PSA: Attack Shark R85 HE (FREEWOLF US / Amazon) — BadUSB credential harvester, confirmed malware
TL;DR: Bought an Attack Shark R85 HE from FREEWOLF US on Amazon. Plugged it in. It immediately ran a BadUSB credential-harvesting attack: opened login pages, ran PowerShell recon, targeted my password manager, and downloaded confirmed malware. Windows Defender detected two threats, both requiring manual removal. Two days of incident response. Amazon called it a defective return. It wasn't defective. It was weaponized. Don't buy this keyboard.

Warning: This keyboard currently carries Amazon's Choice status and is actively being sold.

Product: Attack Shark R85 HE Wired 75% Hall Effect Mechanical Keyboard
Seller: FREEWOLF US
Fulfilled by Amazon

What happened (June 1st, seconds after plugging in):

Before any drivers, before any setup, before a single key was touched, the device started executing on its own.

- Immediately opened multiple browser tabs targeting Microsoft OneDrive, Teams, Microsoft 365, and LinkedIn login pages simultaneously
- Triggered a LastPass clipboard permission prompt: it identified LastPass was installed and went for the vault
- Executed Get-AppxPackage | Select Name via PowerShell to inventory every installed application on the system, confirmed in the Windows Event Viewer PowerShell Operational log at 5:52 PM
- Used that software inventory to specifically target LastPass based on what it found
- Created folders on the Desktop and downloaded a malicious archive containing confirmed malware

This is not a spray-and-pray script. It recons first, then targets what it finds.

Windows Defender detections from files the device created:

- SoftwareBundler:Win32/Stallmonitz (High severity, remove failed)
- Trojan:Win32/Skeeyah.A!bit (Severe, remove failed). Defender's own label: "This program is dangerous and executes commands from an attacker"

Both required manual deletion after Defender failed to auto-remove.

Why it didn't fully succeed: LastPass MFA blocked vault access. Microsoft and LinkedIn required authentication it couldn't automate past.
Aftermath: Two full days of incident response. System audit, credential rotation, account remediation across multiple services. Amazon classified it as a defective return. It was not defective. It functioned exactly as it was programmed to.

If you own this keyboard: do not plug it in.

If you already did: check your browser history, password manager activity logs, and the Windows Event Viewer PowerShell Operational log. Run a full Defender scan immediately.

Good luck out there, y'all.

submitted by /u/RefrigeratorLegal868
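The post tells readers to check the PowerShell Operational log and Defender results by hand. The following is an added triage script, not code from the poster, that automates those checks on the affected Windows host. It assumes it runs in an elevated PowerShell session, that the date window $Since is adjusted to the day the device was connected, and that the keyword list $patterns is a constructed starting point based on what the post describes (Get-AppxPackage inventory, a download, an archive, clipboard access); the Defender and PnP cmdlets used are standard Windows cmdlets.

```powershell
# Added triage example (not from the original post). Run elevated on the affected host.
# Constructed assumption: the incident happened within the last 7 days; narrow this.
$Since = (Get-Date).AddDays(-7)

# Keywords to flag in logged script blocks. Constructed from the behaviour the post
# describes; extend as needed. Matched as regular expressions.
$patterns = 'Get-AppxPackage', 'Invoke-WebRequest', 'DownloadFile', 'Expand-Archive',
            'Set-Clipboard', 'Get-Clipboard', 'Start-Process'

# 1. PowerShell script-block events (Event ID 4104) from the Operational log.
#    Windows logs blocks it considers suspicious even when script block logging is off;
#    enable "Turn on PowerShell Script Block Logging" in Group Policy for full coverage.
$hits = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = $Since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $text = $_.Properties[2].Value   # Properties[2] is ScriptBlockText for 4104 events
    $matched = $patterns | Where-Object { $text -match $_ }
    if ($matched) {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Matched     = ($matched -join ', ')
            ScriptBlock = $text
        }
    }
}
"=== Suspicious script blocks since $Since ==="
$hits | Sort-Object Time | Format-List

# 2. Defender detection history: what was found, which process dropped it, and
#    whether the remediation action succeeded (the post saw "Remove failed").
"=== Defender detections ==="
Get-MpThreatDetection |
    Where-Object { $_.InitialDetectionTime -ge $Since } |
    Select-Object InitialDetectionTime, ThreatID, ProcessName, ActionSuccess, Resources |
    Format-List

# Map numeric ThreatID values above to their names and severity.
Get-MpThreat | Select-Object ThreatID, ThreatName, SeverityID, IsActive | Format-Table -AutoSize

# 3. Anything created on the Desktop inside the window (the post reports new folders
#    and a downloaded archive there).
"=== New Desktop items ==="
Get-ChildItem -Path "$env:USERPROFILE\Desktop" -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $Since } |
    Select-Object FullName, CreationTime, Length |
    Sort-Object CreationTime

# 4. USB device history, including devices no longer attached. A BadUSB device shows
#    up as a HID keyboard; note any additional classes (storage, network) that appeared
#    alongside it, and the instance IDs to reference in a support or IR ticket.
"=== USB devices seen by Plug and Play ==="
Get-PnpDevice | Where-Object { $_.InstanceId -like 'USB\*' } |
    Select-Object Status, Class, FriendlyName, InstanceId |
    Sort-Object Class, FriendlyName |
    Format-Table -AutoSize
```

Treat the script-block output as the primary evidence: it preserves the exact commands that ran, with timestamps that can be correlated with browser history and the password manager's activity log. Keep the Desktop artefacts and Defender entries rather than deleting them until the credential rotation is complete.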