A recent investigation by Elastic Security Labs has uncovered a targeted campaign against a South Asian financial institution. While the malware involved lacks the high-gloss polish of elite state-sponsored tools, its functional design proves that even “inexperienced” developers can build a platform capable of significant damage.
The intrusion revolves around two custom binaries: BRUSHWORM, a modular backdoor, and BRUSHLOGGER, a keylogger designed to stay hidden through DLL side-loading.
BRUSHWORM acts as the campaign’s primary implant. It is a multitasking tool responsible for installation, C2 communication, and, most notably, spreading like a digital virus through removable media.
Upon execution, the malware performs a series of “straightforward” environment checks to detect if it is being analyzed in a sandbox.
- Evasion: It checks for screen resolutions smaller than 1024×768 and monitors for mouse movement over a 5-minute window; if no movement is detected, it terminates.
- Persistence: To ensure it survives a system reboot, it creates a Windows scheduled task named MSGraphics.
One of the most dangerous features of BRUSHWORM is its ability to operate in “Offline Mode”. If the malware fails its internet connectivity check, it doesn’t give up. Instead, it copies stolen files and itself to any connected USB drives using lure filenames like Salary Slips.exe and Important.exe.
“This behavior serves as a data exfiltration bridge for environments with restricted or air-gapped network access using USB drives to physically carry stolen data off the network.”
Supplementing the backdoor is BRUSHLOGGER, a 32-bit DLL that masquerades as the legitimate libcurl.dll library.
BRUSHLOGGER uses a low-level keyboard hook to capture keystrokes system-wide. Unlike simple loggers, it tracks the window context, recording exactly which application the victim was typing in along with a timestamp. To hide its tracks, it saves these logs in an XOR-encrypted format using the hardcoded key 0x43.
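For analysts who recover one of these log files, the following is an added forensic helper (not Elastic’s code and not part of the report): it decrypts a single-byte-XOR log using the reported key 0x43, and can also brute-force the key if a variant uses a different one. The log line layout (timestamp | window title | keystrokes) and the sample content are constructed assumptions, since the article does not describe the exact on-disk format.

```python
from typing import List, Optional

# Key reported for BRUSHLOGGER; the line format below is an assumption.
BRUSHLOGGER_KEY = 0x43


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR: the same operation both encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def plausibility_score(data: bytes) -> int:
    """Score how much a candidate plaintext looks like a keystroke log:
    spaces and lowercase letters dominate real typing, control bytes do not."""
    score = 0
    for b in data:
        if b == 0x20:
            score += 3
        elif 0x61 <= b <= 0x7A:
            score += 2
        elif 32 <= b < 127 or b in (9, 10, 13):
            score += 1
        else:
            score -= 5
    return score


def recover_xor_key(blob: bytes) -> int:
    """Try all 256 single-byte keys and return the most plausible one;
    useful if a sample deviates from the documented 0x43 key."""
    return max(range(256), key=lambda k: plausibility_score(xor_bytes(blob, k)))


def decode_keylog(blob: bytes, key: Optional[int] = None) -> List[str]:
    """Decrypt a log blob (recovering the key if none is given) and split
    it into non-empty lines for review."""
    if key is None:
        key = recover_xor_key(blob)
    text = xor_bytes(blob, key).decode("ascii", errors="replace")
    return [line for line in text.splitlines() if line]


# Constructed sample: a plausible decrypted log, then encrypted with 0x43.
SAMPLE_PLAINTEXT = (
    b"2024-01-15 09:12:03 | Online Banking - Chrome | user123\n"
    b"2024-01-15 09:12:09 | Online Banking - Chrome | Sup3rSecret!\n"
)
SAMPLE_ENCRYPTED = xor_bytes(SAMPLE_PLAINTEXT, BRUSHLOGGER_KEY)

if __name__ == "__main__":
    print("recovered key: 0x%02x" % recover_xor_key(SAMPLE_ENCRYPTED))
    for line in decode_keylog(SAMPLE_ENCRYPTED):
        print(line)
```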

Researchers noted several implementation flaws that suggest the author might be relatively new to the game. For instance, the backdoor writes its decrypted configuration to disk in cleartext before deleting it, a mistake that leaves a clear trail for investigators.
“We assess with moderate confidence that the author is relatively inexperienced and may have leveraged AI code-generation tools during development without fully reviewing the output.”
Despite these “low sophistication” flaws, the campaign remains a threat because it works. The combination of modular payload loading, USB propagation, and broad file theft creates a “functional collection platform” that is actively being refined.