USB Malware Chained with Text Strings on Legitimate Websites Attacks Users

Despite the evolution of several tools and tactics, threat actors still go with the traditional approach to attack victims for malicious purposes. One such threat actor is UNC4990, which uses USB devices to exploit victims. UNC4990 is a financially motivated threat actor and has been conducting campaigns since 2020.

There has been a continuous evolution of this threat actor’s activities. With that being said, the recent tactics involved the use of popular and legitimate websites such as GitHub, GitLab, Ars Technica and Vimeo. 

In addition, the threat actor has been using EMPTYSPACE downloader and QUIETBOARD backdoor. EMPTYSPACE is capable of executing any payload served from the command and control servers, and QUIETBOARD is also delivered using EMPTYSPACE.

Run Free ThreatScan on Your Mailbox

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .

USB Malware Chained with Text Strings

Initial Vector

According to the reports shared with Cyber Security News, the threat actor begins the infection chain by delivering the USB drives to the victims by any means of social engineering. Once the victim connects the USB to their device, the USB removable device is shown with a shortcut (.LNK extension) under the vendor name.

Infection Chain | Source : Mandiant

When the victims open this malicious LNK shortcut file, it executes a PowerShell script (explorer.ps1), which contains the following command. 

“C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle has hidden -NoProfile -nologo -ExecutionPolicy ByPass -File explorer.ps1”

The explorer.ps1 is an encoded PowerShell script that checks for specific conditions and fetches the Runtime Broker.exe, which is the EMPTY SPACE downloader. 


From the beginning of 2023, the threat actor replaced GitHub with Vimeo, a video-sharing website. A video was added to Vimeo in which the description had the hard-coded payload. However, this video was removed now. Additionally, the Vimeo URL was also embedded inside the explorer.ps1 script.

In mid of December 2023, it was discovered that the threat actor had been using Ars Technica by using an image embedded with the payload. As a backup, the threat actor had also updated the EMPTY SPACE serving URL, which had an additional string.

Furthermore, there have been several versions of EMPTYSPACE loader used by the threat actor, such as the Node JS version, .NET version, and Python version alongside QUIETBOARD.

This Python-based backdoor can execute arbitrary code, cryptocurrency theft, USB drive infection, screenshotting, information gathering, and C2 communications.

Indicators of Compromise

Host-based IOCs

IOCSHA-256Associated Malware Family
explorer.ps172f1ba6309c98cd52ffc99dd15c45698dfca2d6ce1ef0bf262433b5dfff084bePowerShell Script
%TEMP%\Runtime Broker.exea4f20b60a50345ddf3ac71b6e8c5ebcb9d069721b0b0edc822ed2e7569a0bb40EMPTYSPACE Downloader (Node.JS Variant)
Runtime Broker.exe8a492973b12f84f49c52216d8c29755597f0b92a02311286b1f75ef5c265c30dEMPTYSPACE Downloader (.NET Variant)
C:\Program Files (x86)\WinSoft Update Service\bootstrap.pycV1: 060882f97ace7cb6238e714fd48b3448939699e9f085418af351c42b401a1227EMPTYSPACE Downloader (Python Variant)
V2: 8c25b73245ada24d2002936ea0f3bcc296fdcc9071770d81800a2e76bfca3617
V3: b9ffba378d4165f003f41a619692a8898aed2e819347b25994f7a5e771045217
V4: 84674ae8db63036d1178bb42fa5d1b506c96b3b22ce22a261054ef4d021d2c69
C:\Program Files (x86)\WinSoft Update Service\program.pyz15d977dae1726c2944b0b4965980a92d8e8616da20e4d47d74120073cbc701b3QUIETBOARD Backdoor
C:\windows\runtimebroker .exe71c9ce52da89c32ee018722683c3ffbc90e4a44c5fba2bd674d28b573fba1fdcQUIETBOARD associated file
C:\Program Files (x86)\pyt37\python37.zip539a79f716cf359dceaa290398bc629010b6e02e47eaed2356074bffa072052fQUIETBOARD associated file

Network-Based IOCs


  • hxxps://bobsmith.apiworld[.]cf/license.php
  • hxxps://arstechnica[.]com/civis/members/frncbf22.1062014/about/
  • hxxps://evinfeoptasw.dedyn[.]io/updater.php
  • hxxps://wjecpujpanmwm[.]tk/updater.php?from=USB1
  • hxxps://eldi8.github[.]io/src.txt
  • hxxps://evh001.gitlab[.]io/src.txt
  • hxxps://vimeo[.]com/api/v2/video/804838895.json
  • hxxps[://]monumental[.]ga/wp-admin[.]php
  • hxxp[://]studiofotografico35mm[.]altervista[.]org/updater[.]php
  • hxxp[://]ncnskjhrbefwifjhww[.]tk/updater[.]php
  • hxxp[://]geraldonsboutique[.]altervista[.]org/updater[.]php
  • hxxps[://]wjecpujpanmwm[.]tk/updater[.]php
  • hxxps[://]captcha[.]grouphelp[.]top/updater[.]php
  • hxxps[://]captcha[.]tgbot[.]it/updater[.]php
  • hxxps://[.]org/runservice/api/public.php
  • hxxps[://]luke[.]compeyson[.]eu[.]org/wp-admin[.]php
  • hxxps://[.]org/runservice/api/public_result.php
  • hxxps://eu1.microtunnel[.]it/c0s1ta/index.php
  • hxxps[://]davebeerblog[.]eu[.]org/wp-admin[.]php
  • hxxps://lucaespo.altervista[.]org/updater.php
  • hxxps://lucaesposito.herokuapp[.]com/c0s1ta/index.php
  • hxxps://euserv3.herokuapp[.]com/c0s1ta/index.php
Eswar is a Cyber security reporter with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is reporting data breach, Privacy and APT Threats.