S1230 HIUPAN
HIUPAN (aka U2DiskWatch) is a worm that propagates through removable drives. It is known to be leveraged by Mustang Panda and was first observed in use in 2024. [1][2]
| Item | Value |
|---|---|
| ID | S1230 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 06 August 2025 |
| Last Modified | 21 October 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | HIUPAN has added Registry Run keys to achieve persistence using HKCU\Software\Microsoft\Windows\CurrentVersion\Run. [1][2] |
| enterprise | T1678 | Delay Execution | HIUPAN has used a config file, “$.ini”, to store a sleep multiplier so that it waits a set interval before initiating a watcher function. The watcher checks for a specific running process, checks for removable drives, and installs HIUPAN and its supporting files if a drive is available. [1][2] |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.001 | Hidden Files and Directories | HIUPAN has modified registry keys under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced to ensure hidden files and extensions are not visible. [1][2] |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.001 | DLL | HIUPAN has abused legitimate executables, including UsbConfig.exe, to side-load malicious DLLs. [1][2] |
| enterprise | T1112 | Modify Registry | HIUPAN has modified registry keys under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced to ensure hidden files and extensions are not visible. [1][2] |
| enterprise | T1120 | Peripheral Device Discovery | HIUPAN has checked periodically for removable drives and installs itself when a drive is detected. [1][2] |
| enterprise | T1057 | Process Discovery | HIUPAN has conducted process discovery to identify the PUBLOAD malware under the process WCBrowserWatcher.exe and will launch it from an install directory if it is not found. [2] |
| enterprise | T1091 | Replication Through Removable Media | HIUPAN has periodically checked for removable and hot-plugged drives connected to the infected machine. Should one be found, HIUPAN will propagate to the removable drive by copying itself and accompanying malware components to a hidden subdirectory on the new drive, <Drive_Letter>:\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\, and hides any other existing files to ensure UsbConfig.exe is the only visible file on the device. [1][2] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | HIUPAN has lured victims into executing malicious files from USBs including the use of files such as USBconfig.exe. [1][2] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0129 | Mustang Panda | [1][2] |
References
1. Golo Muhr, Joshua Chung. (2025, May 15). Hive0154 targeting US, Philippines, Pakistan and Taiwan in suspected espionage campaign. Retrieved August 4, 2025.
2. Lenart Bermejo, Sunny Lu, Ted Lee. (2024, September 9). Earth Preta Evolves its Attacks with New Malware and Strategies. Retrieved August 4, 2025.