Cryptominer deployed via compromised USB devices
Infected USB devices have been used to compromise organizations in the U.S., Europe, Asia, Africa, and Australia with cryptomining malware related to XMRig or Zephyr as part of an attack campaign, according to Infosecurity Magazine.
Attackers leverage USB drives laced with a covert Visual Basic Script that copies files into the Windows System32 directory; those files are later used to sideload the DLL that downloads the cryptominer, according to a report from CyberProof's Managed Detection and Response team. Although the campaign was averted by endpoint detection and response tools, "the continued prevalence of cryptomining attacks originating from infected USB drives, even in mid-2025, serves as a powerful reminder of a fundamental security challenge," said CyberProof researchers. Organizations have been urged to better defend their systems against such compromise by adopting device control policies that block unsigned USB executables, disabling autorun and autoplay on all systems, deploying EDR solutions that detect obfuscated scripts, applying physical security measures, and strengthening protections for key system processes.
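The chain the researchers describe (a script host launched from removable media, that script writing into System32, and a System32-resident process then loading the dropped DLL) can be correlated from ordinary endpoint telemetry. The following is an added example, not code from the article or from CyberProof: it runs simple detection logic over a handful of constructed, Sysmon-style records. The event layout, the drive letter `E:`, the process IDs and the file names `example_sideload.dll` and `examplehost.exe` are all invented for the demonstration; the page names no such artifacts.

```python
import ntpath
import re
from dataclasses import dataclass

# Sysmon event IDs used here: 1 = process creation, 7 = image load, 11 = file creation.
PROCESS_CREATE, IMAGE_LOAD, FILE_CREATE = 1, 7, 11

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SYSTEM32 = re.compile(r"^c:\\windows\\system32\\", re.IGNORECASE)
DRIVE_REF = re.compile(r"\b([A-Z]):\\", re.IGNORECASE)


@dataclass
class Event:
    """Minimal, constructed stand-in for a Sysmon record (assumed layout)."""
    event_id: int
    pid: int
    image: str           # path of the process that generated the event
    command_line: str = ""
    target: str = ""     # file written (ID 11) or DLL loaded (ID 7)


@dataclass
class Finding:
    stage: str
    pid: int
    detail: str


def references_removable(command_line: str, removable: set) -> bool:
    """True if any drive letter in the command line belongs to a removable volume.
    The set of removable letters would come from device enumeration; here it is an input."""
    return any(m.group(1).upper() in removable for m in DRIVE_REF.finditer(command_line))


def detect_usb_script_chain(events, removable_drives):
    """Correlate the three stages of the chain and return Findings in the order seen."""
    removable = {d.upper() for d in removable_drives}
    findings = []
    suspect_pids = set()   # script hosts launched with a script on removable media
    staged_files = set()   # paths those hosts wrote under System32

    for ev in events:
        name = ntpath.basename(ev.image).lower()
        if (ev.event_id == PROCESS_CREATE and name in SCRIPT_HOSTS
                and references_removable(ev.command_line, removable)):
            suspect_pids.add(ev.pid)
            findings.append(Finding("script_host_from_removable", ev.pid, ev.command_line))
        elif ev.event_id == FILE_CREATE and ev.pid in suspect_pids and SYSTEM32.match(ev.target):
            staged_files.add(ev.target.lower())
            findings.append(Finding("script_host_wrote_system32", ev.pid, ev.target))
        elif (ev.event_id == IMAGE_LOAD and ev.target.lower() in staged_files
                and ev.target.lower().endswith(".dll") and SYSTEM32.match(ev.image)):
            findings.append(Finding("sideload_of_staged_dll", ev.pid,
                                    f"{ev.image} loaded {ev.target}"))
    return findings


# Constructed sample telemetry: one benign script launch followed by the three stages.
SAMPLE_EVENTS = [
    # benign: a logon script run from the user's profile on the fixed disk
    Event(PROCESS_CREATE, 4100, r"C:\Windows\System32\wscript.exe",
          r'wscript.exe "C:\Users\alice\logon.vbs"'),
    # stage 1: script host launched with a script on removable drive E: (constructed)
    Event(PROCESS_CREATE, 4212, r"C:\Windows\System32\wscript.exe",
          r'wscript.exe //B "E:\autorun\update.vbs"'),
    # stage 2: that script host drops a DLL into System32 (placeholder file name)
    Event(FILE_CREATE, 4212, r"C:\Windows\System32\wscript.exe",
          target=r"C:\Windows\System32\example_sideload.dll"),
    # stage 3: a System32-resident process loads the dropped DLL (placeholder host)
    Event(IMAGE_LOAD, 4380, r"C:\Windows\System32\examplehost.exe",
          target=r"C:\Windows\System32\example_sideload.dll"),
]

if __name__ == "__main__":
    for f in detect_usb_script_chain(SAMPLE_EVENTS, {"E"}):
        print(f"[{f.stage}] pid={f.pid} {f.detail}")
```

The benign launch from `C:\Users` produces no finding, and the later stages only fire for a script host that was itself flagged, so a DLL written into System32 by an unrelated installer does not trip the sideload rule. In a real deployment the removable-drive set would be populated from the host's volume enumeration rather than passed in by hand.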