Skip to content

Hide Navigation Hide TOC

HIUPAN - S1230 (da43312a-0188-4949-bab3-0df9a5df0aba)

HIUPAN (aka U2DiskWatch) is a is a worm that propagates through removable drives known to be leveraged by Mustang Panda and was first observed utilized in 2024. (Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA)(Citation: Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024)

Cluster A Galaxy A Cluster B Galaxy B Level
HIUPAN - S1230 (da43312a-0188-4949-bab3-0df9a5df0aba) Malware Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern 1
HIUPAN - S1230 (da43312a-0188-4949-bab3-0df9a5df0aba) Malware Peripheral Device Discovery - T1120 (348f1eef-964b-4eb6-bb53-69b3dcb0c643) Attack Pattern 1
HIUPAN - S1230 (da43312a-0188-4949-bab3-0df9a5df0aba) Malware Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) Attack Pattern 1
Delay Execution - T1678 (a1df809c-7d0e-459f-8fe5-25474bab770b) Attack Pattern HIUPAN - S1230 (da43312a-0188-4949-bab3-0df9a5df0aba) Malware 1
HIUPAN - S1230 (da43312a-0188-4949-bab3-0df9a5df0aba) Malware Replication Through Removable Media - T1091 (3b744087-9945-4a6f-91e8-9dbceda417a4) Attack Pattern 1
HIUPAN - S1230 (da43312a-0188-4949-bab3-0df9a5df0aba) Malware Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 1
HIUPAN - S1230 (da43312a-0188-4949-bab3-0df9a5df0aba) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 1
DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern HIUPAN - S1230 (da43312a-0188-4949-bab3-0df9a5df0aba) Malware 1
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern HIUPAN - S1230 (da43312a-0188-4949-bab3-0df9a5df0aba) Malware 1
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) Attack Pattern 2
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 2
DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern 2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 2