Out with the New, In with the Old: State-sponsored SOGU Intrusions via USB
10:00 AM - 10:45 AM

UNC53 (aka TEMP HEX) is a sophisticated state-sponsored Chinese actor that Mandiant has tracked since 2014 and that has targeted over 180 organizations across 11 different industries. This presentation details the actor's latest campaign, drawing on frontline intrusion data observed over the last 6 months, in which it used USB infections to broadly deliver SOGU malware and compromise victims in unexpected locations, such as airport cafes and printing service shops. We’ll dive into the unique delivery methods, the post-exploitation activity, the SOGU backdoor, and the malware that accompanied it. We’ll also discuss the resurgence of USB as an initial infection vector and the challenges of tracking USB-based campaigns. Finally, we’ll share the techniques Mandiant used successfully to detect and stop this activity, as well as broader detection and mitigation strategies.