HIUPAN

HIUPAN (aka U2DiskWatch) is a worm that propagates through removable drives. It is known to be leveraged by Mustang Panda and was first observed in use in 2024. [1][2]

ID: S1230
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 06 August 2025
Last Modified: 21 October 2025

Techniques Used

Domain ID Name Use
Enterprise T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

HIUPAN has added Registry Run keys to achieve persistence using HKCU\Software\Microsoft\Windows\CurrentVersion\Run.[1][2]

Enterprise T1678 Delay Execution

HIUPAN has used a config file, "$.ini", to store a sleep multiplier that sets the interval it waits before initiating a watcher function. The watcher checks for a specific running process, checks for removable drives, and installs HIUPAN and its supporting files if a drive is available.[1][2]

Enterprise T1564.001 Hide Artifacts: Hidden Files and Directories

HIUPAN has modified registry keys under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced to ensure hidden files and extensions are not visible.[1][2]

Enterprise T1574.001 Hijack Execution Flow: DLL

HIUPAN has abused legitimate executables, including UsbConfig.exe, to side-load malicious DLLs.[1][2]

Enterprise T1112 Modify Registry

HIUPAN has modified registry keys under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced to ensure hidden files and extensions are not visible.[1][2]

Enterprise T1120 Peripheral Device Discovery

HIUPAN has periodically checked for removable drives and installed itself when a drive was detected.[1][2]

Enterprise T1057 Process Discovery

HIUPAN has conducted process discovery to identify the PUBLOAD malware under the process WCBrowserWatcher.exe and will launch it from an install directory if it is not found.[2]

Enterprise T1091 Replication Through Removable Media

HIUPAN has periodically checked for removable and hot-plugged drives connected to the infected machine. Should one be found, HIUPAN will propagate to the removable drive by copying itself and accompanying malware components to a hidden subdirectory on the new drive, <Drive_Letter>:\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\, and hide any other existing files to ensure UsbConfig.exe is the only visible file on the device.[1][2]

Enterprise T1204.002 User Execution: Malicious File

HIUPAN has lured victims into executing malicious files from USBs including the use of files such as USBconfig.exe.[1][2]
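
The registry and removable-drive behaviours listed above can be turned into simple triage checks. The following is an added example, not part of the original entry or of any vendor tooling; the value names Hidden, HideFileExt and ShowSuperHidden are assumptions (the entry names only the key), and all sample records, including the Run value name and data, are constructed.

```python
# Added example: triage heuristics for behaviours listed in this entry.
RUN_KEY = r"software\microsoft\windows\currentversion\run"
ADVANCED_KEY = r"software\microsoft\windows\currentversion\explorer\advanced"
# Assumption: standard Explorer visibility values and the data that hides items.
HIDING_VALUES = {"hidden": 2, "hidefileext": 1, "showsuperhidden": 0}
# Hidden system folders found on clean removable drives; ignored below.
SYSTEM_NAMES = {"system volume information", "$recycle.bin"}

def registry_findings(events):
    """events: (key_path, value_name, data) registry value writes."""
    findings = []
    for key, name, data in events:
        k = key.lower()
        if k.endswith(RUN_KEY):
            findings.append(("T1547.001", f"Run value {name!r} -> {data}"))
        elif k.endswith(ADVANCED_KEY) and HIDING_VALUES.get(name.lower()) == data:
            findings.append(("T1564.001", f"Explorer set to hide: {name}={data}"))
    return findings

def drive_root_suspicious(entries):
    """entries: (name, is_dir, is_hidden) for a removable drive's root.
    Flags the layout described above: a single visible executable while a
    hidden directory and every other user item are hidden. Heuristic only."""
    user = [e for e in entries if e[0].lower() not in SYSTEM_NAMES]
    visible = [e for e in user if not e[2]]
    hidden_dir = any(e[1] and e[2] for e in user)
    return (len(visible) == 1 and not visible[0][1]
            and visible[0][0].lower().endswith(".exe") and hidden_dir)

# Constructed sample data (placeholder value name and path, not from the entry).
ADV = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
SAMPLE_EVENTS = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "ExampleEntry",
     r"C:\Example\UsbConfig.exe"),
    (ADV, "Hidden", 2),        # do not show hidden files
    (ADV, "HideFileExt", 1),   # hide known extensions
    (ADV, "Hidden", 1),        # benign: user chose to show hidden files
]
INFECTED_ROOT = [("UsbConfig.exe", False, False), ("_", True, True),
                 ("report.docx", False, True), ("photos", True, True)]
CLEAN_ROOT = [("report.docx", False, False), ("photos", True, False),
              ("System Volume Information", True, True)]

if __name__ == "__main__":
    for technique, detail in registry_findings(SAMPLE_EVENTS):
        print(technique, detail)
    print("infected root flagged:", drive_root_suspicious(INFECTED_ROOT))
    print("clean root flagged:", drive_root_suspicious(CLEAN_ROOT))
```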

Groups That Use This Software

ID Name References
G0129 Mustang Panda [1][2]

References