{ "id": "0cc8ac3b-d6e7-43b2-a313-fc24fec03466", "created_at": "2026-04-06T01:29:12.175564Z", "updated_at": "2026-04-10T03:35:52.925535Z", "deleted_at": null, "sha1_hash": "2f159048db296cab9486e7a29595398e82453fb0", "title": "FBI: Hackers Sending Malicious USB Drives \u0026 Teddy Bears via USPS", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 3042093, "plain_text": "FBI: Hackers Sending Malicious USB Drives \u0026 Teddy Bears via USPS\r\nBy Ionut Ilascu\r\nPublished: 2020-03-27 · Archived: 2026-04-06 00:55:06 UTC\r\nHackers from the FIN7 cybercriminal group have been targeting various businesses with malicious USB devices acting as a\r\nkeyboard when plugged into a computer. Injected commands download and execute a JavaScript backdoor associated with\r\nthis actor.\r\nIn a FLASH alert on Thursday, the FBI warns organizations and security professionals about this tactic adopted by FIN7 to\r\ndeliver GRIFFON malware.\r\nThe attack is a variation of the “lost USB” ruse that penetration testers have used for years in their assessments quite\r\nsuccessfully and one incident was analyzed by researchers at Trustwave.\r\nhttps://www.bleepingcomputer.com/news/security/fbi-hackers-sending-malicious-usb-drives-and-teddy-bears-via-usps/\r\nPage 1 of 6\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/fbi-hackers-sending-malicious-usb-drives-and-teddy-bears-via-usps/\r\nPage 2 of 6\n\nVisit Advertiser websiteGO TO PAGE\r\nOne client of the cybersecurity company received a package, allegedly from Best Buy, with a loyalty reward in the form of a\r\n$50 gift card. In the envelope was a USB drive claiming to contain a list of products eligible for purchase using the gift card.\r\nThis is not a one-off incident, though.\r\nThe FBI warns that FIN7 has mailed these packages via USPS to numerous businesses (retail, restaurant, hotel industry)\r\nwhere they target employees in human resources, IT, or executive management departments. These packages sometimes\r\ninclude \"gifts\" like teddy bears or gift cards.\r\nThese USB drives are configured to emulate keystrokes that launch a PowerShell command to retrieve malware from server\r\ncontrolled by the attacker. Then, the USB device contacts domains or IP addresses in Russia.\r\nThe days when USB flash drives were just for storage are long gone. Several development boards (Teensy, Arduino) are now\r\navailable for programming to emulate a human interface device (HID) such as keyboards and mice and launch a pre-configured set of keystrokes to drop malicious payloads. These are called HID or USB drive-by attacks are easy to pull and\r\ndon't cost much.\r\nTrustwave analyzed this malicious USB activity and noticed two PowerShell commands that lead to showing a fake error for\r\nthe thumb drive and ultimately to running third-stage JavaScript that can collect system information and downloading other\r\nmalware.\r\nhttps://www.bleepingcomputer.com/news/security/fbi-hackers-sending-malicious-usb-drives-and-teddy-bears-via-usps/\r\nPage 3 of 6\n\nTo better summarize the attack flow, the researchers created the image below, which clarifies the stages of the compromise\r\nthat lead to deploying malware of the attacker’s choice.\r\nThe alert from the FBI informs that after the reconnaissance phase the threat actor starts to move laterally seeking\r\nadministrative privileges.\r\nFIN7’s uses multiple tools to achieve their goal; the list includes Metasploit, Cobalt Strike, PowerShell scripts, Carbanak\r\nmalware, Griffon backdoor, Boostwrite malware dropper, and RdfSniffer module with remote access capabilities.