HIUPAN has added Registry Run keys to achieve persistence usingHKCU\Software\Microsoft\Windows\CurrentVersion\Run.^[1][2]

HIUPAN has used a config file "$.ini" to store a sleep multiplier to execute at a set interval value prior to initiating a watcher function that checks for a specific running process, that checks for removable drives and installs itself and supporting files if one is available.^[1][2]

HIUPAN has modified registry keys to ensure hidden files and extensions are not visible through the modification ofHKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced.^[1][2]

HIUPAN has abused legitimate executables to side-load malicious DLLs to include the legitimate exe UsbConfig.exe.^[1][2]

HIUPAN has modified registry keys to ensure hidden files and extensions are not visible through the modification ofHKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced.^[1][2]

HIUPAN has checked periodically for removable drives and installs itself when a drive is detected.^[1][2]

HIUPAN has conducted process discovery to identify thePUBLOAD malware under the process WCBrowserWatcher.exe and will launch it from an install directory if it is not found.^[2]

HIUPAN has periodically checked for removable and hot-plugged drives connected to the infected machine, should one be foundHIUPAN will propagate to the removeable drives by copying itself and accompanying malware components to a directory to the new drive in a hidden subdirectory<Drive_Letter>:\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\ and hides any other existing files to ensure UsbConfig.exe is the only visible file on the device.^[1][2]

HIUPAN has lured victims into executing malicious files from USBs including the use of files such as USBconfig.exe.^[1][2]

^[1][2]