{
	"id": "6f03d793-041f-430c-aa86-b30812ef7334",
	"created_at": "2026-04-06T00:15:26.975982Z",
	"updated_at": "2026-04-10T03:36:33.443352Z",
	"deleted_at": null,
	"sha1_hash": "f73a585ed57ec751f62a282541cafe4aa59e70c1",
	"title": "The Spies Who Loved You: Infected USB Drives to Steal Secrets | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1364970,
	"plain_text": "The Spies Who Loved You: Infected USB Drives to Steal Secrets |\r\nMandiant\r\nBy Mandiant\r\nPublished: 2023-07-11 · Archived: 2026-04-05 17:51:03 UTC\r\nWritten by: Rommel Joven, Ng Choon Kiat\r\nIn the first half of 2023, Mandiant Managed Defense has observed a threefold increase in the number of attacks\r\nusing infected USB drives to steal secrets. Mandiant tracked all of the cases and found that the majority of the\r\nincidents could be attributed to several active USB-based operation campaigns affecting both the public and\r\nprivate sectors globally.\r\nPreviously, we covered one of the campaigns that leverages USB flash drives as an initial infection vector and\r\nconcentrates on the Philippines. In this blog post, we are covering two additional USB-based cyber espionage\r\ncampaigns that have been observed by Managed Defense:\r\nSOGU Malware Infection via USB Flash Drives Across Industries and Geographies\r\nThis is the most prevalent USB-based cyber espionage attack using USB flash drives and one of the most\r\naggressive cyber espionage campaigns targeting both public and private sector organizations globally\r\nacross industry verticals. It uses USB flash drives to load the SOGU malware to steal sensitive information\r\nfrom a host.\r\nMandiant attributes this campaign to TEMP.Hex, a China-linked cyber espionage actor. TEMP.Hex likely\r\nconducted these attacks to collect information in support of Chinese national security and economic\r\ninterests. These operations pose a risk to a variety of industries, including construction and engineering,\r\nbusiness services, government, health, transportation, and retail in Europe, Asia, and the United States.\r\nSNOWYDRIVE Malware Infection via USB Flash Drives, Targets Oil and Gas Organizations in Asia\r\nThis campaign uses USB flash drives to deliver the SNOWYDRIVE malware. 
Once SNOWYDRIVE is\r\nloaded, it creates a backdoor on the host system, giving attackers the ability to remotely issue system\r\ncommands. It also spreads to other USB flash drives and propagates throughout the network.\r\nMandiant attributes this campaign to UNC4698, a threat actor that has targeted oil and gas organizations in\r\nAsia. Once the actor has gained access to the system, they execute arbitrary payloads using the Windows\r\nCommand Prompt, use removable media devices, create local staging directories, and modify the Windows\r\nregistry.\r\nSOGU Malware Infection via USB Flash Drives Across Industries and\r\nGeographies\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/infected-usb-steal-secrets/\r\nPage 1 of 15\n\nManaged Defense first observed this campaign while hunting for suspicious file write events in common\r\ndirectories that threat actors use for their malware, tools, or utilities.\r\nFigure 1: Geographic distribution of TEMP.HEX victims\r\nFigure 2: Managed Defense investigation breakdown by industry\r\nThe Initial Infection\r\nAn infected USB flash drive is the initial infection vector. The flash drive contains multiple malicious files\r\ndesigned to load a malicious payload in memory through DLL hijacking.\r\nEstablished Foothold\r\nThe entire infection chain usually consists of three files: a legitimate executable, a malicious DLL loader, and an\r\nencrypted payload. 
