January 21, 2018 (Table 2). Similar to the samples\r\nlisted above, this sample is a Trojanized version of a legitimate program and drops malware. In this case, the\r\nTrojanized application is a Japanese language GO game. Instead of installing HomamDownloader like we\r\nobserved in July 2017, this Trojanized program installs a new loader we’ve named SymonLoader.\r\nSymonLoader extracts a hidden executable file from a specific type of secure USB drive and executes it on the\r\ncompromised system. Unfortunately, we do not have a copy of this file.\r\nTrojanized Legitimate Software | SHA256\r\nGO Game | 8549dcbdfc6885e0e7a1521da61352ef4f084d969dd30719166b47fdb204828a\r\nTable 2 Trojanized Japanese language program\r\nDespite the differences from previous samples, we believe this sample is related to the Tick group because the\r\nshellcode in the Trojanized Japanese game is exactly the same as that found in the Trojanized Korean programs\r\ndescribed earlier. Also, SymonLoader shares code with HomamDownloader (Figure 2). The Tick group is known\r\nto develop and consistently update custom tools. 
As such, code reuse like this is consistent with their development\r\npractices.\r\nFigure 2 Sharing code between SymonLoader and HomamDownloader\r\nSecure USB\r\nSymonLoader first checks the operating system version of the target host and if it is newer than Windows XP or\r\nWindows Server 2003, it stops working. According to the timedate stamp in the PE header, the malware was\r\ncreated on 26 September 2012. Both Windows 7 and Windows Server 2008 were already released by then, if the\r\ntimedate value has not been modified.\r\nAfter checking the OS version, SymonLoader creates a hidden window named “device monitor” that starts\r\nmonitoring storage device changes on the compromised system. When a removable drive is connected, the\r\nmalware checks the drive letter and drive type. If the drive letter is not A or B, and the drive type is not a CD-ROM,\r\nthe malware calls the CreateFile API and gets a handle to the storage device. By excluding drives A and B (typically\r\nused for floppy drives) and CD-ROM drive types, it appears likely that the malware is targeting removable USB\r\ndrives.\r\nNext, the malware calls the DeviceIoControl() function with an undocumented custom control code, 0xE2000010\r\n(Figure 3). The control code consists of four different fields: DeviceType, Function, Access, and Method.\r\nIn this case, the DeviceType value is 0xE200, computed as: (0xE2000010 \u0026 0xffff0000) \u003e\u003e 0x10. According to\r\nMicrosoft, this specific DeviceType value falls in the range reserved for third-party vendors. To function properly, the\r\nthird-party driver needs to be present on the compromised system before the malware calls DeviceIoControl()\r\nwith the custom control code 0xE2000010. But which third-party driver? 
There is a clue in the next function.\r\nFigure 3 DeviceIoControl with custom IoControlCode\r\nSymonLoader gets device information by issuing a SCSI INQUIRY command using the IOCTL_SCSI_PASS_THROUGH\r\ncontrol code and determines if it is the targeted drive by searching for a specific string in the Vendor or Product\r\nidentification fields of the INQUIRY data. Our research into the string used in these searches showed a company in the\r\nSouth Korean defense industry whose name matched the string. This company develops information and\r\ncommunication security equipment used by military, police, government agencies and public institutions. In a\r\npress release, this company announced that they make secure USB storage devices that are certified to meet security\r\nrequirements set out by South Korea’s IT Security Certification Center (ITSCC (English)). In South Korea, certain\r\norganizations are required to follow the “USB storage medium guideline” and use only devices that have passed an\r\naudit by the government agency. For example, the guideline of the Ministry of Unification of South Korea defines\r\nthe USB memory and management system introduction procedure at section 4, item 1 (Figure 4).\r\nFigure 4 USB memory introduction procedure\r\nGoogle translation from Korean to English follows.\r\n“According to ‘Guidelines for Security Management of Auxiliary Storage Media such as USB Memory’, the\r\nheadquarters security officer shall request the National Intelligence Service to verify the security compliance to\r\nintroduce USB memory.”\r\nWe found the third-party device driver in question in the installer of the secure USB drive in a public sample\r\nrepository, and confirmed it supports the custom control code, 0xE2000010. The driver provides some functions to\r\napplications, including access to the corresponding secure USB volumes. 
We feel this evidence shows that the\r\nmalware attempts to work only on the secure USB product made by this particular company.\r\nLoading Hidden Module\r\nIf SymonLoader finds it is on a Windows XP or Windows Server 2003 system and finds that a newly attached\r\ndevice is a USB drive made by this particular company, then it will extract an unknown executable file from the\r\nUSB. While we do not have this file, we can glean information about it by analyzing SymonLoader and the third-party driver. The attacker encrypted the unknown executable file and concealed it at the end of the secure\r\nUSB storage in advance. The hidden data is not accessible through logical file operation APIs, such as ReadFile().\r\nInstead, SymonLoader uses Logical Block Addressing (LBA) and SCSI commands to read the data physically\r\nfrom the particular expected location on the removable drive.\r\nLBA is a simple linear addressing scheme. Storage is divided into blocks of a fixed size, and each block is\r\nnumbered from zero to N-1, depending on the volume size. Applications can specify the block number and\r\naccess the data by SCSI commands.\r\nFinally, SymonLoader saves the extracted file in the temporary directory on the local disk and executes it. The\r\nprocedure is as follows:\r\n1. Obtains the final Logical Block Address (LBA) of the storage, “N-1”, by using the READ CAPACITY (10)\r\ncommand.\r\n2. Reads the third-to-last block, “N-3”, by the READ (10) command and decrypts it.\r\n3. From the decrypted data, gets the LBA “X” where the main module is located.\r\n4. Loads data from LBA “X” to “N-4” by the READ (10) command and decrypts it.\r\n5. Saves the decrypted file as %Temp%\\[random characters].tmp and executes it.\r\n6. 