\r\nBadUSB attacks, demonstrated by security researcher Karsten Nohl in 2014, are now common in penetration testing and\r\nmultiple alternatives exist these days. The more versatile ones sell for $100.\r\nFIN7 went with a simple and cheap version, though, that costs between $5-$14, depending on the supplier and the shipping\r\ncountry. The FBI notes in its alert that the microcontroller is an ATMEGA24U, while the one seen by Trustwave had\r\nATMEGA32U4.\r\nHowever, both variants had “HW-374” printed on the circuit board and are identified as an Arduino Leonardo, which is\r\nspecifically programmed to act as a keyboard/mouse out of the box. Customizing the keystrokes and mouse movements is\r\npossible using the the Arduino IDE.\r\nhttps://www.bleepingcomputer.com/news/security/fbi-hackers-sending-malicious-usb-drives-and-teddy-bears-via-usps/\r\nPage 4 of 6\n\nConnecting unknown USB devices to a workstation is a well-known security risk but it is still disregarded by many users.\r\nOrganizations can take precautions against attacks via malicious USB drives by allowing only vetted devices based on their\r\nhardware ID and denying all others.\r\nFurthermore, updating PowerShell and enabling logging (the larger the log size, the better) can help determining the attack\r\nvector and the steps leading to compromise.\r\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nhttps://www.bleepingcomputer.com/news/security/fbi-hackers-sending-malicious-usb-drives-and-teddy-bears-via-usps/\r\nPage 5 of 6\n\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/fbi-hackers-sending-malicious-usb-drives-and-teddy-bears-via-usps/\r\nhttps://www.bleepingcomputer.com/news/security/fbi-hackers-sending-malicious-usb-drives-and-teddy-bears-via-usps/\r\nPage 6 of 6", "extraction_quality": 1, "language": "EN", "sources": [ "MITRE" ], "references": [ "https://www.bleepingcomputer.com/news/security/fbi-hackers-sending-malicious-usb-drives-and-teddy-bears-via-usps/" ], "report_names": [ "fbi-hackers-sending-malicious-usb-drives-and-teddy-bears-via-usps" ], "threat_actors": [ { "id": "c9617bb6-45c8-495e-9759-2177e61a8e91", "created_at": "2022-10-25T15:50:23.405039Z", "updated_at": "2026-04-10T02:00:05.387643Z", "deleted_at": null, "main_name": "Carbanak", "aliases": [ "Carbanak", "Anunak" ], "source_name": "MITRE:Carbanak", "tools": [ "Carbanak", "Mimikatz", "PsExec", "netsh" ], "source_id": "MITRE", "reports": null }, { "id": "9de1979b-40fc-44dc-855d-193edda4f3b8", "created_at": "2025-08-07T02:03:24.92723Z", "updated_at": "2026-04-10T02:00:03.755516Z", "deleted_at": null, "main_name": "GOLD LOCUST", "aliases": [ "Anunak", "Carbanak", "Carbon Spider ", "FIN7 ", "Silicon " ], "source_name": "Secureworks:GOLD LOCUST", "tools": [ "Carbanak" ], "source_id": "Secureworks", "reports": null }, { "id": "d90307b6-14a9-4d0b-9156-89e453d6eb13", "created_at": "2022-10-25T16:07:23.773944Z", "updated_at": "2026-04-10T02:00:04.746188Z", "deleted_at": null, "main_name": "Lead", "aliases": [ "Casper", "TG-3279" ], "source_name": "ETDA:Lead", "tools": [ "Agentemis", "BleDoor", "Cobalt Strike", "CobaltStrike", "RbDoor", "RibDoor", "Winnti", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf", "created_at": "2023-01-06T13:46:38.405479Z", "updated_at": "2026-04-10T02:00:02.961112Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "ATK32", "G0046", "G0008", "Sangria Tempest", "ELBRUS", "GOLD NIAGARA", "Coreid", "Carbanak", "Carbon