Table 1 shows the malware file paths and file names commonly observed throughout\r\nthe campaign.\r\nFile Path Benign Executable Malicious DLL Loader Encrypted Payload\r\n:\\RECYCLER.BIN\\1\\ CEFHelper.exe wsc.dll avastauth.dat\r\n:\\RECYCLERS.BIN\\ Smadav.exe smadhook32c.dll smadavupdate.dat\r\n:\\RECYCLERS.BIN\\ AdobeUpdate.exe hex.dll adobeupdate.dat\r\nTable 1: The legitimate executables commonly observed were security software, such as Avast, Smadav, or\r\nSymantec. The working directory is usually either RECYCLER.BIN or RECYCLERS.BIN\r\nWhen the legitimate executable is run, it will side-load a malicious DLL file, which we tracked as KORPLUG.\r\nThe KORPLUG malware will then decrypt and load shellcode, commonly observed in the form of a .dat file, and\r\nexecute it in memory. The shellcode is commonly a backdoor that Mandiant tracks as SOGU, a\r\nbackdoor written in C.\r\nReconnaissance and Data Staging\r\nThe infection continues by dropping a batch file onto the RECYCLER.BIN file path. The batch file runs host\r\nreconnaissance commands and outputs the results to a file named c3lzLmluZm8. When decoded from Base64, the\r\nfile name c3lzLmluZm8 is “sys.info”. The following commands are executed to gather system metadata:\r\ntasklist /v\r\narp -a\r\nnetstat -ano\r\nipconfig /all\r\nsysteminfo\r\nSubsequently, the malware searches the C drive for files with the following extensions: .doc, .docx, .ppt, .pptx,\r\n.xls, .xlsx, and .pdf. 
It encrypts a copy of each file, encodes the original filenames using Base64, and drops the\r\nencrypted files in the following directories:\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\Intel\\\u003cSOGU CLSID\u003e\\\u003cfilename in Base64\u003e\r\n\u003cdrive\u003e:\\RECYCLER.BIN\\\u003cSOGU CLSID\u003e\\\u003cfilename in Base64\u003e\r\nMaintain Presence\r\nTo maintain its persistence on the system, the malware creates a directory that masquerades as a legitimate\r\nprogram and sets the directory's attribute to hidden. It then copies its main components to this directory, with the\r\nfollowing commonly used file paths:\r\nC:\\ProgramData\\AvastSvcpCP\r\nC:\\ProgramData\\AAM UpdatesHtA\r\nC:\\ProgramData\\AcroRd32cWP\r\nC:\\ProgramData\\Smadav\\SmadavNSK\r\nThen, it creates a Run registry key with the same name as the directory created earlier. The Run registry keys are\r\nused to run programs automatically when a user logs on. The following are the commonly observed Run registry\r\nkey entries.\r\nValue: AvastSvcpCP\r\nText: C:\\ProgramData\\AvastSvcpCP\\AvastSvc.exe\r\nValue: AAM UpdatesHtA\r\nText: C:\\ProgramData\\AAM UpdatesHtA\\AAM Updates.exe\r\nValue: AcroRd32cWP\r\nText: C:\\ProgramData\\AcroRd32cWP\\AcroRd32.exe\r\nValue: SmadavNSK\r\nText: C:\\ProgramData\\Smadav\\SmadavNSK\\Smadav.exe\r\nIn some SOGU variants, an additional scheduled task may be created to run the malware every 10 minutes to\r\nmaintain persistence.\r\nSCHTASKS.exe /create /sc minute /mo 10 /tn \"Autodesk plugin\" /tr\r\n\"\"\"\"C:\\ProgramData\\Smadav\\SmadavNSK\\Smadav.exe\"\"\" 644\" /f\r\nComplete Mission\r\nAt the last stage of the attack lifecycle, the malware will exfiltrate any data that has been staged. The malware\r\nmay use HTTP, HTTPS, a custom binary protocol over TCP or UDP, or ICMP to communicate with its\r\ncommand and control server. 
