USBCulprit: USB-borne Air-Gap Malware

Research output: Chapter in Book/Report/Conference proceeding (Conference contribution, peer-reviewed)

3 Scopus citations


Air-gapped networks are disconnected from the Internet because of the sensitive data they store and process. Such networks are typically operated by military organizations, defense contractors, critical-infrastructure operators, and similar bodies. Malware capable of jumping an air gap is a rare finding. In June 2020, researchers at the security firm Kaspersky reported USBCulprit, Advanced Persistent Threat (APT) malware that appears to have been designed to reach air-gapped networks. The malware includes lateral-movement, spreading, and data-exfiltration mechanisms that operate through USB thumb drives. We tested and reverse-engineered a sample of USBCulprit and investigated its internal design, modules, and techniques, with particular attention to its data-collection and air-gap exfiltration mechanisms. We also present a video clip showing the attack carried out against our in-lab air-gapped network and discuss a set of defensive countermeasures. This analysis is important for understanding and mitigating USB-borne APTs.

Original language: English
Title of host publication: Proceedings of the 2021 European Interdisciplinary Cybersecurity Conference, EICC 2021
Publisher: Association for Computing Machinery
Number of pages: 7
ISBN (Electronic): 9781450390491
State: Published - 10 Nov 2021
Event: 2021 European Interdisciplinary Cybersecurity Conference, EICC 2021 - Virtual, Online, Romania
Duration: 10 Nov 2021 - 11 Nov 2021

Publication series

Name: ACM International Conference Proceeding Series


Conference: 2021 European Interdisciplinary Cybersecurity Conference, EICC 2021
City: Virtual, Online


  • APT
  • Air-gap
  • Covert channels
  • Malware
  • USB
  • exfiltration

ASJC Scopus subject areas

  • Human-Computer Interaction
  • Computer Networks and Communications
  • Computer Vision and Pattern Recognition
  • Software

