FBI warns of hackers mailing malicious USB sticks to businesses
The FIN7 cyber crime group is alleged to be behind the months-long wave of attacks against the defence, transportation, and insurance industries


The Federal Bureau of Investigation (FBI) has alerted US businesses to a rise in cyber attacks being committed via the US postal service, with hackers mailing malicious USB sticks to victims and deceiving them into installing malware on machines.
If the USB stick enclosed in the package sent to victims was plugged into a computer, it would lead to a BadUSB attack whereby the USB device would register itself as a keyboard and execute a number of pre-configured keystrokes on the victim's machine, according to the FBI.
These keystroke scripts would lead to PowerShell commands being executed and to the download and installation of a variety of malware strains that acted as backdoors to the victims' networks to launch future cyber attacks. Resources the attackers installed included vulnerability-scanning and pentest tools such as Metasploit and Cobalt Strike, as well as BlackMatter and REvil ransomware, among others.
Successful cases have been observed by the FBI in which attackers were able to gain administrator access to machines and then move laterally across the victim's network.
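The sequence described above (a new keyboard-class device appears, then PowerShell starts moments later) can be hunted for in endpoint telemetry. The following is an added example, not code from the FBI alert or the article; the event schema, host names, device IDs and the 30-second window are assumptions constructed for illustration.

```python
from datetime import datetime

# Interpreters to flag. The article names PowerShell; pwsh.exe is the
# PowerShell 7 binary. Tune this list per environment (assumption).
SHELLS = {"powershell.exe", "pwsh.exe"}

# Constructed sample telemetry in a hypothetical normalized schema.
SAMPLE_EVENTS = [
    {"ts": "2022-01-10T09:14:02", "host": "ws-041", "kind": "device_attach",
     "device_class": "Keyboard", "device_id": "constructed-kbd-01"},
    {"ts": "2022-01-10T09:14:05", "host": "ws-041", "kind": "process_start",
     "image": "PowerShell.exe", "parent": "explorer.exe"},
    {"ts": "2022-01-10T09:30:00", "host": "ws-017", "kind": "device_attach",
     "device_class": "DiskDrive", "device_id": "constructed-disk-01"},
    {"ts": "2022-01-10T09:30:04", "host": "ws-017", "kind": "process_start",
     "image": "powershell.exe", "parent": "explorer.exe"},
    {"ts": "2022-01-10T10:00:00", "host": "ws-099", "kind": "device_attach",
     "device_class": "Keyboard", "device_id": "constructed-kbd-02"},
    {"ts": "2022-01-10T10:20:00", "host": "ws-099", "kind": "process_start",
     "image": "powershell.exe", "parent": "explorer.exe"},
]

def find_keyboard_then_shell(events, window_seconds=30):
    """Flag shells started within window_seconds of a new keyboard on the same host."""
    last_keyboard = {}  # host -> (attach time, device id) of the newest keyboard
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["kind"] == "device_attach":
            # A storage stick that enumerates as a keyboard is the BadUSB tell.
            if ev.get("device_class") == "Keyboard":
                last_keyboard[ev["host"]] = (ts, ev.get("device_id"))
        elif ev["kind"] == "process_start" and ev.get("image", "").lower() in SHELLS:
            seen = last_keyboard.get(ev["host"])
            if seen is None:
                continue  # no keyboard attach recorded for this host
            delay = (ts - seen[0]).total_seconds()
            if delay <= window_seconds:
                alerts.append({"host": ev["host"], "device_id": seen[1],
                               "image": ev["image"].lower(), "delay_s": delay})
    return alerts

if __name__ == "__main__":
    for alert in find_keyboard_then_shell(SAMPLE_EVENTS):
        print(alert)
```

Docking stations and KVM switches also enumerate keyboards, so a match is a triage lead rather than a verdict; comparing the device ID against known-good hardware reduces noise.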
The FBI said the FIN7 hacking group is behind the waves of attacks on US industries since August 2021 - the same group behind the DarkSide and BlackMatter ransomware campaigns.
Most recently, FIN7 has been targeting the US defence industry since November 2021 but companies in the transportation and insurance sectors were receiving malicious packages as far back as August 2021.
The FBI also said the attackers were using the United States Postal Service (USPS) and United Parcel Service (UPS) to deliver the LilyGO-branded USB sticks pre-loaded with malware, in packages that seemingly came from reputable organisations such as Amazon and the US Department of Health and Human Services (HHS).
"Since August 2021, the FBI has received reports of several packages containing these USB devices, sent to US businesses in the transportation, insurance, and defence industries," said the FBI in an alert, as reported by The Record. "The packages were sent using the United States Postal Service and United Parcel Service.
"There are two variations of packages - those imitating HHS are often accompanied by letters referencing COVID-19 guidelines enclosed with a USB; and those imitating Amazon arrived in a decorative gift box containing a fraudulent thank you letter, counterfeit gift card, and a USB."
An ancient attack method
The method of simply plugging a malicious USB stick into a victim's machine dates back many years and has been dubbed various names in the infosec community during that time. The method may otherwise be known as Rubber Ducky attacks, PoisonTap, USBdriveby, USBharpoon, and BadUSB.
For years, the method has also been used by pentesters with a good degree of success, leveraging human curiosity to see what's on a USB drive they discover by chance. People will often plug a lost, unknown USB stick into their own machine before attempting to return it to its rightful owner - a habit cyber criminals have learned to use to their advantage.
"The use of tangible tools for infection - such as USB sticks - have been and continue to be ever effective, especially in today's current climate," Alan Calder, CEO at GRC International Group, told IT Pro. "Working from home is now more widespread than a few years ago, and the likelihood of someone receiving a malicious USB stick and plugging it into a PC in an unsupervised setting is much greater.
"Cyber criminals are knowingly using this hybrid working shift to their advantage, which means the need for regular cyber security risk assessments to outline and mitigate these threats has never been greater."
The BadUSB project was first unveiled at Black Hat in 2014 by security researchers at SR Labs, Karsten Nohl and Jakob Lell. The pair showed how the attack method could be used to install malware, as well as steal data and spoof network cards.
It has since inspired a number of related projects with one hacker applying the principles to a Mac-hacking iPhone lightning cable and dropping them around Def Con in 2019. The malicious iPhone cables allowed attackers to remotely execute commands on a victim's device and were sold for as little as $200 under the radar at the event.
It also isn't the first time FIN7 has made use of the postal system to deliver attacks. In a somewhat similar fashion, FIN7 impersonated Best Buy to mail packages with USB sticks to hospitality and retail businesses in March 2020.

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.