The malware was also found to support a wide range of commands, including file\r\ntransfer, file execution, remote desktop, screenshot capture, reverse shell, and keylogging.\r\nThe malware can also copy itself onto new removable drives plugged into an infected system. This allows the malicious\r\npayloads to spread to other systems and potentially collect data from air-gapped systems.\r\nMandiant tracks this event as Campaign 22-054.\r\nSNOWYDRIVE Malware Infection via USB Flash Drives, Targets Oil and Gas\r\nOrganizations in Asia\r\nManaged Defense first observed this campaign while hunting for Windows Explorer process executions with a\r\nsuspicious folder path (e.g., “F:\\”) specified on the command line. This behavior is commonly observed when a\r\nuser is tricked into executing malware on USB drives. While this type of threat is not uncommon, Mandiant's\r\nrelentless research and pursuit of every attack led to the discovery of yet another espionage campaign that uses\r\nUSB drives to spread malware.\r\nThe Initial Infection\r\nAn infected USB flash drive is the initial infection vector. The victim is lured to click on a malicious file that is\r\nmasquerading as a legitimate executable. Executing the malicious file triggers a chain of malicious\r\nexecutions, each designed to perform a specific task in the attack lifecycle.\r\nEstablished Foothold\r\nThe infection chain typically starts with an executable that serves as a dropper. The dropper is responsible for\r\nwriting malicious files to disk and launching them. 
In one instance, a dropper named USB Drive.exe wrote the\r\nfollowing encrypted files to C:\\Users\\Public\\SymantecsThorvices\\Data:\r\naweu23jj46jm7dc\r\nbjca3a0e2sfbs\r\nasdigasur3ase\r\nsf33kasliaeae\r\nsf24acvywsake\r\nThe encrypted files contain executables and DLLs that are extracted and written to the directory\r\nC:\\Users\\Public\\SymantecsThorvices\\Bin.\r\nThese files can be broken down into four components, each consisting of a legitimate executable and a malicious\r\nDLL that is loaded via DLL search order hijacking. As shown in Figure 5, each component is responsible for a\r\ntask within the attack lifecycle.\r\nFigure 5: Components and the execution chain of this campaign\r\nFilename Purpose\r\nGUP.exe Legitimate WinGup for Notepad++\r\nSilverlight.Configuration.exe Legitimate Microsoft Silverlight\r\nspoololk.exe Legitimate VentaFax Software\r\nCUZ.exe Legitimate CAM UnZip Software\r\nVNTFXF32.dll A malicious DLL loaded by spoololk.exe to create registry persistence.\r\ncoreclr.dll A malicious DLL loaded by Silverlight.Configuration.exe. This malware will drop and execute a\r\nshellcode-based backdoor, drop and execute a malicious utility that configures the host to evade detection, and\r\ninfect other attached USB flash drives.\r\nlibcurl.dll A malicious DLL loaded by GUP.exe. 
It is an evasion utility that sets registry\r\nvalues to show hidden files, hide file extensions, and hide files that are\r\nmarked \"system\" and \"hidden\".\r\nZIPDLL.dll A memory-only dropper that injects a shellcode-based\r\nbackdoor named SNOWYDRIVE into CUZ.exe.\r\nTable 2: Malware components\r\nCommand and Control\r\nThe shellcode-based backdoor named SNOWYDRIVE generates a unique identifier based on the system name,\r\nusername, and volume serial number. This identifier serves as a unique ID when communicating with its command\r\nand control (C2) server. The C2 domain is usually hard-coded in the shellcode.\r\nFigure 6: Hard-coded domain observed in a SNOWYDRIVE variant\r\nThe backdoor supports the following commands:\r\nCommand ID Description\r\n0x2 Sleep\r\n0x3, 0x4 Terminate reverse shell, exit\r\n0x5 Create file\r\n0x6 Write file or delete file\r\n0x7 Initiate file upload\r\n0x8 Continue file upload\r\n0x9 Create cmd.exe reverse shell\r\n0xA Execute reverse shell command\r\n0xB Retrieve reverse shell command output\r\n0xC List logical drives\r\n0xD Start file/directory search\r\n0xE Continue file/directory search\r\nTable 3: SNOWYDRIVE supported commands\r\nMaintain Presence\r\nThe registry value HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ushsguaei1hgba is used for\r\npersistence. It stores the path of Silverlight.Configuration.exe.\r\nLateral Movement\r\nThe malware copies itself to removable drives that are plugged into an infected system. It creates the folder\r\n“\u003cdrive_root\u003e\\Kaspersky\\Usb Drive\\3.0” on the removable drive and copies the encrypted files that contain the\r\nmalicious components. 
