S0452: USBferry
USBferry is an information stealing malware and has been used by Tropic Trooper in targeted attacks against Taiwanese and Philippine air-gapped military environments. USBferry shares an overlapping codebase with YAHOYAH, though it has several features which make it a distinct piece of malware.[1]
Analyst context for executives and security teams
USBferry matters because it represents malware designed for information theft in environments where removable media can bridge network separation. For executives and security leaders, the key issue is not only malware detection on Windows endpoints, but whether air-gapped or restricted networks have enforceable controls, logging, and incident procedures for USB-based movement and data collection.
Executive priority
Prioritize USBferry as a resilience and governance concern where Windows systems, removable media, sensitive data, or segmented/air-gapped operations are in scope. Leaders should ask whether removable media use is approved, monitored, and auditable; whether SOC and IR teams can reconstruct activity on isolated systems; and whether compliance evidence exists for media handling, endpoint logging, and data protection controls.
Technical view
MITRE identifies USBferry as Windows information-stealing malware associated through ATT&CK relationships with data collection, host and network discovery, Windows command shell execution, removable media replication, peripheral discovery, and rundll32 proxy execution. SOC and IR teams should validate visibility for removable media insertions, file writes to and from removable drives, suspicious command shell activity, rundll32 execution patterns, local account/process/file discovery, and network configuration or connection enumeration on Windows hosts. Relationship context links use by Tropic Trooper, but local detection should be behavior-led rather than attribution-led.
Likely telemetry
- Windows endpoint process creation telemetry, especially cmd.exe and rundll32.exe execution context
- Removable media insertion, mounting, file copy, and write events
- Endpoint file system activity covering sensitive directories and removable drives
- Local account, process, file, directory, peripheral, and network discovery command evidence
- Network configuration and connection enumeration logs where available
Detection direction
- Confirm that Windows systems using removable media generate usable logs before, during, and after USB insertion events.
- Tune for suspicious combinations: removable media activity followed by command shell execution, discovery commands, file staging, or rundll32-based execution.
- Review allowlisting and false-positive handling for rundll32.exe because legitimate administrative and software activity can resemble abuse.
- Hunt for discovery behavior across local accounts, running processes, files/directories, network configuration, remote systems, peripherals, and active connections, especially on sensitive or segmented hosts.
- Do not rely on network-only monitoring for air-gapped or restricted environments; endpoint and removable-media telemetry may be the deciding evidence.
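As an added example (not part of the original page and not MITRE's or Glexia's own code), the Python below implements the correlation the list above describes: for each removable-media insertion on a Windows host, it collects follow-on command shell launches, discovery commands, non-allowlisted rundll32 execution, and file writes to the new drive letter within a short window, and alerts only when more than one signal class is present. The event records, host names, drive letters, paths and the rundll32 allowlist pattern are all constructed assumptions for illustration; the field names mimic process-creation and file-event telemetry but are not tied to any specific product.

```python
"""Correlate removable-media insertion with follow-on shell, discovery,
rundll32 and staging activity on a Windows host (added example; constructed data)."""
from datetime import datetime, timedelta
import re

# Constructed sample telemetry (not real logs). Timestamps are ISO-8601, local time.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:00:00", "host": "WS01", "type": "usb_insert", "drive": "E:"},
    {"ts": "2024-03-01T09:00:40", "host": "WS01", "type": "process_create",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c ipconfig /all", "parent": "explorer.exe"},
    {"ts": "2024-03-01T09:01:05", "host": "WS01", "type": "process_create",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c tasklist", "parent": "explorer.exe"},
    {"ts": "2024-03-01T09:02:10", "host": "WS01", "type": "process_create",
     "image": r"C:\Windows\System32\rundll32.exe", "cmdline": r"rundll32.exe E:\loader.dll,Start", "parent": "cmd.exe"},
    {"ts": "2024-03-01T09:03:00", "host": "WS01", "type": "file_write", "path": r"E:\collected\hosts.txt"},
    # Benign sequence: insertion followed only by an allowlisted Control Panel rundll32 call.
    {"ts": "2024-03-01T10:00:00", "host": "WS02", "type": "usb_insert", "drive": "F:"},
    {"ts": "2024-03-01T10:00:30", "host": "WS02", "type": "process_create",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL", "parent": "explorer.exe"},
    # Discovery hours later on WS01 falls outside the window and is not attributed to the insertion.
    {"ts": "2024-03-01T13:00:00", "host": "WS01", "type": "process_create",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c netstat -ano", "parent": "explorer.exe"},
]

WINDOW = timedelta(minutes=10)
# Discovery command names that map to the ATT&CK techniques listed for USBferry
# (account, process, network configuration/connection and remote system discovery).
DISCOVERY_RE = re.compile(r"\b(ipconfig|tasklist|netstat|net\s+(?:user|view)|systeminfo|whoami)\b", re.I)
# Hypothetical rundll32 allowlist; in practice build it from baselined hosts.
RUNDLL32_ALLOWLIST = (re.compile(r"shell32\.dll,Control_RunDLL", re.I),)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(event, drive):
    """Return the signal tags a single follow-on event contributes, or [] if benign."""
    tags = []
    if event["type"] == "process_create":
        image = _basename(event["image"])
        cmdline = event.get("cmdline", "")
        if image == "cmd.exe":
            tags.append("shell")
        if DISCOVERY_RE.search(cmdline):
            tags.append("discovery")
        if image == "rundll32.exe":
            if not any(p.search(cmdline) for p in RUNDLL32_ALLOWLIST):
                tags.append("rundll32")
            if (drive + "\\").lower() in cmdline.lower():  # DLL path on the removable drive
                tags.append("rundll32_from_removable")
    elif event["type"] == "file_write":
        if event["path"].upper().startswith(drive.upper()):
            tags.append("staging_to_removable")
    return tags


def correlate(events, window=WINDOW):
    """For each USB insertion, gather suspicious same-host follow-ons inside the window."""
    events = sorted(events, key=_ts)
    alerts = []
    for i, ins in enumerate(events):
        if ins["type"] != "usb_insert":
            continue
        t0, host, drive = _ts(ins), ins["host"], ins["drive"]
        signals = {}
        for ev in events[i + 1:]:
            if _ts(ev) - t0 > window:
                break  # events are time-sorted, so nothing later can be in the window
            if ev["host"] != host:
                continue
            for tag in classify(ev, drive):
                signals.setdefault(tag, []).append(ev["ts"])
        # Require two distinct signal classes so a lone shell launch after insertion does not alert.
        if len(signals) >= 2:
            alerts.append({"host": host, "drive": drive, "inserted": ins["ts"],
                           "signals": sorted(signals)})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The two-signal threshold and the allowlist are the tuning knobs the list points at: WS02 produces no alert because its only rundll32 call is allowlisted, while WS01 accumulates shell, discovery, rundll32 and staging signals inside ten minutes of the insertion. On a real estate the insertion events would come from the endpoint agent or Windows event logs, and the window should reflect how quickly operators can actually act on isolated hosts.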
Mitigation priorities
- Establish and enforce removable media policy for sensitive Windows environments, including approval, scanning, and audit requirements.
- Reduce unnecessary USB access and apply least-functionality controls where removable media is not operationally required.
- Maintain endpoint logging and response tooling that works for isolated or intermittently connected systems.
- Harden execution controls around removable media and commonly abused Windows utilities such as cmd.exe and rundll32.exe without assuming they can be blocked universally.
- Prepare IR procedures for evidence collection from air-gapped or segmented systems, including chain-of-custody and safe media handling.
Analyst notes and limits
The ATT&CK object provides no official detection text, so this take derives defensive direction from the official description and the listed technique relationships. The strongest decision value is in validating removable-media governance, Windows endpoint telemetry, and IR readiness for environments where network separation may create monitoring blind spots.
The supplied object lists Windows as the malware platform and does not specify tactics directly. Several related ATT&CK techniques have broader platform listings, but this summary does not extend USBferry beyond the supplied Windows platform. No claim is made about current activity, customer exposure, guaranteed detection, or impact beyond the official description and relationships.
USBferry
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1087.001 | Local Account Sub-technique | USBferry can use |
| Enterprise | T1018 | Remote System Discovery | USBferry can use |
| Enterprise | T1083 | File and Directory Discovery | USBferry can detect the victim's file or folder list.[1] |
| Enterprise | T1120 | Peripheral Device Discovery | USBferry can check for connected USB devices.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | USBferry can detect the infected machine's network topology using |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | USBferry can execute various Windows commands.[1] |
| Enterprise | T1091 | Replication Through Removable Media | USBferry can copy its installer to attached USB storage devices.[1] |
| Enterprise | T1218.011 | Rundll32 Sub-technique | USBferry can execute rundll32.exe in memory to avoid detection.[1] |
| Enterprise | T1005 | Data from Local System | USBferry can collect information from an air-gapped host machine.[1] |
| Enterprise | T1057 | Process Discovery | USBferry can use |
| Enterprise | T1049 | System Network Connections Discovery | USBferry can use |
Groups, software, and campaigns
G0081: Tropic Trooper
Tropic Trooper is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan, the Philippines, and Hong Kong. Tropic Trooper focuses on targeting government, healthcare, transportation, and high-tech industries and has been active since 2011.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 8f6f20438914… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] TrendMicro Tropic Trooper May 2020: Chen, J. (2020, May 12). Tropic Trooper's Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
- [2] mitre-attack S0452
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.