
Global USB Malware Outbreak Installs Cryptocurrency Miner Software Across Countries

USB-based, multi-stage assault detected, installing cryptocurrency mining malware through DLL hijacking and PowerShell techniques


In 2025, a multi-stage malware attack involving DLL search-order hijacking and PowerShell was identified and traced back to infected USB drives. The campaign, reminiscent of the international cryptocurrency mining scheme known as "Universal Mining" exposed by Azerbaijan's CERT in October 2024, remains active and is affecting organizations worldwide.

The attack begins with a Visual Basic script on USB drives, initiating a chain of processes including xcopy.exe. These processes move files into the Windows System32 directory, enabling the side-loading of a malicious DLL. The malicious DLL, linked to earlier Zephyr (XMRig) activity, is designed to download a cryptominer.

CyberProof's research, which traced the spread of the campaign through multiple intelligence sources and telemetry, revealed that organizations affected by this USB-borne campaign were located in the United States, Germany, and South Korea. The sectors affected included finance, healthcare, and manufacturing. Infections from this campaign have also been observed in the US, several European nations, Egypt, India, Kenya, Indonesia, Thailand, Vietnam, Malaysia, and Australia.

Organizations lacking strict USB policies remain vulnerable to cryptominer infections and potential insider threats that could escalate into more damaging breaches. To mitigate the risk, several measures have been suggested.

Firstly, it is recommended to harden endpoint security with EDR solutions capable of detecting obfuscated scripts. Secondly, protecting key system processes such as lsass.exe from credential theft attempts is crucial. Thirdly, disabling autorun and autoplay features on all systems can reduce exposure to malware.

Additionally, implementing device control policies that block unsigned executables from USB media can help prevent malware distribution via infected USB drives. Enforcing physical security measures, including restricting or locking USB ports, is also advisable.

The attack was ultimately blocked at its final stage by endpoint detection and response (EDR) tools. However, the persistent nature of this campaign serves as a reminder of the importance of robust cybersecurity measures and strict USB policies in today's digital landscape.
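To show how a defender might hunt for the chain described above (a script host launched from a USB drive, xcopy.exe copying into System32, and PowerShell spawned by the same script host), here is an added Python example run over constructed Sysmon-style process-creation events. It is not CyberProof's code or the article's own material, and it assumes that any script path not on the C: drive came from a foreign volume, a simplification standing in for real removable-media attribution.

```python
import re

SYSTEM32 = r"c:\windows\system32"
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SYSTEM_DRIVE = "c:"  # assumption: a script not on the system drive is treated as coming from a foreign (USB) volume

# Constructed Sysmon-style process-creation events (pid, ppid, image, cmdline); not taken from the article.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe", "cmdline": r'wscript.exe "E:\Documents.vbs"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c xcopy /y E:\.cache\* C:\Windows\System32"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\xcopy.exe", "cmdline": r"xcopy /y E:\.cache\* C:\Windows\System32"},
    {"pid": 500, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe -w hidden -enc <base64>"},
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},  # benign: admin shell, no script host above it
    {"pid": 700, "ppid": 600, "image": r"C:\Windows\System32\xcopy.exe", "cmdline": r"xcopy /y D:\drivers\* C:\Windows\System32"},
]

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def _args(cmdline):
    """Positional arguments of a command line: quotes stripped, program name and /switches dropped."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    return [t for t in tokens[1:] if not t.startswith("/")]

def _writes_into_system32(xcopy_event):
    args = _args(xcopy_event["cmdline"])  # xcopy <source> <destination> [switches]
    dst = args[1].lower() if len(args) >= 2 else ""
    return dst == SYSTEM32 or dst.startswith(SYSTEM32 + "\\")

def find_usb_sideload_chains(events, max_depth=4):
    """Flag xcopy.exe writes into System32 that have a script host running a non-system-drive script as an ancestor."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if _basename(e["image"]) != "xcopy.exe" or not _writes_into_system32(e):
            continue
        parent = by_pid.get(e["ppid"])
        for _ in range(max_depth):  # walk a bounded number of levels up the process tree
            if parent is None:
                break
            if _basename(parent["image"]) in SCRIPT_HOSTS:
                script = next(iter(_args(parent["cmdline"])), "")
                if script and not script.lower().startswith(SYSTEM_DRIVE):
                    # PowerShell children of the same script host correspond to the campaign's later stage
                    ps = [c["pid"] for c in events if c["ppid"] == parent["pid"] and _basename(c["image"]) == "powershell.exe"]
                    hits.append({"xcopy_pid": e["pid"], "script_pid": parent["pid"], "script": script, "powershell_pids": ps})
                break
            parent = by_pid.get(parent["ppid"])
    return hits
```

The benign administrator copy into System32 (pid 700) is deliberately not flagged, because no script host sits above it in the tree; the destination check alone would be too noisy on its own.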