An executable is extracted from the file “aweu23jj46jm7dc” and written to\r\n\u003cdrive_root\u003e\\\u003cvolume_name\u003e.exe; this executable is responsible for extracting and executing the content of the encrypted files.\r\nOutlook and Implications\r\nMandiant's investigation and research identified local print shops and hotels as potential hotspots for infection.\r\nWhile some threat actors targeted specific industries or regions, Campaign 22-054 appears to be more\r\nopportunistic in nature. This campaign may be part of a long-term collection objective or a later-stage follow-up\r\nfor subjects of interest to state-sponsored threat actors.\r\nOrganizations should prioritize implementing restrictions on access to external devices such as USB drives. If this\r\nis not possible, they should at least scan these devices for malicious files or code before connecting them to their\r\ninternal networks.\r\nYARA Rules\r\nSOGU\r\nSOGU is a backdoor written in C. The network protocol varies between samples and may include HTTP, HTTPS,\r\na custom binary protocol over TCP or UDP, and ICMP. Supported commands include file transfer, file execution,\r\nremote desktop, screenshot capture, reverse shell, and keylogging.\r\nrule M_Code_SOGU\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Hunting rule for SOGU\"\r\n sha256 = \"8088b1b1fabd07798934ed3349edc468062b166d5413e59e78216e69e7ba58ab\"\r\n strings:\r\n $sb1 = { 8B [2] C7 ?? 01 03 19 20 8B [2] C7 ?? 04 01 10 00 00 8B [2] C7 ?? 08 00 00 00 00 8B [2] C7 ?? 0\r\n $sb2 = { 8B ?? 0C C7 ?? 01 03 19 20 8B ?? 0C C7 ?? 04 00 10 00 00 6A 40 E8 [4] 83 C4 04 8B ?? 0C 89 ?? 
0\r\n condition:\r\n (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x010B)\r\n}\r\nFROZENHILL\r\nFROZENHILL is a launcher written in C++ that is configured to utilize existing files for execution and also\r\ninfects newly attached storage volumes with additional malware.\r\nrule M_Code_FROZENHILL\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Hunting rule for FROZENHILL\"\r\n sha256 = \"89558b4190abcdc1a2353eda591901df3bb8856758f366291df85c5345837448\"\r\n strings:\r\n $str1 = \"path_symantec\" ascii\r\n $str2 = \"symantec_dir\" ascii\r\n $str3 = \"name_svchost\" ascii\r\n $str4 = \"run_cmd\" ascii\r\n $str5 = \"usb_dll_name\" ascii\r\n $str6 = \"name_mutex\" ascii\r\n $str7 = \"cmd /c \\\"%s\\\" %d\" wide\r\n $str8 = { 8B 85 [4] 83 ?? 01 89 85 [4] 8B 85 [4] 3B 45 0C 74 ?? 8B 45 ?? 03 85 [4] 0F B6 08 33 8D [4] 81\r\n condition:\r\n uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and all of them\r\n}\r\nZIPZAG\r\nZIPZAG is an in-memory dropper written in C++ that is configured to overwrite portions of the loading process\r\nwith shellcode and transfer execution back to the process.\r\nrule M_Code_ZIPZAG\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Hunting rule for ZIPZAG\"\r\n sha256 = \"8a968a91c78916a0bb32955cbedc71a79b06a21789cab8b05a037c8f2105e0aa\"\r\n strings:\r\n $str1 = { C6 45 ?? 55 C6 45 ?? 8B C6 45 ?? EC C6 45 ?? 81 C6 45 ?? EC C6 45 ?? 08 C6 45 ?? 01 C6 45 ?? 
