USB drives carrying China-linked malware have infected Japanese military networks for nearly a year

Leaked internal documents have revealed that for over a year Japan’s Ground Self-Defense Force (JGSDF) has been using fake USB flash drives infected with malware on computers connected to sensitive military networks. The drives have been linked to Chinese hacking activities, according to an investigation by Nikkei Asia.
Nikkei Asia reports that the tainted flash drives were delivered to the JGSDF in March 2024, during disaster relief operations after the earthquake in central Japan. Through this route they were able to enter the military without going through the usual procurement channels.
The malware was discovered in February 2025, after staff at the JGSDF’s Middle Army headquarters in Itami, near Osaka, noticed a computer running unusually slowly. A subsequent investigation found that six of the eight USB drives tested contained the same malicious code.
The infected USB drives were attached to more than 50 computers, nearly half of which were systems used to handle classified data, including information about troop movements.
Investigators matched the malware to a type documented by an unnamed US cybersecurity firm, which linked it to a Chinese hacking group. Neither the malware family nor the hacking group has been publicly named in the reports.
Japan’s Defense Ministry downplayed the threat, with a spokesperson saying:
“Malware was the first type of legacy that was limited to its own replication and did not release information or external communications.”
Adding to the confusion, The Epoch Times reports that a spokesperson for the Ishikawa Prefectural Government – which was alleged in leaked internal documents to have provided USB drives to the JGSDF during the 2024 earthquake relief effort – said “we could not confirm any record of purchasing USB drives or paying for their purchase.”
Since neither the prefectural government nor the military can produce a paper trail, the origin of the fake drives remains a mystery, raising more questions about how easily compromised hardware can get into critical areas when normal procedures are bypassed during an emergency.
Nikkei Asia says the threat posed by infected drives extends beyond the JGSDF. USB flash drives preloaded with the same malware have been sold on all major online marketplaces, and infections have been observed in factories and research centers across many industries in Japan. The fake drives, which are priced 30 to 50 percent less than the authentic products, have been traced to merchant accounts in China.
According to Nikkei Asia, the JGSDF has not disclosed the infection within its network, despite the fake drives still being widely available for purchase online. The Defense Ministry says it continues to investigate the circumstances surrounding the discovery of the drives and intends to enforce mandatory anti-virus protection.
Regular readers of Hot for Security will be well aware of the threat posed by infected USB drives, where malware can hide until a user inserts the drive into their computer.
Organizations obviously need to check that they only buy storage equipment from verified and trusted vendors, and treat suspiciously low-priced products with caution.
In addition, it would be wise to scan removable media on a dedicated standalone system before connecting it to any corporate network. Computers should also have any autorun or autoplay function disabled, to prevent malicious code on the USB drive from running automatically when attached.
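The following Python example is added here and is not from the original article or the reporting it cites: run on the standalone scanning system, it lists what an `autorun.inf` on a mounted drive would launch and which files on the drive can execute code. The extension list, function names and sample drive contents are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path

# Assumed list of Windows file types that run or launch code when opened.
RISKY_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".lnk", ".dll"}
# autorun.inf keys that name a program to start.
LAUNCH_KEYS = {"open", "shellexecute"}


def autorun_targets(root: Path) -> list[str]:
    """Commands that an autorun.inf in the drive root would launch."""
    targets = []
    for inf in root.iterdir():
        if inf.name.lower() != "autorun.inf" or not inf.is_file():
            continue
        section = ""
        for line in inf.read_text(encoding="utf-8", errors="replace").splitlines():
            line = line.strip()
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1].strip().lower()
            elif section == "autorun" and "=" in line and not line.startswith(";"):
                key, value = (part.strip() for part in line.split("=", 1))
                if key.lower() in LAUNCH_KEYS or key.lower().endswith("\\command"):
                    targets.append(value)
    return targets


def risky_files(root: Path) -> list[str]:
    """Relative paths of files on the drive whose type can run code."""
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*")
                  if p.is_file() and p.suffix.lower() in RISKY_EXT)


def triage(root) -> dict:
    root = Path(root)
    return {"autorun": autorun_targets(root), "risky": risky_files(root)}


def build_sample_drive(root) -> Path:
    """Constructed stand-in for a mounted drive; not data from the incident."""
    root = Path(root)
    (root / "AUTORUN.INF").write_text("[AutoRun]\n; comment\nopen=setup\\tool.exe /q\nicon=drive.ico\n")
    (root / "setup").mkdir()
    (root / "setup" / "tool.exe").write_bytes(b"MZ")
    (root / "Photos.lnk").write_bytes(b"L\x00\x00\x00")
    (root / "report.pdf").write_bytes(b"%PDF-1.4")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(triage(build_sample_drive(tmp)))
```

Point `triage()` at the drive's mount point; anything it reports is a reason to hold the drive back for a full anti-virus scan rather than a verdict on its own.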