Spider", "JokerStash", "CARBON SPIDER" ], "source_name": "MISPGALAXY:FIN7", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "ed3810b7-141a-4ed0-8a01-6a972b80458d", "created_at": "2022-10-25T16:07:23.443259Z", "updated_at": "2026-04-10T02:00:04.602946Z", "deleted_at": null, "main_name": "Carbanak", "aliases": [ "Anunak", "Carbanak", "Carbon Spider", "ELBRUS", "G0008", "Gold Waterfall", "Sangria Tempest" ], "source_name": "ETDA:Carbanak", "tools": [ "AVE_MARIA", "Agentemis", "AmmyyRAT", "Antak", "Anunak", "Ave Maria", "AveMariaRAT", "BABYMETAL", "BIRDDOG", "Backdoor Batel", "Batel", "Bateleur", "BlackMatter", "Boostwrite", "Cain \u0026 Abel", "Carbanak", "Cl0p", "Cobalt Strike", "CobaltStrike", "DNSMessenger", "DNSRat", "DNSbot", "DRIFTPIN", "DarkSide", "FOXGRABBER", "FlawedAmmyy", "HALFBAKED", "JS Flash", "KLRD", "MBR Eraser", "Mimikatz", "Nadrac", "Odinaff", "POWERPIPE", "POWERSOURCE", "PsExec", "SQLRAT", "Sekur", "Sekur RAT", "SocksBot", "SoftPerfect Network Scanner", "Spy.Agent.ORM", "TEXTMATE", "TeamViewer", "TiniMet", "TinyMet", "Toshliph", "VB Flash", "WARPRISM", "avemaria", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "f4f16213-7a22-4527-aecb-b964c64c2c46", "created_at": "2024-06-19T02:03:08.090932Z", "updated_at": "2026-04-10T02:00:03.6289Z", "deleted_at": null, "main_name": "GOLD NIAGARA", "aliases": [ "Calcium ", "Carbanak", "Carbon Spider ", "FIN7 ", "Navigator ", "Sangria Tempest ", "TelePort Crew " ], "source_name": "Secureworks:GOLD NIAGARA", "tools": [ "Bateleur", "Carbanak", "Cobalt Strike", "DICELOADER", "DRIFTPIN", "GGLDR", "GRIFFON", "JSSLoader", "Meterpreter", "OFFTRACK", "PILLOWMINT", "POWERTRASH", "SUPERSOFT", "TAKEOUT", "TinyMet" ], "source_id": "Secureworks", "reports": null }, { "id": "bfded1cf-be73-44f9-a391-0751c9996f9a", "created_at": "2022-10-25T15:50:23.337107Z", "updated_at": "2026-04-10T02:00:05.252413Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "FIN7", "GOLD NIAGARA", "ITG14", "Carbon Spider", "ELBRUS", "Sangria Tempest" ], "source_name": "MITRE:FIN7", "tools": [ "Mimikatz", "AdFind", "JSS Loader", "HALFBAKED", "REvil", "PowerSploit", "CrackMapExec", "Carbanak", "Pillowmint", "Cobalt Strike", "POWERSOURCE", "RDFSNIFFER", "SQLRat", "Lizar", "TEXTMATE", "BOOSTWRITE" ], "source_id": "MITRE", "reports": null }, { "id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82", "created_at": "2022-10-25T16:07:23.619566Z", "updated_at": "2026-04-10T02:00:04.690061Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "APT-C-11", "ATK 32", "G0046", "Gold Niagara", "GrayAlpha", "ITG14", "TAG-CR1" ], "source_name": "ETDA:FIN7", "tools": [ "7Logger", "Agentemis", "Anubis Backdoor", "Anunak", "Astra", "BIOLOAD", "BIRDWATCH", "Bateleur", "Boostwrite", "CROWVIEW", "Carbanak", "Cobalt Strike", "CobaltStrike", "DICELOADER", "DNSMessenger", "FOWLGAZE", "HALFBAKED", "JSSLoader", "KillACK", "LOADOUT", "Lizar", "Meterpreter", "Mimikatz", "NetSupport", "NetSupport Manager", "NetSupport Manager RAT", "NetSupport RAT", "NetSupportManager RAT", "POWERPLANT", "POWERSOURCE", "RDFSNIFFER", "Ragnar Loader", "SQLRAT", "Sardonic", "Sekur", "Sekur RAT", "TEXTMATE", "Tirion", "VB Flash", "cobeacon" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775438952, "ts_updated_at": 1775792152, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/2f159048db296cab9486e7a29595398e82453fb0.pdf", "text": "https://archive.orkl.eu/2f159048db296cab9486e7a29595398e82453fb0.txt", "img": "https://archive.orkl.eu/2f159048db296cab9486e7a29595398e82453fb0.jpg" } }