0\r\n $str2 = \"shellcode_size\" ascii\r\n condition:\r\n uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and all of them\r\n}\r\nSNOWYDRIVE\r\nSNOWYDRIVE is a shellcode-based backdoor that communicates via a custom binary protocol over TCP.\r\nSupported commands include reverse shell creation, file transfer, file deletion, and disk enumeration.\r\nrule M_Code_SNOWYDRIVE\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Hunting rule for SNOWYDRIVE\"\r\n sha256 = \"964c380bc6ffe313e548336c9dfaabbd01a5519e8635adde42eedb7e1187c0b3\"\r\n strings:\r\n $str1 = { C6 45 ?? 6B C6 45 ?? 65 C6 45 ?? 72 C6 45 ?? 6E C6 45 ?? 65 C6 45 ?? 6C C6 45 ?? 33 C6 45 ?? 3\r\n $str2 = { C6 45 ?? 47 C6 45 ?? 65 C6 45 ?? 74 C6 45 ?? 50 C6 45 ?? 72 C6 45 ?? 6F C6 45 ?? 63 C6 45 ?? 4\r\n $str3 = { C6 85 ?? FD FF FF 4C C6 85 ?? FD FF FF 6F C6 85 ?? FD FF FF 61 C6 85 ?? FD FF FF 64 C6 85 ?? F\r\n $str4 = { C6 85 ?? FC FF FF 57 C6 85 ?? FC FF FF 61 C6 85 ?? FC FF FF 69 C6 85 ?? FC FF FF 74 C6 85 ?? F\r\n condition:\r\n uint16(0) != 0x5A4D and uint32(0) != 0x464c457f and uint32(0) != 0xBEBAFECA and uint32(0) != 0xFEEDFACE\r\n}\r\nYARA-L Hunting Rules\r\nThe YARA-L syntax is derived from the YARA language developed by VirusTotal. 
The language works in\r\nconjunction with the Chronicle Detection Engine and enables you to hunt for threats and other events across large\r\nvolumes of data.\r\nFind out more about Google Chronicle.\r\nrule hunting_T1091_User_Execution_Malicious_File\r\n{\r\n meta:\r\n rule_name = \"Replication Through Removable Media\"\r\n description = \"This rule detects a file write event from a RECYCLER/S named path to another directory\"\r\n author = \"Mandiant Managed Defense\"\r\n mitre_technique_name = \"User Execution: Malicious File\"\r\n mitre_technique = \"T1204\"\r\n mitre_tactic_name = \"Execution\"\r\n platform = \"Windows\"\r\n \r\n events:\r\n $e.target.process.path = \":\\RECYCLER.BIN\\\" nocase or\r\n $e.target.process.path = \":\\RECYCLERS.BIN\\\" nocase\r\n condition:\r\n $e\r\n}\r\nrule hunting_T1091_Replication_Through_Removable_Media\r\n{\r\n meta:\r\n rule_name = \"Replication Through Removable Media\"\r\n description = \"This rule detects windows explorer process execution with a suspicious folder path specified on the command line\"\r\n author = \"Mandiant Managed Defense\"\r\n mitre_technique_name = \"Replication Through Removable Media\"\r\n mitre_technique = \"T1091\"\r\n mitre_tactic_name = \"Lateral Movement,Initial Access\"\r\n platform = \"Windows\"\r\n events:\r\n $e.target.process = \"explorer.exe\" and\r\n (\r\n re.regex($e.principal.process.command_line, `explorer.exe?(\\\")?\\s+(\\\")?[A-BD-Za-bd-z]:\\\\`) nocase and\r\n re.regex($e.principal.process.full_path, `:\\\\[^\\\\]+\\.exe$`) nocase\r\n )\r\n condition:\r\n $e\r\n}\r\nIndicators of Compromise\r\nMalware Family File Name MD5\r\nSOGU AvastAuth.dat ebb7749069a9b5bcda98d89f04d889db\r\nSOGU hex.dll b061d981d224454ffd8d692cf7ee92b7\r\nSOGU adobeupdate.dat 