Writes the hostname and local time of the compromised system at LBA “N-2” by the SAVE (10) command.\r\nFigure 5 shows the data layout of the malicious storage from the perspective of Logical Block Addressing.\r\nFigure 5 Data layout on the malicious storage\r\nConclusion\r\nThe Tick group uses Trojanized legitimate applications to trick victims into installing first stage malware, mostly\r\nHomamDownloader. In this research, we identified a previously unknown loader malware being dropped instead\r\nof HomamDownloader, which was most likely used in attacks multiple years ago. In contrast to HomamDownloader,\r\nwhich requires an Internet connection to reach its C2 server to download additional payloads, SymonLoader\r\nattempts to extract and install an unknown hidden payload from a specific type of secure USB drive when it’s\r\nplugged into a compromised system. This technique is uncommon and rarely reported among other attacks in the\r\nwild.\r\nWhile we do not have a copy of the file hidden on the secure USB, we have more than enough information to\r\ndetermine it is more than likely malicious. Weaponizing a secure USB drive is an uncommon technique and likely\r\ndone in an effort to compromise air-gapped systems, which are systems that do not connect to the public internet.\r\nSome industries or organizations are known for introducing air gapping for security reasons. In addition, outdated\r\nversions of operating systems are often used in those environments because there is no easy way to update them without\r\ninternet connectivity. When users are not able to connect to external servers, they tend to rely on physical storage\r\ndevices, particularly USB drives, for data exchange. 
The SymonLoader and secure USB drive discussed in this\r\nblog may fit this circumstance.\r\nPalo Alto Networks customers are protected from these threats in the following ways:\r\n1. All samples discussed are classified as malicious by the WildFire sandbox platform.\r\n2. All identified domains have been classified as malicious.\r\n3. AutoFocus users can track the malware described in this report using the Tick campaign tag and the SymonLoader\r\nand HomamDownloader malware tags.\r\n4. Customers running Traps are protected from the discussed threats.\r\nIoCs\r\nSymonLoader\r\nTrojanized Legitimate Software SHA256\r\n8549dcbdfc6885e0e7a1521da61352ef4f084d969dd30719166b47fdb204828a\r\nSymonLoader SHA256\r\n31aea8630d5d2fcbb37a8e72fe4e096d0f2d8f05e03234645c69d7e8b59bb0e8\r\nMutex\r\nSysMonitor_3A2DCB47\r\nFile Path\r\n%ProgramFiles%\\Windows NT\\Accessories\\Microsoft\\msxml.exe\r\n%UserProfile%\\Applications\\Microsoft\\msxml.exe\r\nRegistry Entry\r\nHKLM\\Software\\Microsof\\Windows\\CurrentVersion\\run\\”xml” = %ProgramFiles%\\Windows NT\\Accessories\\Microsoft\\msxml.exe\r\nHKCU\\Software\\Microsof\\Windows\\CurrentVersion\\run\\”xml” =\r\n%UserProfile%\\Applications\\Microsoft\\msxml.exe\r\nHomamDownloader\r\nTrojanized Legitimate Software SHA256\r\nb1bb1d5f178b064eb1d7c9cc7cadcf8b3959a940c14cee457ce3aba5795660aa\r\n3227d1e39fc3bc842245ccdb16eeaadad3bcd298e811573b2e68ef2a7077f6f6\r\n92e0d0346774127024c672cc7239dd269824a79e85b84c532128fd9663a0ce78\r\n33665d93ab2a0262551c61ec9a3adca2c2b8dfea34e6f3f723274d88890f6ceb\r\nHomamDownloader SHA256\r\n019874898284935719dc74a6699fb822e20cdb8e3a96a7dc8ec4f625e3f1116e\r\nee8d025c6fea5d9177e161dbcedb98e871baceae33b7a4a12e9f73ab62bb0e38\r\nf817c9826089b49d251b8a09a0e9bf9b4b468c6e2586af60e50afe48602f0bec\r\nC2 of HomamDownloader\r\npre.englandprevail[.]com\r\nSource: 
https://unit42.paloaltonetworks.com/unit42-tick-group-weaponized-secure-usb-drives-target-air-gapped-critical-systems/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/unit42-tick-group-weaponized-secure-usb-drives-target-air-gapped-critical-systems/"
	],
	"report_names": [
		"unit42-tick-group-weaponized-secure-usb-drives-target-air-gapped-critical-systems"
	],
	"threat_actors": [
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433985,
	"ts_updated_at": 1775792173,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1ebe9d9ecc5e66f264d96eb98d4d7fbc35b4b820.pdf",
		"text": "https://archive.orkl.eu/1ebe9d9ecc5e66f264d96eb98d4d7fbc35b4b820.txt",
		"img": "https://archive.orkl.eu/1ebe9d9ecc5e66f264d96eb98d4d7fbc35b4b820.jpg"
	}
}