CyberProof’s MDR analysts have uncovered a multi-stage cryptomining attack delivered via infected USB devices, demonstrating the persistent threat of removable media in corporate environments.
The incident began with what appeared to be a simple USB infection but quickly escalated into a complex malware chain. According to the report, “CyberProof MDR analysts alerted Threat Hunters on an incident originating from an infected USB device that could lead to a backdoor infection and cryptomining through a multi-stage attack leveraging DLL search order hijacking and PowerShell to bypass security.”
Further investigation linked the activity to XMRig/Zephyr cryptominer campaigns, echoing tactics from earlier global operations. The researchers emphasized that “the malware was blocked by the organization’s EDR during the final stages of the miner attack”, preventing full execution.
In fact, similar activity was reported by Azerbaijan’s CERT in October 2024, which uncovered an extensive scheme dubbed Universal Mining. As CyberProof notes: “Azerbaijan’s CERT also reported about uncovering and disclosing information about a large-scale international cryptocurrency mining scheme, which they named ‘Universal Mining’.”
Telemetry data shows that the worm-like spread of infected USBs has reached multiple regions, with finance, healthcare, education, manufacturing, telecom, and oil & gas sectors among the most affected industries.
The infection typically begins when a user runs a malicious VBScript file stored on the USB device. The script is usually named with an "x" followed by six random digits (a name matching x\d{6}.vbs), and its only job is to start the next stage of the payload delivery.
The report explains: “This is followed by execution of a batch file via Command Prompt, as a child process of wscript… Note the launch of xcopy.exe to copy printui.exe from %system32% folder to newly created folder under the path – C:\Windows \System32 (note the extra space here).”
This path manipulation is what makes the DLL search order hijacking work. The directory with the trailing space ("C:\Windows \System32") is a separate, user-writable folder, yet some path checks normalise it onto the real System32. The copied printui.exe is launched from there, and because an executable's own directory is searched first in the default DLL search order, it picks up the attacker's printui.dll placed beside it instead of the genuine one in the real System32, and that sideloaded DLL carries the cryptominer code. In this case, security monitoring tools intercepted the behaviour before the miner could run.
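The chain described above maps onto a handful of process-creation and image-load events that an analyst can hunt for directly. The following detection logic is an added example written for this article, not code from CyberProof or from the report; the event layout mirrors Sysmon event IDs 1 and 7, the sample events are constructed to match the described chain, and the tag names are the example's own. It also shows why the trailing-space directory defeats naive path comparison: `canonical_path()` normalises the way Win32 does and makes the fake directory look identical to the real one, so the checks deliberately compare raw paths.

```python
import re
from dataclasses import dataclass

REAL_SYSTEM32 = "c:\\windows\\system32"


def canonical_path(path: str) -> str:
    """Mimic Win32 normalisation: trailing spaces and dots are stripped from each
    component, so 'C:\\Windows \\System32' collapses onto the real System32.
    This is exactly why a naive 'is it under System32?' check is fooled."""
    parts = path.replace("/", "\\").split("\\")
    return "\\".join(p.rstrip(" .") for p in parts).lower()


def has_trailing_space_component(path: str) -> bool:
    """True if any path component ends in a space or dot, the signature of the
    mock trusted directory trick (C:\\Windows \\System32)."""
    return any(p and p != p.rstrip(" .") for p in path.replace("/", "\\").split("\\"))


def tokens(command_line: str) -> list:
    """Split a command line into arguments, honouring double quotes, so that a
    quoted path containing spaces survives as a single token."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', command_line)]


@dataclass
class Event:
    event_id: int            # Sysmon numbering: 1 = process create, 7 = image load
    image: str
    parent_image: str = ""
    command_line: str = ""
    image_loaded: str = ""


# Launcher name pattern from the report: "x" followed by six digits, .vbs extension
USB_VBS = re.compile(r"(?i)(?:^|\\)x\d{6}\.vbs$")


def classify(ev: Event) -> list:
    """Return the detection tags (hypothetical names) that fire for one event."""
    hits = []
    img, parent = ev.image.lower(), ev.parent_image.lower()
    args = tokens(ev.command_line)
    if ev.event_id == 1:
        if img.endswith("\\wscript.exe") and any(USB_VBS.search(a) for a in args):
            hits.append("usb_vbs_launcher")
        if (img.endswith("\\cmd.exe") and parent.endswith("\\wscript.exe")
                and any(a.lower().endswith(".bat") for a in args)):
            hits.append("bat_from_wscript")
        if (img.endswith("\\xcopy.exe")
                and any(a.lower().endswith("printui.exe") for a in args)
                and any(has_trailing_space_component(a) for a in args)):
            hits.append("printui_copied_to_mock_dir")
        if img.endswith("\\printui.exe") and has_trailing_space_component(ev.image):
            hits.append("printui_run_from_mock_dir")
    elif ev.event_id == 7:
        loaded = ev.image_loaded.lower()
        # Compare the RAW directory: canonical_path() would erase the space and
        # make the sideloaded copy indistinguishable from the genuine DLL.
        if loaded.endswith("\\printui.dll") and loaded.rsplit("\\", 1)[0] != REAL_SYSTEM32:
            hits.append("printui_dll_sideloaded")
    return hits


def scan(events: list) -> list:
    """Classify every event; returns one tag list per event, in order."""
    return [classify(ev) for ev in events]


# Constructed sample telemetry following the chain in the article (drive letter,
# batch file name and digits are made up for illustration).
SAMPLE_EVENTS = [
    Event(1, "C:\\Windows\\System32\\wscript.exe", "C:\\Windows\\explorer.exe",
          "wscript.exe E:\\x482913.vbs"),
    Event(1, "C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\wscript.exe",
          "cmd.exe /c C:\\Users\\Public\\stage.bat"),
    Event(1, "C:\\Windows\\System32\\xcopy.exe", "C:\\Windows\\System32\\cmd.exe",
          'xcopy /y C:\\Windows\\System32\\printui.exe "C:\\Windows \\System32\\"'),
    Event(1, "C:\\Windows \\System32\\printui.exe", "C:\\Windows\\System32\\cmd.exe",
          '"C:\\Windows \\System32\\printui.exe"'),
    Event(7, "C:\\Windows \\System32\\printui.exe",
          image_loaded="C:\\Windows \\System32\\printui.dll"),
    # Benign baseline: the genuine binary loading the genuine DLL fires nothing.
    Event(1, "C:\\Windows\\System32\\printui.exe", "C:\\Windows\\explorer.exe",
          "printui.exe /s"),
    Event(7, "C:\\Windows\\System32\\printui.exe",
          image_loaded="C:\\Windows\\System32\\printui.dll"),
]

if __name__ == "__main__":
    for ev, tags in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(f"EID {ev.event_id} {ev.image!r}: {tags or 'clean'}")
```

Two points worth keeping when porting this to a real SIEM or EDR query: match the directory as a raw string (the space is the indicator, and most normalisers will silently remove it), and treat any execution of a copied auto-elevating Windows binary from outside its canonical directory as suspicious on its own, independent of which DLL it later loads.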

Despite decades of warnings, infected USB drives remain a viable entry vector for threat actors. As the report concludes: “The continued prevalence of cryptomining attacks originating from infected USB drives, even in mid-2025, serves as a powerful reminder of a fundamental security challenge.”