38baabddffb1d732a05ffa2c70331e21\r\nSOGU SmadHook32c.dll fc55344597d540453326d94eb673e750\r\nSOGU smadavupdate.dat 028201d92b2b41cb6164430232192062\r\nSOGU wsc.dll 722b15bbc15845e4e265a1519c800c34\r\nSOGU SmadavMain.exe ab5d85079e299ac49fcc9f12516243de\r\nFROZENHILL coreclr.dll 848feec343111bc11cceb828b5004aad\r\nZIPZAG ZIPDLL.dll e1cea747a64c0d74e24419ab1afe1970\r\nMalware Family Network IOCs\r\nSNOWYDRIVE www.beautyporntube[.]com\r\nSOGU 45.142.166[.]112\r\nSOGU 103.56.53[.]46\r\nSOGU 45.251.240[.]55\r\nSOGU 43.254.217[.]165\r\nAbout Managed Defense Hunting\r\nCybersecurity hunting missions are a way to look for security breaches that bypass an organization's security\r\ncontrols. Managed Defense hunting missions are based on Mandiant’s real-time intelligence mapped to the MITRE\r\nATT\u0026CK framework.\r\nFind out more about Managed Defense.\r\nAbout Threat Campaigns\r\nGreater visibility into attacker operations: Threat Campaigns provides you with detailed information about active\r\ncampaigns, including the tactics, techniques, and infrastructure used by attackers. This information can help you\r\nidentify new threats and vulnerabilities, and prioritize your defensive actions.\r\nFind out more about Threat Campaigns.\r\nMandiant Security Validation Actions\r\nMandiant Advantage Security Validation can automate the following process to give you real data on how your\r\nsecurity controls are performing against these threats.\r\nThe following table is a subset of MSV actions for one of the malware variants. 
Find out more about Mandiant\r\nSecurity Validation.\r\nVID Name\r\nA106-036 Protected Theater - TEMP.Hex, SOGU, Execution, Variant #1\r\nA106-037 Protected Theater - TEMP.Hex, SOGU, Execution via Malicious LNK, Variant #1\r\nA106-046 Command and Control - TEMP.Hex, SOGU, Beacon, Variant #1\r\nA106-045 Protected Theater - TEMP.Hex, SOGU, Create Install Directory, Variant #1\r\nA106-049 Host CLI - TEMP.Hex, SOGU, Establish Persistence via Registry Run Key, Variant #1\r\nA106-051 Protected Theater - TEMP.Hex, SOGU, Establish Persistence via Registry Run Key, Variant #1\r\nA106-052 Protected Theater - TEMP.Hex, SOGU, Network Registry Key Change, Variant #1\r\nA106-060 Host CLI - TEMP.Hex, SOGU, Enumeration, Variant #1\r\nS100-257 Malicious Activity Scenario - TEMP.Hex Campaign Spreading SOGU via Infected USB Drives, Variant #1\r\nAcknowledgements\r\nThis blog post is dedicated to the analysts in the Managed Defense team for their tireless work to develop new\r\nways of defending our clients around the clock.\r\nSpecial thanks to Matt Williams for his assistance in analyzing the malware samples and Matthew Hoerger and\r\nLexie Aytes for creating the Mandiant Security Validation (MSV) actions. 
Thanks also to Martin Co for his input and review of\r\nthis blog post.\r\nPosted in\r\nThreat Intelligence\r\nSource: https://cloud.google.com/blog/topics/threat-intelligence/infected-usb-steal-secrets/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/infected-usb-steal-secrets/"
	],
	"report_names": [
		"infected-usb-steal-secrets"
	],
	"threat_actors": [
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20b5fa2f-2ef1-4e69-8275-25927a762f72",
			"created_at": "2025-08-07T02:03:24.573647Z",
			"updated_at": "2026-04-10T02:00:03.765721Z",
			"deleted_at": null,
			"main_name": "BRONZE DUDLEY",
			"aliases": [
				"TA428 ",
				"Temp.Hex ",
				"Vicious Panda "
			],
			"source_name": "Secureworks:BRONZE DUDLEY",
			"tools": [
				"NCCTrojan",
				"PhantomNet",
				"PoisonIvy",
				"Royal Road"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434526,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f73a585ed57ec751f62a282541cafe4aa59e70c1.pdf",
		"text": "https://archive.orkl.eu/f73a585ed57ec751f62a282541cafe4aa59e70c1.txt",
		"img": "https://archive.orkl.eu/f73a585ed57ec751f62a282541cafe4aa59e70c1.jpg"
	}
}