{
	"id": "6999f4e7-e4bc-4017-919c-9b27ac2e2e5f",
	"created_at": "2026-04-06T00:09:48.053114Z",
	"updated_at": "2026-04-10T03:31:51.402913Z",
	"deleted_at": null,
	"sha1_hash": "630435931e14de8a690048e35ced4bff6fbfd272",
	"title": "Espionage group using USB devices to hack targets in Southeast Asia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 83768,
	"plain_text": "Espionage group using USB devices to hack targets in Southeast Asia\r\nBy Alexander Martin\r\nPublished: 2023-01-09 · Archived: 2026-04-05 23:15:23 UTC\r\nUSB devices are being used to hack targets in Southeast Asia, according to a new report by cybersecurity firm Mandiant.\r\nThe use of USB devices as an initial access vector is unusual as they require some form of physical access — even if it is provided by an unwitting employee — to the target device.\r\nEarlier this year the FBI warned that cybercriminals were sending malicious USB devices to American companies via the U.S. Postal Service with the aim of getting victims to plug them in and unwittingly compromise their networks.\r\nThe new campaign in Southeast Asia potentially began as far back as September 2021, according to a post on the Mandiant Managed Defence blog, published on Monday. Mandiant is now a part of Google Cloud.\r\nThe hackers behind it are concentrating on targets in the Philippines. The researchers assess the group has a China nexus, although Mandiant did not formally attribute the cyber espionage operation to a specific state-sponsored group.\r\nOperations conducted by the threat actor, tracked as UNC4191, “have affected a range of public and private sector entities primarily in Southeast Asia and extending to the U.S., Europe, and APJ [Asia Pacific Japan],” the researchers said.\r\n“However, even when targeted organizations were based in other locations, the specific systems targeted by UNC4191 were also found to be physically located in the Philippines,” the report added.\r\nAfter the initial infection via the USB devices, the hackers use legitimately signed binaries to side-load malware onto the target computers.\r\nMandiant has identified three new families of malware, which it calls MISTCLOAK, DARKDEW, and BLUEHAZE.\r\nThese provide a reverse shell on the victim system, giving the UNC4191 hackers backdoor access. The malware then self-replicates by infecting any new removable drives that are plugged into the compromised computers, allowing the malware to spread to even air-gapped systems.\r\n“Given the worming nature of the malware involved, we may have detected the later stages of this malware’s proliferation,” the researchers stated.\r\nThey believe the campaign “showcases Chinese operations to gain and maintain access to public and private entities for the purposes of intelligence collection related to China’s political and commercial interests.”\r\nhttps://therecord.media/espionage-group-using-usb-devices-to-hack-targets-in-southeast-asia\r\nPage 1 of 3\n\nThe main targets of the operation appeared to be in the Philippines “based on the number of affected systems located in this country that were identified by Mandiant.”\r\nAlexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and a fellow at the European Cyber Conflict Research Initiative, now Virtual Routes. He can be reached securely using Signal on: AlexanderMartin.79\n\nSource: https://therecord.media/espionage-group-using-usb-devices-to-hack-targets-in-southeast-asia",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://therecord.media/espionage-group-using-usb-devices-to-hack-targets-in-southeast-asia"
	],
	"report_names": [
		"espionage-group-using-usb-devices-to-hack-targets-in-southeast-asia"
	],
	"threat_actors": [
		{
			"id": "d61cd7ed-6d16-491f-90a1-6323aae8f67f",
			"created_at": "2022-12-27T17:02:23.610663Z",
			"updated_at": "2026-04-10T02:00:04.9586Z",
			"deleted_at": null,
			"main_name": "UNC4191",
			"aliases": [],
			"source_name": "ETDA:UNC4191",
			"tools": [
				"BLUEHAZE",
				"DARKDEW",
				"HIUPAN",
				"MISTCLOAK",
				"NCAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b0f6e3c5-5424-463a-ada3-532ca52e5940",
			"created_at": "2023-11-17T02:00:07.60381Z",
			"updated_at": "2026-04-10T02:00:03.45747Z",
			"deleted_at": null,
			"main_name": "UNC4191",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC4191",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434188,
	"ts_updated_at": 1775791911,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/630435931e14de8a690048e35ced4bff6fbfd272.pdf",
		"text": "https://archive.orkl.eu/630435931e14de8a690048e35ced4bff6fbfd272.txt",
		"img": "https://archive.orkl.eu/630435931e14de8a690048e35ced4bff6fbfd272.jpg"
	}
}