{
  "family": "vobfus",
  "sample_count": 1484,
  "category": "worm",
  "description": "Vobfus is a worm family that spreads through removable drives by creating LNK shortcut files that execute the worm when clicked. It downloads additional payloads, typically info-stealers and banking trojans, and modifies registry settings to hide files and disable security tools. Vobfus is a common finding in environments with weak USB controls.",
  "cta": "If you suspect this malware on your system, do not attempt manual removal. Contact SystemHelpdesk expert MSP support at 855-783-7555 for professional incident response guidance.",
  "aliases": [
    "beebone",
    "changeup"
  ],
  "enrichment_level": "hand-curated",
  "faq": [
    {
      "@type": "Question",
      "name": "What is Vobfus?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Vobfus is a worm family that spreads through removable drives by creating LNK shortcut files that execute the worm when clicked. It downloads additional payloads, typically info-stealers and banking trojans, and modifies registry settings to hide files and disable security tools. Vobfus is a common finding in environments with weak USB controls."
      }
    },
    {
      "@type": "Question",
      "name": "How does Vobfus spread?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Vobfus (Beebone) spreads through infected removable drives using autorun.inf and downloads additional malware as a loader."
      }
    },
    {
      "@type": "Question",
      "name": "What are the signs of a Vobfus infection?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Hidden folders on USB drives replaced by shortcut LNK files, autorun.inf creation on removable media, and AV detections for Vobfus, Beebone, or Changeup indicate infection."
      }
    },
    {
      "@type": "Question",
      "name": "What should I do if I think I have Vobfus on my system?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "If you suspect this malware on your system, do not attempt manual removal. Contact SystemHelpdesk expert MSP support at 855-783-7555 for professional incident response guidance."
      }
    }
  ],
  "faq_count": 4,
  "mitre_attack": [
    "T1091",
    "T1547.001"
  ],
  "cisa_advisory": null,
  "last_updated": "2026-05-27"
}