S1230: HIUPAN
HIUPAN (aka U2DiskWatch) is a worm that propagates through removable drives. It is known to be leveraged by Mustang Panda and was first observed in use in 2024. [1][2]
Analyst context for executives and security teams
HIUPAN is a Windows worm associated in ATT&CK with removable-drive propagation. Its practical significance is that infection paths may cross normal network boundaries, including environments where USB media is used to move files between isolated or operational systems. Even without an official ATT&CK detection section, the related behaviors point defenders toward removable media activity, user-executed malicious files, registry persistence, hidden files, DLL abuse, and discovery of processes and peripherals.
Executive priority
Treat this as a control-validation issue for removable media governance and endpoint visibility. Leaders should ask whether the organization can prove where removable drives are used, whether execution from those drives is controlled, whether Windows startup and registry persistence are monitored, and whether incident response playbooks cover malware movement through USB media. This matters for business continuity where isolated, field, lab, manufacturing, or sensitive administrative systems rely on portable storage.
Technical view
For SOC, detection engineering, and IR teams, the supplied ATT&CK relationships make the validation path clear: focus on Windows endpoints and correlate removable media insertion or file creation with execution, hidden file attributes, registry modification, Run key or Startup folder persistence, DLL loading behavior, peripheral discovery, process discovery, and delayed execution patterns. Because ATT&CK provides no official detection text for HIUPAN, coverage should be assessed through the related techniques rather than malware-specific signatures alone.
Likely telemetry
- Windows removable media insertion and volume mount events
- File creation, rename, copy, and execution events on removable drives
- Endpoint process creation and parent-child process relationships
- Windows Registry modification events, especially persistence-related locations
- Run key and Startup folder change monitoring
Detection direction
- Build correlations around USB insertion followed by executable, script, shortcut, DLL, or document execution from the removable volume or from files copied shortly after insertion.
- Tune for persistence evidence: new or modified Run keys, Startup folder entries, and registry changes occurring near removable media activity.
- Review hidden file or directory creation on removable drives and local staging paths; account for legitimate administrative tools and software installers to reduce false positives.
- Correlate process discovery and peripheral discovery activity with removable-media execution rather than treating those behaviors as high-confidence by themselves.
- Validate DLL abuse visibility by confirming endpoint telemetry captures module loads and suspicious DLL placement near user-writable or removable-media paths.
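The correlation described in the technical view and the detection bullets above, as an added example that is not part of the ATT&CK object, the cited reports, or Glexia's tooling. It assumes a constructed, normalised event schema (volume mount, process creation, registry value set); mapping real sources such as Sysmon process and registry events or EDR volume-mount telemetry onto that schema is left to the reader. The registry paths are the ones named in the relationship rows on this page; the sample telemetry is constructed.

```python
"""Correlate removable-media activity with execution and persistence.

Added example for this page; not part of the ATT&CK object, the cited reports,
or Glexia's tooling. Events use a constructed, normalised schema (kind,
timestamp, host, fields). Mapping real sources onto it is an assumption left
to the reader.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List

# Registry locations taken from the ATT&CK relationship rows on this page.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
EXPLORER_ADVANCED = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
# Explorer\Advanced values that control hidden-file and extension visibility.
VISIBILITY_VALUES = {"Hidden", "HideFileExt", "ShowSuperHidden"}


@dataclass
class Event:
    kind: str            # volume_mount | process_create | registry_set
    ts: datetime
    host: str
    fields: Dict[str, str] = field(default_factory=dict)


def _norm(path: str) -> str:
    """Case-fold and use backslashes so registry and file paths compare cleanly."""
    return path.replace("/", "\\").lower()


def correlate(events: List[Event], window: timedelta = timedelta(minutes=10)) -> List[dict]:
    """Return alerts for (a) execution from a removable volume shortly after it
    was mounted and (b) Run-key or Explorer-visibility registry writes that
    follow such an execution on the same host within `window`."""
    alerts: List[dict] = []
    mounts: Dict[str, List[tuple]] = {}             # host -> [(mount time, drive)]
    last_removable_exec: Dict[str, datetime] = {}   # host -> time of last flagged exec

    def within(later: datetime, earlier: datetime) -> bool:
        return timedelta(0) <= later - earlier <= window

    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "volume_mount" and ev.fields.get("drive_type") == "removable":
            mounts.setdefault(ev.host, []).append((ev.ts, ev.fields["drive"].lower()))

        elif ev.kind == "process_create":
            image = _norm(ev.fields["image"])
            for mount_ts, drive in mounts.get(ev.host, []):
                if image.startswith(drive + "\\") and within(ev.ts, mount_ts):
                    alerts.append({"host": ev.host, "ts": ev.ts, "technique": "T1091/T1204.002",
                                   "detail": f"execution from removable volume: {ev.fields['image']}"})
                    last_removable_exec[ev.host] = ev.ts
                    break

        elif ev.kind == "registry_set":
            exec_ts = last_removable_exec.get(ev.host)
            if exec_ts is None or not within(ev.ts, exec_ts):
                continue  # registry change with no nearby removable-media execution: not correlated
            key = _norm(ev.fields["key"])
            if key.startswith(_norm(RUN_KEY)):
                alerts.append({"host": ev.host, "ts": ev.ts, "technique": "T1547.001",
                               "detail": f"Run key write after removable execution: {ev.fields.get('value')}"})
            elif key == _norm(EXPLORER_ADVANCED) and ev.fields.get("value") in VISIBILITY_VALUES:
                alerts.append({"host": ev.host, "ts": ev.ts, "technique": "T1112/T1564.001",
                               "detail": f"Explorer visibility value changed: {ev.fields.get('value')}"})
    return alerts


def sample_events() -> List[Event]:
    """Constructed telemetry: WS01 shows the full chain; WS02 and WS03 must not alert."""
    t0 = datetime(2025, 1, 15, 9, 0, 0)
    return [
        Event("volume_mount", t0, "WS01", {"drive": "E:", "drive_type": "removable"}),
        Event("process_create", t0 + timedelta(seconds=42), "WS01",
              {"image": r"E:\USBConfig.exe", "parent": r"C:\Windows\explorer.exe"}),
        Event("registry_set", t0 + timedelta(seconds=70), "WS01",
              {"key": RUN_KEY, "value": "UpdaterSvc", "data": r"C:\Users\Public\svc.exe"}),  # constructed
        Event("registry_set", t0 + timedelta(seconds=72), "WS01",
              {"key": EXPLORER_ADVANCED, "value": "Hidden", "data": "2"}),
        # WS02: ordinary activity with no removable media involved.
        Event("process_create", t0 + timedelta(minutes=5), "WS02",
              {"image": r"C:\Windows\System32\notepad.exe"}),
        Event("registry_set", t0 + timedelta(minutes=6), "WS02", {"key": RUN_KEY, "value": "OneDrive"}),
        # WS03: removable mount, but the execution from it falls outside the window.
        Event("volume_mount", t0 - timedelta(hours=1), "WS03", {"drive": "F:", "drive_type": "removable"}),
        Event("process_create", t0 - timedelta(minutes=30), "WS03", {"image": r"F:\setup.exe"}),
    ]


def demo() -> List[dict]:
    return correlate(sample_events())


if __name__ == "__main__":
    for a in demo():
        print(a["ts"].time(), a["host"], a["technique"], a["detail"])
```

The registry rules fire only after a removable-volume execution on the same host, which is what keeps ordinary Run-key writes (WS02) and stale mounts (WS03) quiet; widen the window or also key off the mount itself if your environment sees slow manual execution after insertion.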
Mitigation priorities
- Prioritize removable media policy and technical controls, including restricting or approving USB storage use where business processes allow.
- Disable or limit automatic execution behavior for removable media and require scanning before files are opened or transferred.
- Reduce execution risk from portable media through application control, least privilege, and blocking untrusted executables where feasible.
- Monitor and protect Windows registry persistence locations and Startup folders from unauthorized change.
- Train users and administrators who handle removable media to report unexpected files, shortcuts, hidden content, or prompts to run files.
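A baseline check for the registry-backed controls in the mitigation list above, as an added example that is not drawn from the ATT&CK object or the cited reports. The two snapshots are constructed (a weak configuration beside the hardened one); the settings it checks (the NoDriveTypeAutoRun bitmask, the RemovableStorageDevices Deny_All policy value, and the Explorer\Advanced Hidden and HideFileExt values) are documented Windows settings, but the expectation that all of them are set is this example's assumption and should be reconciled with local policy. The live-registry reader is an assumed helper, Windows-only, and is not exercised here.

```python
"""Audit Windows registry state against a removable-media hardening baseline.

Added example, not from the ATT&CK object or the cited reports. Snapshots are
constructed dicts; read_live_snapshot() is an assumed helper for Windows hosts.
"""
import sys
from typing import Dict, List, Optional

Snapshot = Dict[str, Dict[str, Optional[int]]]   # key path -> {value name: DWORD}

AUTORUN_POLICY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
STORAGE_POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices"
EXPLORER_ADVANCED = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

# Bit in NoDriveTypeAutoRun that disables AutoRun for removable drives;
# 0xFF disables it for every drive type.
DRIVE_REMOVABLE_BIT = 0x04


def audit(snapshot: Snapshot) -> List[dict]:
    """Return one finding per baseline deviation (empty list means compliant)."""
    def get(key: str, name: str) -> Optional[int]:
        return snapshot.get(key, {}).get(name)

    findings: List[dict] = []

    autorun = get(AUTORUN_POLICY_KEY, "NoDriveTypeAutoRun")
    if autorun is None or not autorun & DRIVE_REMOVABLE_BIT:
        findings.append({"control": "autorun", "key": AUTORUN_POLICY_KEY, "value": "NoDriveTypeAutoRun",
                         "observed": autorun, "expected": "bit 0x04 set (0xFF recommended)"})

    deny_all = get(STORAGE_POLICY_KEY, "Deny_All")
    if deny_all != 1:
        findings.append({"control": "removable-storage", "key": STORAGE_POLICY_KEY, "value": "Deny_All",
                         "observed": deny_all, "expected": 1,
                         "note": "acceptable only where an approval process replaces the block"})

    # Explorer visibility: Hidden=1 shows hidden items, HideFileExt=0 shows extensions.
    # The T1112/T1564.001 rows on this page describe HIUPAN tampering with this key.
    for name, expected in (("Hidden", 1), ("HideFileExt", 0)):
        observed = get(EXPLORER_ADVANCED, name)
        if observed != expected:
            findings.append({"control": "visibility", "key": EXPLORER_ADVANCED, "value": name,
                             "observed": observed, "expected": expected})
    return findings


# Constructed snapshots: the weak one leaves AutoRun enabled for removable drives,
# has no storage policy, and conceals hidden files and extensions.
WEAK_SNAPSHOT: Snapshot = {
    AUTORUN_POLICY_KEY: {"NoDriveTypeAutoRun": 0x91},
    EXPLORER_ADVANCED: {"Hidden": 2, "HideFileExt": 1},
}
HARDENED_SNAPSHOT: Snapshot = {
    AUTORUN_POLICY_KEY: {"NoDriveTypeAutoRun": 0xFF},
    STORAGE_POLICY_KEY: {"Deny_All": 1},
    EXPLORER_ADVANCED: {"Hidden": 1, "HideFileExt": 0},
}


def read_live_snapshot() -> Snapshot:
    """Assumed helper: populate a snapshot from the local registry (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("live registry read requires Windows")
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    wanted = {AUTORUN_POLICY_KEY: ["NoDriveTypeAutoRun"], STORAGE_POLICY_KEY: ["Deny_All"],
              EXPLORER_ADVANCED: ["Hidden", "HideFileExt"]}
    snap: Snapshot = {}
    for path, names in wanted.items():
        hive, sub = path.split("\\", 1)
        snap[path] = {}
        try:
            with winreg.OpenKey(hives[hive], sub) as k:
                for n in names:
                    try:
                        snap[path][n] = winreg.QueryValueEx(k, n)[0]
                    except FileNotFoundError:
                        snap[path][n] = None
        except FileNotFoundError:
            pass  # key absent: every value reads as None and is reported
    return snap


if __name__ == "__main__":
    for f in audit(WEAK_SNAPSHOT):
        print(f["control"], f["value"], "observed", f["observed"], "expected", f["expected"])
```

A missing key is reported the same way as a wrong value, so an unmanaged host shows every control as a finding; treat the Deny_All result as a policy question rather than a defect where removable storage is deliberately approved.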
Analyst notes and limits
ATT&CK identifies HIUPAN, also known as U2DiskWatch, as a removable-drive-propagating worm leveraged by Mustang Panda and first observed in 2024, based on the supplied IBM and Trend Micro references. The relationship set is especially useful because it maps the malware to concrete behaviors defenders can validate: T1091, T1204.002, T1112, T1547.001, T1564.001, T1574.001, T1120, T1057, and T1678.
The official object has no ATT&CK detection guidance and no tactics specified at the malware-object level. This take does not assert current exploitation, customer exposure, or guaranteed detection. Local control evidence, endpoint telemetry quality, and removable-media business processes are required to determine actual risk and coverage.
HIUPAN
HIUPAN (aka U2DiskWatch) is a worm that propagates through removable drives. It is known to be leveraged by Mustang Panda and was first observed in use in 2024. [1][2]
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1091 | Replication Through Removable Media | HIUPAN has periodically checked for removable and hot-plugged drives connected to the infected machine. When one is found, HIUPAN propagates to the removable drive by copying itself and accompanying malware components into a hidden subdirectory on the new drive. |
| Enterprise | T1112 | Modify Registry | HIUPAN has modified registry keys to ensure hidden files and file extensions are not visible, through modification of `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced`. [1][2] |
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1678 | Delay Execution | HIUPAN has used a config file “$.ini” to store a sleep multiplier, waiting for the resulting interval before initiating a watcher function that checks for a specific running process, then checks for removable drives and installs itself and supporting files if one is available. [1][2] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | HIUPAN has added Registry Run keys to achieve persistence using `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`. [1][2] |
| Enterprise | T1204.002 | Malicious File Sub-technique | HIUPAN has lured victims into executing malicious files from USBs, including files such as USBconfig.exe. [1][2] |
| Enterprise | T1564.001 | Hidden Files and Directories Sub-technique | HIUPAN has modified registry keys to ensure hidden files and file extensions are not visible, through modification of `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced`. [1][2] |
| Enterprise | T1574.001 | DLL Sub-technique | HIUPAN has abused legitimate executables to side-load malicious DLLs, including the legitimate executable UsbConfig.exe. [1][2] |
| Enterprise | T1120 | Peripheral Device Discovery | HIUPAN has checked periodically for removable drives and installs itself when a drive is detected. [1][2] |
Groups, software, and campaigns
G0129: Mustang Panda
Mustang Panda is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. Mustang Panda has been known to use tailored phishing lures and decoy documents to deliver malicious payloads. Mustang Panda has targeted government, diplomatic, and non-governmental organizations, including think tanks, religious institutions, and research entities, across the United States, Europe, and Asia, with notable activity in Russia, Mongolia, Myanmar, Pakistan, and Vietnam. [1][2][3][4][5][6][7][8][9][10][11][12][13]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 3279ebfc4b9b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA
Golo Muhr, Joshua Chung. (2025, May 15). Hive0154 targeting US, Philippines, Pakistan and Taiwan in suspected espionage campaign. Retrieved August 4, 2025.
[2] Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024
Lenart Bermejo, Sunny Lu, Ted Lee. (2024, September 9). Earth Preta Evolves its Attacks with New Malware and Strategies. Retrieved August 4, 2025.
[3] mitre-attack S1230
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.