HIUPAN
HIUPAN, also known as U2DiskWatch and in some reporting associated with MISTCLOAK, is a Windows USB-propagating worm used in China-aligned espionage activity, most notably by Mustang Panda (also tracked as Stately Taurus, Earth Preta, and Hive0154 in cited reporting). It spreads via removable drives and has been used to propagate follow-on malware including PUBLOAD, Claimloader, and related payloads, including in campaigns targeting Taiwan and a Southeast Asian government. Reporting states it has been used to support lateral movement across multiple endpoints and, in some cases, to reach air-gapped environments through infected USB devices.
HIUPAN depends on victims executing files from USB media, among them a legitimate executable named UsbConfig.exe (also written as USBconfig.exe) that is abused for DLL sideloading: HIUPAN’s main DLL, u2ec.dll, is sideloaded through UsbConfig.exe when a user runs it from a USB device. The malware has also been described as using rogue DLL components such as Claimloader to decrypt and execute shellcode in memory as part of the PUBLOAD infection chain.
Behavior described in the source material includes modifying Windows Registry settings under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced to hide files and file extensions, aiding concealment on infected removable media and hosts. HIUPAN’s configuration reportedly allows operators to swap propagated payloads easily. USBFect, a closely related tool, has been described as a worm in the HIUPAN family that is used in similar USB-based propagation chains.
The malware is associated with espionage-focused targeting of government and related entities in Asia, including Taiwan, the Philippines, and a Southeast Asian government organization. High-confidence indicators and artifacts directly mentioned in the content include the aliases U2DiskWatch and MISTCLOAK, the legitimate sideloading executable UsbConfig.exe/USBconfig.exe, the malicious DLL u2ec.dll, and the registry path HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced.
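As an added detection example (not code from this page or from any vendor it cites), the Python below runs two checks over a constructed Sysmon-style key=value log: writes to the Explorer\Advanced values that hide files and extensions, and u2ec.dll being loaded into a UsbConfig.exe process. The registry path, executable and DLL names come from the text above; the value names Hidden and HideFileExt (the documented Explorer settings for those two options) and the log format are assumptions.

```python
# Added detection example (not vendor code) for two HIUPAN behaviours described
# above: Explorer\Advanced values set to hide files/extensions, and u2ec.dll
# loaded by UsbConfig.exe. Log format is constructed, Sysmon-style key=value
# (EventID 13 = registry value set, EventID 7 = image loaded).
import re

ADVANCED_KEY = "\\explorer\\advanced\\"  # tail of HKCU\...\CurrentVersion\Explorer\Advanced
# Documented Explorer values: Hidden=2 hides hidden files, HideFileExt=1 hides extensions.
HIDE_VALUES = {"hidden": "0x00000002", "hidefileext": "0x00000001"}

def parse_line(line):
    """Parse 'k=v k2="quoted v"' into a lower-keyed dict with quotes stripped."""
    return {k.lower(): v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def check_registry(ev):
    """EventID 13: flag Advanced\\Hidden or HideFileExt written with the hiding value."""
    target = ev.get("targetobject", "").lower()
    if ADVANCED_KEY not in target:
        return None
    name, details = target.rsplit("\\", 1)[-1], ev.get("details", "").lower()
    if name in HIDE_VALUES and HIDE_VALUES[name] in details:
        return ("explorer_advanced_hide", ev.get("image", ""), f"{name}={details}")
    return None

def check_sideload(ev):
    """EventID 7: flag u2ec.dll loaded into a UsbConfig.exe process (DLL sideload)."""
    image, loaded = ev.get("image", "").lower(), ev.get("imageloaded", "").lower()
    if image.endswith("\\usbconfig.exe") and loaded.endswith("\\u2ec.dll"):
        return ("u2ec_sideload_usbconfig", image, loaded)
    return None
CHECKS = {"13": check_registry, "7": check_sideload}

def scan(lines):
    """Return (rule, process, detail) tuples for every log line that matches a check."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        hit = CHECKS.get(ev.get("eventid"), lambda e: None)(ev)
        if hit:
            alerts.append(hit)
    return alerts

# Constructed sample log: a benign load, the sideload, two hiding writes, one benign write.
SAMPLE_LOG = [
    'EventID=7 Image="C:\\Windows\\System32\\notepad.exe" ImageLoaded="C:\\Windows\\System32\\kernel32.dll"',
    'EventID=7 Image="E:\\UsbConfig.exe" ImageLoaded="E:\\u2ec.dll"',
    'EventID=13 Image="E:\\UsbConfig.exe" TargetObject="HKU\\S-1-5-21-1\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden" Details="DWORD (0x00000002)"',
    'EventID=13 Image="E:\\UsbConfig.exe" TargetObject="HKU\\S-1-5-21-1\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt" Details="DWORD (0x00000001)"',
    'EventID=13 Image="C:\\Windows\\explorer.exe" TargetObject="HKU\\S-1-5-21-1\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden" Details="DWORD (0x00000001)"',
]
```

Running `scan(SAMPLE_LOG)` yields three alerts (the sideload and the two hiding writes); the benign DLL load and the write that re-enables hidden files produce none.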
Groups observed using it
3 distinct threat actors attributed by public researchers.
The cybersecurity firm ... said it observed "the propagation of PUBLOAD via a variant of the worm HIUPAN." Mustang Panda's use of removable drives as a propagation vector for HIUPAN was previously documented by Trend Micro in March 2023.
Attackers deployed numerous malware families, including HIUPAN, PUBLOAD, EggStremeFuel, MASOL RAT, PoshRAT, TrackBak Stealer, Hypnosis Loader, and FluffyGh0st.
Techniques & procedures
11 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
Execution
3 techniques
The content repeatedly describes victims being lured into opening malicious attachments, enabling macros, launching installers, clicking embedded files/links, or otherwise directly executing malicious content.
Examples include: "Sandworm Team leveraged Microsoft Office attachments which contained malicious macros..."; "Bumblebee has relied upon a user opening an ISO file to enable execution of malicious shortcut files and DLLs"; "Lumma Stealer has gained initial execution through victims opening malicious executable files embedded in zip archives, and MSI files within RAR files."
Persistence
2 techniques
The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution.
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
Privilege Escalation
1 technique
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
Stealth
3 techniques
Defense Impairment
1 technique
Discovery
2 techniques
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
Lateral Movement
2 techniques
Mustang Panda's use of removable drives as a propagation vector for HIUPAN was previously documented by Trend Micro in March 2023.
USBFect is a worm that spreads via removable media, often used to propagate PUBLOAD for lateral movement.
Recent activity
13 sources tracked across advisories, community write-ups, and news.
Malware family used in a 2025 China-linked cyber campaign against a Southeast Asian government to help achieve persistent access and exfiltrate sensitive data.
A malware family closely related to USBFect; referenced as part of lateral spread via removable media in the campaign.
USB-based malware used to deliver the PUBLOAD backdoor.
The “Stately Taurus” cluster involved tools including HIUPAN, USBFect, PUBLOAD (spread via USB), and CoolClient variants.