{"id":10601,"date":"2026-02-12T10:03:49","date_gmt":"2026-02-12T10:03:49","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/02\/12\/44-evilmouse-autonomously-executes-commands-and-compromises-systems-once-connected\/"},"modified":"2026-02-12T10:03:49","modified_gmt":"2026-02-12T10:03:49","slug":"44-evilmouse-autonomously-executes-commands-and-compromises-systems-once-connected","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/02\/12\/44-evilmouse-autonomously-executes-commands-and-compromises-systems-once-connected\/","title":{"rendered":"$44 Evilmouse Autonomously Executes Commands and Compromises Systems Once Connected"},"content":{"rendered":"<p>    $44 Evilmouse Autonomously Executes Commands and Compromises Systems Once Connected<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p>A $44 hardware implant disguised as an ordinary computer mouse. This device acts as a covert keystroke injector, akin to the Hak5 Rubber Ducky, but leverages the innocuous form factor of a mouse to bypass basic user awareness training.<\/p>\n<p>Plug it in, and it autonomously runs payloads that execute commands, deliver reverse shells, or worse, without arousing suspicion.<\/p>\n<p>Traditional USB drives trigger alarms post-training, but a functional mouse? It blends seamlessly into any workspace. Evilmouse preserves the <a href=\"https:\/\/cybersecuritynews.com\/mic-e-mouse-attack\/\" target=\"_blank\" rel=\"noreferrer noopener\">host mouse\u2019s optical sensor and buttons<\/a> via an integrated USB hub, ensuring cursor movement and clicks work normally.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgIXFk0dVaceupM72UFXS03piLRWrMAKzIfiUb-P-WTnRRVLAUST-oVSg4hiMdDBqGEjD-ejg6JHLZuCgvCn4ixR4OKbaQkdbIC8w0fWvbIRJTfo8rC2yc0OYp1lyURIGlh6n-IfmOAWipMhUFBirexm7utmNB4E0Ymfvh_0jrcQfxKfi_d5l4v_a4C0Nvd\/w640-h462\/evilmouse2.webp?ssl=1\" alt=\"Evilmouse\"><figcaption class=\"wp-element-caption\">Evilmouse<\/figcaption><\/figure>\n<\/div>\n<p>\u201cEveryone knows USB sticks are risky,\u201d NEWO-J notes in the project write-up. \u201cA mouse might not even register as a threat.\u201d<\/p>\n<p>The build repurposes cheap components for under $50:<\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th>Material<\/th>\n<th>Quantity<\/th>\n<th>Approx. Price<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>RP2040 Zero microcontroller<\/td>\n<td>1<\/td>\n<td>$3<\/td>\n<\/tr>\n<tr>\n<td>Adafruit 2-Port USB Hub Breakout<\/td>\n<td>1<\/td>\n<td>$5<\/td>\n<\/tr>\n<tr>\n<td>Amazon Basics Mouse<\/td>\n<td>1<\/td>\n<td>$6<\/td>\n<\/tr>\n<tr>\n<td>USB-C Pigtail Cable<\/td>\n<td>1<\/td>\n<td>$3<\/td>\n<\/tr>\n<tr>\n<td>Rosin-core 60\/40 Solder<\/td>\n<td>1<\/td>\n<td>$8<\/td>\n<\/tr>\n<tr>\n<td>USB-C Data Cable<\/td>\n<td>1<\/td>\n<td>$8<\/td>\n<\/tr>\n<tr>\n<td>Flux Paste<\/td>\n<td>1<\/td>\n<td>$6<\/td>\n<\/tr>\n<tr>\n<td>Kapton Tape<\/td>\n<td>1<\/td>\n<td>$5<\/td>\n<\/tr>\n<tr>\n<td>Dupont Wires<\/td>\n<td>4<\/td>\n<td>~$0.03<\/td>\n<\/tr>\n<tr>\n<td><strong>Total<\/strong><\/td>\n<td><\/td>\n<td><strong>~$44<\/strong><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p>This undercuts a Rubber Ducky\u2019s $100 price tag, democratizing hardware implants for red teams or malicious actors.<\/p>\n<p>Housed in a $6 Amazon Basics mouse, the compact shell demanded modifications. Researchers must excise plastic ribbing with a multi-tool cutter and delicately desolder the stock PCB\u2019s white connector using a flathead screwdriver.<\/p>\n<p>The RP2040 Zero, flashed with CircuitPython firmware, handles exploitation. Incompatibility with pico-ducky prompted custom code: a Windows AV-safe reverse shell to a listener host.<\/p>\n<p>Soldering the USB hub, pigtail, and wires proved tricky\u2014NEWO-J practiced for a week on through-hole components. Kapton tape insulates against shorts, and precise wire routing allows the shell to snap shut while maintaining functionality.<\/p>\n<p><a href=\"https:\/\/github.com\/NEWO-J\/evilmouse\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Full code resides on GitHub<\/a>, with plans for DuckyScript compatibility. \u201cBuilt for education only,\u201d the repo warns, disclaiming malicious use.<\/p>\n<p>In a video demo, plugging Evilmouse into \u201cLaptop A\u201d yields an admin-level reverse shell on \u201cLaptop B\u201d within seconds. No user interaction required. Enhancements like hidden command prompts or scheduled tasks add persistence. Stealth tactics evade Windows Defender, though advanced bypasses remain future work.<\/p>\n<figure class=\"wp-block-video\"><video controls src=\"https:\/\/newo-j.github.io\/videos\/evilmouse_demo.mp4\"><\/video><\/figure>\n<p>Evilmouse underscores HID (Human Interface Device) attack vectors. Mice emulate trusted peripherals, exploiting USB\u2019s plug-and-play trust.<\/p>\n<p>Defenses include USB device whitelisting via Group Policy, <a href=\"https:\/\/cybersecuritynews.com\/best-siem-tools\/\" target=\"_blank\" rel=\"noreferrer noopener\">endpoint detection tools scanning<\/a> for anomalous keystrokes, and physical port restrictions. For pentesters, it offers a cheap alternative to commercial gear improve it with Rust for faster injection or remote triggers.<\/p>\n<p class=\"has-text-align-center has-background\" style=\"background:linear-gradient(180deg,rgb(238,238,238) 94%,rgb(169,184,195) 100%)\"><strong>Follow us on <a href=\"https:\/\/news.google.com\/publications\/CAAqMggKIixDQklTR3dnTWFoY0tGV041WW1WeWMyVmpkWEpwZEhsdVpYZHpMbU52YlNnQVAB?hl=en-IN&amp;gl=IN&amp;ceid=IN:en\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Google News<\/a>, <a href=\"https:\/\/www.linkedin.com\/company\/cybersecurity-news\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">LinkedIn<\/a>, and <a href=\"https:\/\/x.com\/cyber_press_org\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">X<\/a> for daily cybersecurity updates. <a href=\"https:\/\/cybersecuritynews.com\/contact-us\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Contact us<\/a> to feature your stories.<\/strong><\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/evilmouse-compromises-systems\/\">$44 Evilmouse Autonomously Executes Commands and Compromises Systems Once Connected<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Guru Baran<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/evilmouse-compromises-systems\/\">Go to cyber-security-news<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>$44 Evilmouse Autonomously Executes Commands and Compromises Systems Once Connected A $44 hardware implant disguised as an ordinary computer mouse. This device acts as a covert keystroke injector, akin to the Hak5 Rubber Ducky, but leverages the innocuous form factor of a mouse to bypass basic user awareness training. Plug it in, and it autonomously [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63],"tags":[130],"class_list":["post-10601","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10601"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=10601"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10601\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=10601"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=10601"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=10601"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}