
A Flipper Zero BADUSB campaign was detected distributing a Windows logon-screen backdoor that creates hidden administrator accounts and enables persistent, covert system access through the long-known Sticky Keys (sethc.exe) replacement technique.
Threat Intelligence
Model Abuse
Dec 6, 2025
Fortaris has identified a high-risk attack campaign leveraging Flipper Zero BADUSB devices to deploy persistent Windows backdoors through automated keystroke injection.
This technique is being openly distributed across hacking forums and GitHub repositories, lowering the barrier for both insider threats and physical-access attacks. The campaign enables attackers to gain covert, long-term control of Windows systems without deploying traditional malware.
The result is a class of intrusion that evades signature-based antivirus, survives password changes, and remains active even after conventional remediation.
Automated Physical Access Attacks
The Flipper Zero is a consumer-grade hacking device capable of emulating a USB keyboard. When connected to a Windows system, it can inject keystrokes far faster than a human can type (the USB HID interface allows on the order of hundreds of keystrokes per second), allowing it to automate complex attack sequences in under a minute.
The malicious script detected by Fortaris performs the following actions:
It launches an elevated Command Prompt
It accepts the UAC consent prompt with injected keystrokes. UAC is not bypassed: this step only works when the logged-in user is a local administrator (or UAC is configured to elevate silently); for a standard user the prompt demands administrator credentials and the chain stops there
It replaces the Windows Sticky Keys binary (C:\Windows\System32\sethc.exe) with a copy of cmd.exe
It creates a hidden local administrator account
Once deployed, pressing Shift five times at the Windows login screen opens a SYSTEM-level command prompt, granting attackers full control of the machine before any user authentication occurs.
This creates a backdoor that survives reboots, credential changes and malware removal, and it stays in place until sethc.exe itself is restored (sfc /scannow rewrites protected system files from the component store, and cumulative updates may also replace the binary).
Stealth Persistence Without Malware
Unlike traditional intrusions, this technique does not rely on installing trojans, exploits or malicious services.
It abuses legitimate Windows accessibility features and signed system binaries, meaning:
No foreign executable is written to disk: the only on-disk changes are a copy of Microsoft's own cmd.exe and a new local account
No malware process runs between uses; the backdoor is dormant until the key sequence is pressed at the logon screen
No exploit is required; every step uses intended functionality
No file-based antivirus signature is triggered, because every file involved is a legitimate, Microsoft-signed Windows binary (behavioural detection of winlogon.exe launching a shell, or of sethc.exe spawning child processes, is still possible)
From a defender’s perspective, the system appears normal — yet it has been structurally compromised.
This represents a class of living-off-the-OS persistence, where attackers weaponise built-in functionality rather than deploying obvious malware.
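As an added example (not part of the Fortaris write-up, and not the campaign's own script), the following PowerShell detector encodes the behavioural tells this technique cannot avoid: winlogon.exe launching a shell, an accessibility binary spawning a child process, and a local account created from a SYSTEM context. It is written against Sysmon Event ID 1 field names (Image, ParentImage, CommandLine, User); the sample records are constructed, and the Get-SysmonProcessCreate helper assumes Sysmon is installed with process-creation logging enabled.

```powershell
# Added example, not from the Fortaris write-up. Flags process-creation records that
# match the Sticky Keys backdoor at runtime. Records use Sysmon Event ID 1 field names
# (Image, ParentImage, CommandLine, User); the sample records below are constructed.

# Accessibility helpers winlogon.exe launches at the logon screen. A clean one never
# spawns children, and winlogon.exe never launches a shell directly.
$AccessibilityBinaries = @('sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe',
                           'magnify.exe', 'displayswitch.exe', 'atbroker.exe')
$ShellBinaries = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe')

function Test-StickyKeysBackdoor {
    # Returns a reason string when the record is suspicious, otherwise $null.
    param([Parameter(Mandatory)][psobject]$Record)
    $image  = [System.IO.Path]::GetFileName($Record.Image).ToLowerInvariant()
    $parent = [System.IO.Path]::GetFileName($Record.ParentImage).ToLowerInvariant()

    # 1. winlogon.exe launching a shell: what an Image File Execution Options
    #    "Debugger" redirection of sethc.exe looks like.
    if ($parent -eq 'winlogon.exe' -and $image -in $ShellBinaries) {
        return 'winlogon.exe launched a shell'
    }
    # 2. An accessibility binary spawning anything at all: when cmd.exe has been copied
    #    over sethc.exe, the shell runs under the name sethc.exe and its children
    #    (whoami, net, ...) carry sethc.exe as parent.
    if ($parent -in $AccessibilityBinaries) {
        return "$parent spawned $image"
    }
    # 3. Lower confidence: a local account created from a SYSTEM context. Software
    #    deployment agents can do this legitimately, so treat it as corroboration.
    if ($image -in @('net.exe', 'net1.exe') -and
        $Record.CommandLine -match '(?i)\buser\b.+\s/add\b' -and
        $Record.User -match '(?i)\\SYSTEM$') {
        return 'local account created from a SYSTEM context'
    }
    return $null
}

function Get-SysmonProcessCreate {
    # Live equivalent of the constructed input: Sysmon Event ID 1 reshaped to the
    # four fields the detector reads. Assumes Sysmon with process-creation logging.
    Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -FilterXPath '*[System[EventID=1]]' |
        ForEach-Object {
            $fields = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Image = $fields['Image'];             ParentImage = $fields['ParentImage']
                CommandLine = $fields['CommandLine']; User = $fields['User']
            }
        }
}

# Constructed sample records: one legitimate Sticky Keys launch, one ordinary user
# shell, and three records that together describe a backdoor being used.
$SampleRecords = @(
    [pscustomobject]@{ Image = 'C:\Windows\System32\sethc.exe';  ParentImage = 'C:\Windows\System32\winlogon.exe'; CommandLine = 'sethc.exe';                          User = 'NT AUTHORITY\SYSTEM' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\cmd.exe';    ParentImage = 'C:\Windows\explorer.exe';          CommandLine = '"C:\Windows\System32\cmd.exe"';       User = 'CORP\alice' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\cmd.exe';    ParentImage = 'C:\Windows\System32\winlogon.exe'; CommandLine = 'cmd.exe sethc.exe';                   User = 'NT AUTHORITY\SYSTEM' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\whoami.exe'; ParentImage = 'C:\Windows\System32\sethc.exe';    CommandLine = 'whoami';                              User = 'NT AUTHORITY\SYSTEM' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\net.exe';    ParentImage = 'C:\Windows\System32\cmd.exe';      CommandLine = 'net user svc_helper Passw0rd! /add';  User = 'NT AUTHORITY\SYSTEM' }
)

foreach ($r in $SampleRecords) {
    $reason = Test-StickyKeysBackdoor -Record $r
    if ($reason) {
        Write-Warning ('{0} -> {1}: {2}' -f (Split-Path $r.ParentImage -Leaf), (Split-Path $r.Image -Leaf), $reason)
    }
}
# Against a live host: Get-SysmonProcessCreate | Where-Object { Test-StickyKeysBackdoor -Record $_ }
```

The first two records are the benign baseline (a real Sticky Keys launch, and a user opening a shell from Explorer) and produce no warning; the remaining three fire rules 1, 2 and 3 respectively. Rule 2 is the one that holds regardless of which accessibility binary was swapped, which is why the detector covers utilman.exe, osk.exe and the others alongside sethc.exe.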
Why This Attack Is Dangerous
This campaign turns brief physical access into full, permanent system compromise.
A laptop left unattended in an office, hotel, airport or conference can be compromised in seconds. A malicious insider, contractor or visitor can implant a backdoor that provides long-term administrative access without needing to return.
Once deployed, attackers can:
Access the system remotely, using the hidden administrator account over RDP or SMB where those services are exposed (the Sticky Keys prompt itself is also reachable at the RDP logon screen on hosts that do not enforce Network Level Authentication)
Create additional users
Disable security tools
Extract data
Move laterally across networks
All while evading file-based and signature-based detection controls.
Why Fortaris Flagged This
Fortaris classified this campaign as critical because it combines:
Open distribution of working attack scripts
A consumer-grade delivery device
Low technical skill requirements
High-impact system compromise
Persistent, stealthy access
This is not a theoretical weakness: it is a weaponised, deployable technique already circulating in the wild, and since every step uses intended Windows functionality there is no patch to wait for.
It reflects a broader shift toward hardware-assisted, automation-driven intrusions that bypass traditional cyber defences.
Defensive and Governance Implications
Organisations must treat physical access as a cyber threat vector.
In environments handling sensitive data, AI systems, or regulated infrastructure, this class of attack creates serious governance risk. A compromised endpoint may continue operating inside trusted networks without any visible sign of breach.
Security teams should prioritise:
Blocking unauthorised USB HID devices through device installation restrictions with an allow-list of approved keyboard hardware IDs (a BadUSB device enumerates as an ordinary keyboard and its vendor and product IDs are attacker-controlled, so without an allow-list it cannot be told apart from a real keyboard)
Monitoring Windows accessibility binaries (sethc.exe, utilman.exe, osk.exe and the other System32 accessibility helpers) for both file replacement and Image File Execution Options "Debugger" redirection, and alerting when winlogon.exe launches a shell or any of them spawns a child process
Auditing local Administrators group membership and hidden accounts, including entries under Winlogon\SpecialAccounts\UserList that suppress an account from the logon screen
Hardening physical endpoint access: locked screens with short inactivity timeouts (the injection needs an unlocked administrator session) and port control on unattended machines
Without these controls, organisations remain exposed to attacks that never trigger conventional alerts.
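Added example (not Fortaris's own tooling): a PowerShell audit that checks a single Windows host for the artefacts described above, covering the accessibility-binary and hidden-administrator checks in the list. It assumes an elevated Windows PowerShell 5.1 session on Windows 10/11 where the Microsoft.PowerShell.LocalAccounts cmdlets are available; the registry paths and binary names are the standard ones, and the output column names are chosen here for illustration.

```powershell
# Added example, not from the Fortaris write-up. Point-in-time audit of one host for
# the two persistence artefacts described above. Run from an elevated Windows
# PowerShell 5.1 session on Windows 10/11 (uses the Microsoft.PowerShell.LocalAccounts
# module). Functions return objects so results can be exported or diffed over time.

$System32 = Join-Path $env:SystemRoot 'System32'
$AccessibilityBinaries = @('sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe',
                           'magnify.exe', 'displayswitch.exe', 'atbroker.exe')
$IfeoKey     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$UserListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'

function Get-AccessibilityBinaryFindings {
    # A copied cmd.exe still carries a valid Microsoft Authenticode signature, so a
    # signature check alone passes. Compare content hashes against the shells an
    # attacker copies in, compare the version resource's OriginalFilename with the
    # file name, and read the IFEO Debugger value that would redirect the launch.
    $shellHashes = foreach ($shell in 'cmd.exe', 'powershell.exe') {
        (Get-FileHash -Algorithm SHA256 -Path (Join-Path $System32 $shell)).Hash
    }
    foreach ($name in $AccessibilityBinaries) {
        $path = Join-Path $System32 $name
        if (-not (Test-Path $path)) { continue }
        $original = (Get-Item $path).VersionInfo.OriginalFilename
        $debugger = (Get-ItemProperty -Path (Join-Path $IfeoKey $name) -Name Debugger -ErrorAction SilentlyContinue).Debugger
        [pscustomobject]@{
            Binary           = $name
            ReplacedByShell  = (Get-FileHash -Algorithm SHA256 -Path $path).Hash -in $shellHashes
            OriginalFilename = $original
            NameMismatch     = [bool]$original -and ($original -ne $name)   # -ne is case-insensitive
            IfeoDebugger     = $debugger                                     # non-empty: launch is redirected
            Signature        = (Get-AuthenticodeSignature -FilePath $path).Status
        }
    }
}

function Get-LocalAdminFindings {
    # Members of the local Administrators group plus the two common hiding tricks:
    # a DWORD 0 under SpecialAccounts\UserList removes an account from the logon
    # screen, and a trailing '$' keeps it out of 'net user' output (Get-LocalUser
    # still lists it).
    $userList = Get-ItemProperty -Path $UserListKey -ErrorAction SilentlyContinue
    foreach ($member in Get-LocalGroupMember -Group 'Administrators') {
        $short = $member.Name -replace '^.*\\', ''
        $user  = Get-LocalUser -Name $short -ErrorAction SilentlyContinue   # $null for domain principals
        $enabled  = if ($user) { $user.Enabled } else { $null }
        $pwdSet   = if ($user) { $user.PasswordLastSet } else { $null }
        $hiddenFromLogon = ($null -ne $userList) -and
                           ($userList.PSObject.Properties.Name -contains $short) -and
                           ($userList.$short -eq 0)
        [pscustomobject]@{
            Member            = $member.Name
            Source            = $member.PrincipalSource     # Local, ActiveDirectory or MicrosoftAccount
            Enabled           = $enabled
            PasswordLastSet   = $pwdSet
            HiddenFromLogon   = $hiddenFromLogon
            HiddenFromNetUser = $short.EndsWith('$')
        }
    }
}

$binaries = Get-AccessibilityBinaryFindings
$binaries | Format-Table -AutoSize
$binaries | Where-Object { $_.ReplacedByShell -or $_.NameMismatch -or $_.IfeoDebugger } |
    ForEach-Object { Write-Warning "Accessibility binary tampered with: $($_.Binary)" }

$admins = Get-LocalAdminFindings
$admins | Format-Table -AutoSize
$admins | Where-Object { $_.HiddenFromLogon -or $_.HiddenFromNetUser } |
    ForEach-Object { Write-Warning "Hidden local administrator: $($_.Member)" }
```

The version-resource check matters because a copied cmd.exe remains a validly signed Microsoft file, so Get-AuthenticodeSignature alone reports Valid on a backdoored sethc.exe. For remediation, sfc /scannow restores the original binary from the component store; an IFEO Debugger value and any unexpected accounts have to be removed by hand, and the host should be considered fully compromised until both are gone.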
Final Thought
This detection highlights how many modern attacks no longer rely on exploits; they rely on automation, accessibility features and physical access.
The most dangerous intrusions today are not loud. They are fast, silent and structurally embedded.
That is the threat environment Fortaris is built to expose.