As cloud applications, SaaS platforms, and GenAI tools shape most modern workflows, one physical channel presents an ongoing risk: removable media. USB drives, external devices, and other portable storage remain some of the easiest ways for sensitive data to leave an organization and some of the quietest ways for threats to enter it.
Each time removable media connects to an endpoint, security teams face two distinct risks: data exfiltration if users copy sensitive information onto unmanaged devices, and malicious intrusion if harmful or unauthorized devices attempt to compromise the endpoint.
These risks persist because removable media allows employees and attackers to bring untrusted hardware into the environment, move data offline, evade network-based controls, and bypass digital defenses using a physical connection. Most security tools only address one side of the problem — either blocking malware on removable media or preventing data egress — leaving a significant and persistent gap that both insiders and adversaries continue to exploit.
How Adversaries and Insiders Drive Risk
Adversaries are taking advantage. Reporting shows threat actors weaponizing removable media, including late 2025 campaigns where infected USB drives automatically executed hidden files and dropped CoinMiner malware as soon as they were connected.[1] These attacks deployed additional tools such as Hworm, Brute Ratel components, and AsyncRAT to establish persistence and remote control, demonstrating how a seemingly simple device can deliver a multi-stage intrusion and bypass traditional defenses.
Insider activity presents an equally serious challenge. Recent cases across technology and defense show employees continuing to rely on USB drives and personal storage devices to steal sensitive data as they exit an organization. In a high-profile case reported in 2025, a Silicon Valley-area defense engineer admitted to transferring more than 3,600 proprietary files related to missile detection and advanced sensor technologies to personal storage devices while employed at a U.S. defense contractor.[2] The data was taken shortly before the individual left for another company, underscoring how removable media remains a fast, offline, and difficult-to-monitor exfiltration path for insiders seeking to bypass network-based controls and move sensitive data outside the enterprise.
A Closer Look: MUSTANG PANDA’s USBFect Campaigns
Between 2023 and 2025, CrowdStrike Intelligence exposed a series of evolving USB-borne campaigns conducted by China-nexus adversary MUSTANG PANDA. At the center of these operations was USBFect, a custom USB worm engineered to silently propagate across removable drives and launch adversary payloads, using either the Claimloader or the ColorDrama loader to execute LingerRAT shellcode. USBFect relies heavily on social engineering: It presents victims with what appears to be a single benign file displaying a USB icon. The moment a user clicks, the worm executes, hides its components, establishes persistence via registry manipulation, and automatically spreads to any newly connected USB drive.
Across three campaigns — two in 2023 and a more sophisticated wave in late 2024 — MUSTANG PANDA refined USBFect to support different loaders and shifting target geographies. The early operations primarily impacted entities in the Philippines, while the December 2024 campaign broadened targeting to Taiwan and replaced Claimloader with ColorDrama, signaling a clear evolution in the adversary’s tradecraft. In 2025, the CrowdStrike Falcon® Adversary OverWatch™ and CrowdStrike Falcon® Complete Next-Gen MDR teams observed USBFect affecting organizations in North America, confirming it remains active in real-world intrusions and continues to propagate beyond intended geographic boundaries due to the uncontrolled nature of USB-based attacks.[3]
These attacks exemplify why USB-borne malware remains a powerful and often underestimated attack vector. A single unmanaged or unmonitored removable drive can bypass perimeter defenses, introduce stealthy malware, and create a durable foothold for hands-on-keyboard activity.
Defend Against Threats Hidden in Removable Media
CrowdStrike addresses this threat with CrowdStrike Falcon® Data Protection and CrowdStrike Falcon® Device Control. Together, they deliver real-time protection on both sides of the removable media connection so sensitive data cannot be quietly exfiltrated, and untrusted devices cannot introduce risk.
Stop Data Going Out
Falcon Data Protection provides continuous insight into how sensitive data is handled on the endpoint and immediate enforcement when that data is moved to removable media. As a result, connecting removable media does not by itself let a user move sensitive data off the endpoint without oversight and control.
Real-time classification and enforcement: Falcon Data Protection identifies sensitive information such as personally identifiable information (PII), protected health information (PHI), payment card industry (PCI) data, and custom patterns the moment it is accessed or moved. Policies are applied immediately without manual labeling or complex rule creation.
Detection of disguised or transformed data: Employees or attackers may try to evade controls by renaming files, changing formats, or copying and pasting content before transferring it to a USB drive. Falcon Data Protection uses similarity detection to trace modified data back to its original source, revealing attempts that traditional tools miss.
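To make the similarity idea concrete, here is an added example (not CrowdStrike or Falcon code) that links a file headed for removable media back to a known sensitive document even after it has been renamed, converted to another format, or reduced to a pasted excerpt. It uses word-shingle containment, the fraction of the candidate's 4-word windows that also occur in a protected document; the documents, registry, threshold and minimum fragment size are all constructed for illustration.

```python
"""Added example, not CrowdStrike or Falcon code: content-similarity check
that traces a file back to a protected source document regardless of its
name or format. Word-shingle containment; all sample data is constructed."""
import re
from typing import Dict, Set, Tuple

SHINGLE_WORDS = 4       # words per shingle (constructed tuning value)
MATCH_THRESHOLD = 0.5   # constructed: containment at or above this is a match
MIN_SHINGLES = 5        # constructed: ignore fragments too short to fingerprint


def normalize(text: str) -> list:
    """Lower-case and keep only alphanumeric tokens, so punctuation, markup
    and line breaks changed by a format conversion do not affect matching."""
    return re.findall(r"[a-z0-9]+", text.lower())


def shingles(text: str, k: int = SHINGLE_WORDS) -> Set[str]:
    """Set of k-word windows; order-sensitive, so only real excerpts match."""
    words = normalize(text)
    if len(words) < k:
        return set()
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}


def containment(candidate: Set[str], source: Set[str]) -> float:
    """Fraction of the candidate's shingles found in the source. Unlike
    Jaccard, this still scores high when only one paragraph was copied."""
    return len(candidate & source) / len(candidate) if candidate else 0.0


# Constructed registry of protected documents (name -> content). A real
# deployment would store fingerprints, not plaintext.
SOURCE_DOCS: Dict[str, str] = {
    "sensor_design_v3.docx": (
        "Project Aurora sensor specification. The infrared detector array "
        "operates at 3.7 micron wavelength with a 1024 by 1024 focal plane. "
        "Cooling is provided by a closed cycle cryocooler rated for 20000 hours. "
        "Calibration data is stored in the secure enclave and must not leave "
        "the facility."
    ),
    "travel_policy.txt": (
        "Employees must book travel through the approved portal and submit "
        "receipts within thirty days of return."
    ),
}
SOURCE_SHINGLES = {name: shingles(body) for name, body in SOURCE_DOCS.items()}

# Constructed candidates: the spec pasted into a "notes" file as a bullet list
# under an innocuous name, a single copied sentence, and unrelated text.
DISGUISED_COPY = (
    "NOTES (draft)\n\nProject Aurora sensor specification\n\n"
    "- The infrared detector array operates at 3.7 micron wavelength "
    "with a 1024 by 1024 focal plane.\n"
    "- Cooling is provided by a closed cycle cryocooler rated for 20000 hours.\n"
    "- Calibration data is stored in the secure enclave and must not "
    "leave the facility.\n"
)
EXCERPT = "Cooling is provided by a closed cycle cryocooler rated for 20000 hours."
UNRELATED = ("Buy milk, call the dentist, renew the parking permit, and book "
             "the car service for next Tuesday morning.")


def best_match(content: str) -> Tuple[str, float]:
    """Return (source name, containment) for the closest protected document."""
    cand = shingles(content)
    if len(cand) < MIN_SHINGLES:
        return "", 0.0
    best_name, best_score = "", 0.0
    for name, src in SOURCE_SHINGLES.items():
        score = containment(cand, src)
        if score > best_score:
            best_name, best_score = name, score
    return best_name, best_score


def classify_transfer(filename: str, content: str,
                      threshold: float = MATCH_THRESHOLD) -> dict:
    """Decide whether a file being copied to removable media derives from a
    protected source. The filename is logged but never used for the decision,
    which is the point: renaming does not help."""
    name, score = best_match(content)
    matched = score >= threshold
    return {
        "file": filename,
        "verdict": "block" if matched else "allow",
        "matched_source": name if matched else None,
        "similarity": round(score, 3),
    }


if __name__ == "__main__":
    for fname, body in [("vacation_notes.txt", DISGUISED_COPY),
                        ("reminder.txt", EXCERPT), ("todo.txt", UNRELATED)]:
        print(classify_transfer(fname, body))
```

Containment rather than Jaccard is deliberate: an insider who copies one paragraph out of a large document still produces a candidate whose shingles all come from the source, and the minimum-shingle floor keeps four-word coincidences from triggering blocks.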
Visibility into encrypted archives: Attackers often package data into encrypted files before moving it to removable media. Falcon Data Protection provides visibility into encrypted archives in real time, exposing sensitive content before it leaves the device and accelerating investigations.
Behavior-based detections: Machine learning models surface unusual or high-risk user behavior, such as large file movements, first-time access to sensitive data types, and activity occurring outside normal patterns. These insights help teams detect insider risk early.
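The three signals named above can be shown as simple rules over removable-media events. The following is an added example, not Falcon code: it builds a per-user baseline from prior events and flags large movements, first-time access to a data class, and off-hours activity. The event records, thresholds and working hours are constructed; a production system would learn the baseline with ML rather than from a hand-written history.

```python
"""Added example, not CrowdStrike or Falcon code: rule-based approximation
of behaviour signals (large file movement, first-time data class, off-hours
activity) over constructed removable-media copy events."""
from collections import defaultdict
from datetime import datetime

LARGE_MOVE_BYTES = 500 * 1024 * 1024   # constructed: 500 MiB per user per day
BASELINE_MULTIPLIER = 10               # constructed: 10x the user's usual daily volume
WORK_HOURS = range(7, 19)              # constructed: 07:00-18:59 local is "normal"

# Constructed baseline history and current-day events. Each record:
# ts (ISO 8601 local), user, action, target device, bytes, data_class.
HISTORY = [
    {"ts": "2025-11-03T10:12:00", "user": "alice", "action": "copy", "target": "USB:SN-A1", "bytes": 2_000_000, "data_class": "internal"},
    {"ts": "2025-11-04T14:40:00", "user": "alice", "action": "copy", "target": "USB:SN-A1", "bytes": 3_500_000, "data_class": "internal"},
    {"ts": "2025-11-05T09:05:00", "user": "alice", "action": "copy", "target": "USB:SN-A1", "bytes": 1_200_000, "data_class": "internal"},
    {"ts": "2025-11-03T11:00:00", "user": "bob", "action": "copy", "target": "USB:SN-B7", "bytes": 50_000_000, "data_class": "pii"},
    {"ts": "2025-11-04T16:30:00", "user": "bob", "action": "copy", "target": "USB:SN-B7", "bytes": 40_000_000, "data_class": "pii"},
]
TODAY = [
    # alice: first PII, far above her usual volume, at 22:45 -> three signals
    {"ts": "2025-11-06T22:45:00", "user": "alice", "action": "copy", "target": "USB:SN-X9", "bytes": 700_000_000, "data_class": "pii"},
    # bob: same data class and volume as usual, during work hours -> quiet
    {"ts": "2025-11-06T13:10:00", "user": "bob", "action": "copy", "target": "USB:SN-B7", "bytes": 45_000_000, "data_class": "pii"},
]


def daily_volumes(events) -> dict:
    """Bytes copied to removable media per (user, date)."""
    vol = defaultdict(int)
    for e in events:
        if e["action"] == "copy":
            vol[(e["user"], e["ts"][:10])] += e["bytes"]
    return vol


def build_baseline(history) -> dict:
    """Per-user baseline: data classes seen before and mean daily copy volume."""
    classes = defaultdict(set)
    for e in history:
        classes[e["user"]].add(e["data_class"])
    per_day = defaultdict(list)
    for (user, _day), total in daily_volumes(history).items():
        per_day[user].append(total)
    mean_daily = {u: sum(v) / len(v) for u, v in per_day.items()}
    return {"classes": classes, "mean_daily": mean_daily}


def evaluate(today, baseline) -> dict:
    """Return one alert per user whose activity trips at least one rule."""
    alerts = {}
    volumes = daily_volumes(today)
    for e in today:
        user = e["user"]
        reasons = []
        day_total = volumes[(user, e["ts"][:10])]
        usual = baseline["mean_daily"].get(user, 0.0)
        # Large movement: absolute ceiling, or a big multiple of the user's norm.
        if day_total >= LARGE_MOVE_BYTES or (usual and day_total >= BASELINE_MULTIPLIER * usual):
            reasons.append(f"large_move:{day_total}B (usual {int(usual)}B/day)")
        # First-time access to a sensitive data type for this user.
        if e["data_class"] not in baseline["classes"].get(user, set()):
            reasons.append(f"first_time_class:{e['data_class']}")
        # Activity outside the constructed working-hours window.
        if datetime.fromisoformat(e["ts"]).hour not in WORK_HOURS:
            reasons.append(f"off_hours:{e['ts'][11:16]}")
        if reasons:
            alert = alerts.setdefault(user, {"user": user, "score": 0, "reasons": []})
            for r in reasons:
                if r not in alert["reasons"]:
                    alert["reasons"].append(r)
            alert["score"] = len(alert["reasons"])  # one point per distinct signal
    return alerts


if __name__ == "__main__":
    for alert in evaluate(TODAY, build_baseline(HISTORY)).values():
        print(alert)
```

The score is just the count of distinct signals, which is enough to rank users for triage; the point of the example is that none of the three rules needs file content, only the metadata an endpoint sensor already sees when a copy to removable media occurs.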
Stop Threats Coming In
While Falcon Data Protection prevents sensitive data from leaving, Falcon Device Control prevents unauthorized or malicious devices from being introduced into the environment.
Precise device access: Security teams can allow, restrict, or block removable media based on device attributes, organizational policy, and business need.
Protection against untrusted and malicious devices: Threat actors frequently rely on rogue USB drives or manipulated firmware to deliver malware or compromise systems. Falcon Device Control blocks these devices from interacting with endpoints before harmful activity occurs.
Safe enablement of legitimate workflows: Falcon Device Control provides flexible options such as read-only access or conditional permission. This supports productivity while maintaining strong governance.
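The allow, read-only and block outcomes described in the three points above can be expressed as an ordered policy over device attributes. Here is an added example, not Falcon Device Control code, of a first-match evaluator: rules match on vendor ID, product ID, serial number, or on an unexpected interface class reported alongside storage, with block as the default. Every identifier, rule and device in it is constructed.

```python
"""Added example, not CrowdStrike or Falcon code: first-match device-control
policy that yields allow, read_only, or block for a removable device from its
attributes, then checks a read or write against that outcome. All IDs,
serials and rules are constructed placeholders."""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Device:
    vendor_id: str
    product_id: str
    serial: str
    # Interface classes the device enumerates as (constructed labels).
    classes: Set[str] = field(default_factory=lambda: {"mass_storage"})


@dataclass
class Rule:
    name: str
    action: str                          # "allow" | "read_only" | "block"
    vendor_id: Optional[str] = None      # None acts as a wildcard
    product_id: Optional[str] = None
    serial: Optional[str] = None
    forbidden_classes: Optional[Set[str]] = None

    def matches(self, d: Device) -> bool:
        if self.forbidden_classes is not None:
            # Class-based rule: fires when the device presents any forbidden
            # interface, regardless of its IDs (firmware-level oddities).
            return bool(d.classes & self.forbidden_classes)
        return ((self.vendor_id is None or self.vendor_id == d.vendor_id)
                and (self.product_id is None or self.product_id == d.product_id)
                and (self.serial is None or self.serial == d.serial))


# Constructed policy. Order matters: first match wins, and the class check
# sits before any allow rule so an allow-listed ID cannot override it.
POLICY: List[Rule] = [
    Rule("block-mixed-interface", "block", forbidden_classes={"hid", "network"}),
    Rule("allow-corp-encrypted", "allow", vendor_id="0x1234", product_id="0xabcd"),
    Rule("readonly-vendor-support", "read_only", vendor_id="0x5678", serial="SUPPORT-0042"),
]
DEFAULT_ACTION = "block"


def decide(d: Device, policy: List[Rule] = POLICY):
    """Return (action, rule name) for the first matching rule, else default."""
    for rule in policy:
        if rule.matches(d):
            return rule.action, rule.name
    return DEFAULT_ACTION, "default"


def authorize(d: Device, operation: str, policy: List[Rule] = POLICY) -> dict:
    """Check a 'read' or 'write' against the device's policy outcome and
    return an audit record suitable for logging."""
    if operation not in ("read", "write"):
        raise ValueError(f"unknown operation: {operation}")
    action, rule = decide(d, policy)
    permitted = action == "allow" or (action == "read_only" and operation == "read")
    return {
        "device": f"{d.vendor_id}:{d.product_id}:{d.serial}",
        "operation": operation,
        "policy": action,
        "rule": rule,
        "permitted": permitted,
    }


if __name__ == "__main__":
    samples = [
        (Device("0x1234", "0xabcd", "CORP-001"), "write"),
        (Device("0x5678", "0x0001", "SUPPORT-0042"), "write"),
        (Device("0x9999", "0x0001", "UNKNOWN-1"), "read"),
        (Device("0x1234", "0xabcd", "CORP-002", classes={"mass_storage", "hid"}), "read"),
    ]
    for dev, op in samples:
        print(authorize(dev, op))
```

Putting the interface-class rule first is the design choice worth noticing: an allow-list entry describes the device an organization bought, not the firmware it is running today, so attributes that contradict the expected device type should win over the ID match.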
Together, Falcon Data Protection and Falcon Device Control provide a comprehensive approach to protect against data loss and device-based threats. While they are separate modules with distinct capabilities, they are both delivered from the CrowdStrike Falcon platform and run on the same lightweight Falcon sensor that customers already deploy for endpoint security. This shared architecture eliminates the need for additional sensors or consoles and ensures consistent performance across both data protection and device governance.
This unified sensor model delivers key benefits:
- Faster rollout with no new sensors to install or maintain
- Lower operational overhead and simplified management
- Immediate value for Falcon platform customers who can activate both modules through their current sensor footprint
By operating through one sensor and one platform, CrowdStrike provides a scalable and efficient foundation for securing all removable media activity.
Closing a Persistent Gap in Removable Media Security
As organizations advance their SaaS, cloud, and GenAI security strategies, removable media often remains an overlooked channel for data loss and endpoint compromise. USB drives and other portable storage devices continue to introduce real risk.
Falcon Data Protection and Falcon Device Control provide comprehensive protection for removable media. Sensitive data is protected before it can be copied to portable storage, and untrusted devices are controlled before they interact with an endpoint. This creates a modern, integrated layer of defense that reflects how work happens today.
See Them in Action
See how CrowdStrike helps identify attempted data exfiltration and block untrusted devices the moment removable media connects. Start a free trial to experience Falcon Device Control and schedule a demo to see Falcon Data Protection in action.
Additional Resources
- Visit the Falcon Data Protection webpage to learn how CrowdStrike is redefining the data protection market.
- Visit the Falcon Device Control webpage to explore how CrowdStrike helps you control and secure the use of USB devices and other removable media across your environment.
- Sign up today to experience the benefits of Falcon Data Protection firsthand.
- Start a 15-day free trial here.
[1] https://cybersecuritynews.com/threat-actors-deploying-coinminer-malware/
[2] https://www.sfgate.com/bayarea/article/bay-area-nuclear-missile-secrets-china-20780760.php
[3] CrowdStrike internal threat intelligence