{
	"id": "9660a382-7bef-4560-b352-bdac50b7b0c4",
	"created_at": "2026-04-06T00:12:34.298378Z",
	"updated_at": "2026-04-10T03:35:53.062528Z",
	"deleted_at": null,
	"sha1_hash": "db20ed2a2e346b0a88190bee8a07d123d02a41aa",
	"title": "Rare BadUSB attack detected in the wild against US hospitality provider",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 592283,
	"plain_text": "Rare BadUSB attack detected in the wild against US hospitality\r\nprovider\r\nBy Written by Catalin Cimpanu, ContributorContributor March 26, 2020 at 6:00 a.m. PT\r\nArchived: 2026-04-05 14:36:52 UTC\r\nA US hospitality provider has recently been the target of an incredibly rare BadUSB attack, ZDNet has learned\r\nfrom cyber-security firm Trustwave.\r\nThe attack happened after the company received an envelope containing a fake BestBuy gift card, along with a\r\nUSB thumb drive.\r\nThe receiving company was told to plug the USB thumb drive into a computer to access a list of items the gift\r\ncard could be used for.\r\nhttps://www.zdnet.com/article/rare-badusb-attack-detected-in-the-wild-against-us-hospitality-provider/\r\nPage 1 of 3\n\nImage: Trustwave\r\nBut in reality, the USB thumb drive was what security experts call a \"BadUSB\" -- a USB thumb drive that actually\r\nfunctions as a keyboard when connected to a computer, where it emulates keypresses to launch various automated\r\nattacks.\r\nTrustwave, who couldn't reveal the target company's name for confidentiality reasons, said the victim recognized\r\nthe attempted hack and called it in to investigate the incident.\r\nIn a report published today and shared with ZDNet, Trustwave said that once they plugged the BadUSB into a test\r\nworkstation, the BadUSB triggered a series of automated keypresses that launched a PowerShell command.\r\nhttps://www.zdnet.com/article/rare-badusb-attack-detected-in-the-wild-against-us-hospitality-provider/\r\nPage 2 of 3\n\nThis Powershell command downloaded a bulkier PowerShell script from an internet site and then installed\r\nmalware on the test machine -- a JScript-based bot.\r\nbadusb-attack.png\r\nImage: Trustwave\r\n\"At the time of the analysis, we did not found a similar strain of malware,\" Phil Hay, Senior Research Manager at\r\nTrustwave, told ZDNet in an email yesterday.\r\n\"The malware is unknown to us. 
It is also hard to say if it is custom-built, but it probably is, because it is not\r\nwidespread and seems to be targeted,\" Hay added.\r\nHowever, the Trustwave researcher also told us that since their initial analysis, a file similar to the malware they\r\nanalyzed was later uploaded on VirusTotal, a web-based file scanning engine. Per subsequent analysis from\r\nFacebook and Kaspersky researchers, the file is believed to be the work of a hacking group known as FIN7.\r\nIt is unclear who uploaded this file, or if it comes from another cyber-security vendor also investigating a BadUSB\r\nattack at another victim.\r\nBut the lesson here is that someone actually detected a BadUSB attack in the real world. BadUSB attacks were\r\nfirst detailed at the start of the 2010s, and for many years they represented a theoretical attack scenario, something\r\nthat employees are often warned about, but which has rarely been seen in the wild.\r\n\"These sorts of [BadUSB] attacks are often simulated in penetration testing and used during red teaming\r\nexercises,\" Hay told ZDNet. \"Seeing these types of attacks in the real world is much more rare.\"\r\nAn FBI spokesperson told ZDNet that any users or companies who receive malware-laced USBs should report the\r\nincident to their local FBI office for further investigations.\r\nLast known attack happened two years ago in Eastern Europe\r\nThe last known case of a BadUSB attack -- also known as a Bash Bunny attack -- was detailed in December 2018\r\nby Russian cyber-security firm Kaspersky.\r\nAt the time, the company said it found BadUSB devices, along with cheap laptops and Raspberry Pi boards, on\r\nlocation at eight banks in Eastern Europe. 
The banks called Kaspersky to investigate a series of mysterious cyber-heists during which hackers stole tens of millions of dollars.\r\nSource: https://www.zdnet.com/article/rare-badusb-attack-detected-in-the-wild-against-us-hospitality-provider/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.zdnet.com/article/rare-badusb-attack-detected-in-the-wild-against-us-hospitality-provider/"
	],
	"report_names": [
		"rare-badusb-attack-detected-in-the-wild-against-us-hospitality-provider"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434354,
	"ts_updated_at": 1775792153,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/db20ed2a2e346b0a88190bee8a07d123d02a41aa.pdf",
		"text": "https://archive.orkl.eu/db20ed2a2e346b0a88190bee8a07d123d02a41aa.txt",
		"img": "https://archive.orkl.eu/db20ed2a2e346b0a88190bee8a07d123d02a41aa.jpg"
	}
}