S0136: USBStealer
USBStealer is malware that has been used by APT28 since at least 2005 to extract information from air-gapped networks. It does not have the capability to communicate over the Internet and has been used in conjunction with ADVSTORESHELL. [1] [2]
Analyst context for executives and security teams
USBStealer matters because it represents a practical risk to air-gapped or physically segmented Windows environments: data can move by removable media rather than the Internet. For leaders, the key issue is not only malware detection, but whether policies, logging, removable-media controls, and incident procedures can prove what moved between connected and disconnected systems.
Executive priority
Prioritize this behavior where sensitive operations rely on air gaps, removable media workflows, or Windows systems used to bridge operational and enterprise environments. The ATT&CK relationships point to collection, staging, stealth, removable-media replication, and USB-based exfiltration, so executives should ask whether USB use is governed, monitored, and auditable; whether exceptions are approved; and whether incident responders can reconstruct removable-media activity during an investigation.
Technical view
USBStealer is a Windows malware entry associated in ATT&CK with APT28 and described as lacking Internet communication capability. Defensive validation should focus on the related behaviors: removable media discovery and replication, file and directory discovery, automated collection, local data staging, encrypted or encoded files, file deletion, timestomping, Registry Run Keys or Startup Folder persistence, communication through removable media, and exfiltration over USB. SOC and IR teams should test whether endpoint, Windows registry, file-system, and device-control telemetry can correlate USB insertion, suspicious file creation or copying, persistence changes, staging directories, timestamp anomalies, and subsequent deletion activity.
Likely telemetry
- Windows endpoint process and file activity logs
- USB/removable media insertion, mount, serial number, and file transfer records
- Registry Run Key and Startup Folder change monitoring
- File creation, modification, deletion, and timestamp metadata
- Endpoint security alerts for encoded/encrypted suspicious files or masqueraded filenames
Detection direction
- Validate visibility at the removable-media boundary, not only at network egress, because the official description notes no Internet communication capability.
- Correlate USB insertion events with rapid file enumeration, bulk copying, local staging, file deletion, and timestamp changes.
- Tune detections for legitimate administrative, backup, engineering, or data-transfer workflows to reduce false positives while preserving auditability.
- Review persistence monitoring for Registry Run Keys and Startup Folder changes on Windows systems that are allowed to use removable media.
- Hunt for masquerading and encoded or encrypted artifacts on removable media and local staging paths, using local baselines for trusted file names and locations.
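One way to exercise the correlation described in this list, as an added example (not Glexia's or MITRE's code): the script below runs over constructed Windows telemetry and reports, per USB insertion, the USBStealer-style indicators the techniques table names: staging of .skr/.pkr/.key files, a Run-key value named "USB Disk Security", a dropper whose last-write time exactly matches a standard Windows library, and later deletion of that dropper. The event schema, hostnames, paths, serials and the library timestamp baseline are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry, not real logs: one USB insertion followed by the
# USBStealer-style pattern (masqueraded dropper, Run-key persistence, key-file
# staging, cleanup) and one benign insertion. Timestamps are ISO-8601 strings.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "ws01", "type": "usb_insert", "serial": "SN-CONSTRUCTED-1"},
    {"ts": "2024-05-01T09:00:04", "host": "ws01", "type": "file_create",
     "path": "E:\\USB Disk Security.exe", "mtime": "2019-03-19T04:44:12"},
    {"ts": "2024-05-01T09:00:06", "host": "ws01", "type": "registry_set",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "name": "USB Disk Security"},
    {"ts": "2024-05-01T09:00:30", "host": "ws01", "type": "file_create", "path": "C:\\ProgramData\\st\\a.skr"},
    {"ts": "2024-05-01T09:00:31", "host": "ws01", "type": "file_create", "path": "C:\\ProgramData\\st\\b.pkr"},
    {"ts": "2024-05-01T09:00:32", "host": "ws01", "type": "file_create", "path": "C:\\ProgramData\\st\\c.key"},
    {"ts": "2024-05-01T09:02:00", "host": "ws01", "type": "file_delete", "path": "E:\\USB Disk Security.exe"},
    {"ts": "2024-05-01T13:00:00", "host": "ws02", "type": "usb_insert", "serial": "SN-CONSTRUCTED-2"},
    {"ts": "2024-05-01T13:00:09", "host": "ws02", "type": "file_create",
     "path": "E:\\report.docx", "mtime": "2024-05-01T12:58:00"},
]
# Constructed baseline (assumed): last-write times of standard Windows libraries on the
# host. A timestomped dropper copies one of these exactly (T1070.006 in the table).
LIBRARY_MTIMES = {"C:\\Windows\\System32\\kernel32.dll": "2019-03-19T04:44:12"}
KEY_EXTS = (".skr", ".pkr", ".key")      # extensions USBStealer searches for (T1083)
RUN_KEY_NAMES = {"usb disk security"}    # masqueraded Run-key value name (T1547.001)

def _t(s):
    return datetime.fromisoformat(s)

def correlate(events, window=timedelta(minutes=5)):
    """One finding per USB insertion: indicators seen on that host inside the window."""
    events = sorted(events, key=lambda e: e["ts"])
    findings = []
    for ins in (e for e in events if e["type"] == "usb_insert"):
        start, end = _t(ins["ts"]), _t(ins["ts"]) + window
        span = [e for e in events if e["host"] == ins["host"] and start <= _t(e["ts"]) <= end]
        created = {e["path"] for e in span if e["type"] == "file_create"}
        ind = set()
        if sum(p.lower().endswith(KEY_EXTS) for p in created) >= 3:
            ind.add("key_material_staged")
        if any(e["type"] == "registry_set" and e["key"].lower().endswith("\\run")
               and e["name"].lower() in RUN_KEY_NAMES for e in span):
            ind.add("run_key_masquerade")
        if any(e.get("mtime") in LIBRARY_MTIMES.values() for e in span if e["type"] == "file_create"):
            ind.add("timestomp_matches_system_library")
        if any(e["type"] == "file_delete" and e["path"] in created for e in span):
            ind.add("dropper_cleanup")
        findings.append({"host": ins["host"], "serial": ins["serial"], "indicators": sorted(ind)})
    return findings

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

In a real deployment the event list would come from device-control, Sysmon or EDR telemetry and the library baseline from the host itself; the thresholds and window are tuning points for the approved transfer workflows mentioned above.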
Mitigation priorities
- Inventory where removable media is allowed, especially in air-gapped, high-sensitivity, or cyber-physical environments.
- Restrict and approve USB use based on business need, with compensating controls for required transfer workflows.
- Ensure Windows endpoint logging captures device insertion, file movement, persistence changes, deletion, and timestamp-relevant artifacts.
- Create IR playbooks for removable-media incidents, including preservation of the USB device, host artifacts, and chain-of-custody evidence.
- Harden persistence locations such as Run Keys and Startup folders through monitoring and least-privilege administration.
Analyst notes and limits
The most decision-useful aspect of this object is the air-gap/removable-media pattern. Coverage depends heavily on local USB governance and endpoint artifact retention. The relationship set provides useful hunting themes across collection, discovery, persistence, stealth, lateral movement, command and control through removable media, and exfiltration.
MITRE provides no official detection text for this software object, and tactics are not specified directly on the malware entry. Specific indicators, file names, hashes, and confirmed local exposure are not supplied here, so organizations must rely on their own telemetry, asset context, and approved removable-media workflows for validation.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1025 | Data from Removable Media | Once a removable media device is inserted back into the first victim, USBStealer collects data from it that was exfiltrated from a second victim. [1] [2] |
| Enterprise | T1027.013 | Encrypted/Encoded File | Most strings in USBStealer are encrypted using 3DES and XOR and reversed. [1] |
| Enterprise | T1083 | File and Directory Discovery | USBStealer searches victim drives for files matching certain extensions (".skr", ".pkr" or ".key") or names. [1] [2] |
| Enterprise | T1052.001 | Exfiltration over USB | USBStealer exfiltrates collected files via removable media from air-gapped victims. [1] |
| Enterprise | T1070.006 | Timestomp | USBStealer sets the timestamps of its dropper files to the last-access and last-write timestamps of a standard Windows library chosen on the system. [1] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | USBStealer registers itself under a Registry Run key with the name "USB Disk Security." [1] |
| Enterprise | T1119 | Automated Collection | For all non-removable drives on a victim, USBStealer executes automated collection of certain files for later exfiltration. [1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | USBStealer mimics a legitimate Russian program called USB Disk Security. [1] |
| Enterprise | T1020 | Automated Exfiltration | USBStealer automatically exfiltrates collected files via removable media when an infected device connects to an air-gapped victim machine after initially being connected to an internet-enabled victim machine. [1] |
| Enterprise | T1092 | Communication Through Removable Media | USBStealer drops commands for a second victim onto a removable media drive inserted into the first victim, and commands are executed when the drive is inserted into the second victim. [1] |
| Enterprise | T1091 | Replication Through Removable Media | USBStealer drops itself onto removable media and relies on Autorun to execute the malicious file when a user opens the removable media on another system. [1] |
| Enterprise | T1070.004 | File Deletion | USBStealer has several commands to delete files associated with the malware from the victim. [1] |
| Enterprise | T1120 | Peripheral Device Discovery | USBStealer monitors victims for insertion of removable drives. When dropped onto a second victim, it also enumerates drives connected to the system. [1] |
| Enterprise | T1074.001 | Local Data Staging | USBStealer collects files matching certain criteria from the victim and stores them in a local directory for later exfiltration. [1] [2] |
Groups, software, and campaigns
G0007: APT28
APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.[1][2] This group has been active since at least 2004.[3][4][5][6][7][8][9][10][11][12][13]
APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.[5] In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.[14] Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.3 | | Current bundle | 457177f131d5… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] ESET Sednit USBStealer 2014: Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017.
- [2] Kaspersky Sofacy: Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
- [3] mitre-attack S0136
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.