Reused USB Drives Linked to China Spread Malware to Private Sector

Counterfeit flash drives embedded with a Chinese-linked computer virus and used by the Japanese army are now dispensing malware throughout other secure networks in the country.
First reported by The Nikkei newspaper, the virus was overlooked until February 2025, when military personnel reported slower device speeds – almost a full year after the flash drives were delivered to Japan’s Self-Defense Forces in March 2024.
According to internal documents, the original source of procurement for the drives is no longer verifiable. An investigation by the army’s Cyber Defense Unit found that six of eight USB drives analyzed contained the malicious program, with more than 50 out of 480 computers infected. Roughly half of the computers affected ran on closed internal networks.
Both Japan’s Self-Defense Forces and Defense Ministry rely on open and closed systems, using closed or isolated networks for storing classified military data such as unit movements or orders, often transferring data externally with USB flash drives.
The Defense Ministry said the malware had “no impact” on military systems, with no evidence of “information exfiltration or external communication.”
Researchers attribute the malware spread to users connecting the counterfeit drives to computers and reusing the devices on any number of non-government systems, allowing the infection to spread beyond military networks and into private-sector organizations.
The malware family is linked to Chinese-aligned APT group Mustang Panda, though no attribution has been publicly confirmed. Also known as Earth Preta or Camaro Dragon, the threat group is linked to several cyberespionage campaigns using removable or portable media to load viruses, gain network access and exfiltrate sensitive data.
The reality is that portable media is critical to how infrastructure operates and is likely here to stay, said InfraShield President and CEO Mark Rorabaugh.
“Portable media is not going away. Critical infrastructure operators rely on USB drives and other removable media every day for software updates, diagnostics, engineering activities, data collection and vendor support,” Rorabaugh said.
“The goal should not be to eliminate portable media, but to manage it securely.”
Blended cyber-physical operations are often overlooked in the broader cyberthreat landscape. They rely on human behavior and social engineering as much as on technological gaps, and most people view USB drives as “convenient productivity” tools rather than as a “potential weapon” used against secure environments.
Rorabaugh offered a sentiment well-aligned with military operations: “Introducing an unauthorized USB device into a secure environment is the cyber equivalent of carrying a live grenade through the front door of a protected facility.”
According to The Nikkei, malicious flash drives remain for sale through online retailers in China, but the newspaper didn’t disclose the specific malware family targeting Japan’s primary military branch. USB usage for file and information sharing is a core component of many major industries such as healthcare, education, manufacturing and finance – some of which are now reporting similar infections on closed systems in Japan.
In recent years, U.S. intelligence agencies have warned of an increase in sophisticated cyberattacks carried out by China-linked hackers and threat groups through embedded malware campaigns against the United States and other countries.
In the United States alone, law firms, major telecoms and even professional social media platforms such as LinkedIn have been exploited, with removable or portable media representing just one resource in China’s vast cyberespionage toolkit.
