LOTHardware LOTHardware / USB Nova

The USB Nova is an open-source BadUSB keystroke-injection tool from Spacehuhn Technologies, built on an RP2040, SAMD, or ESP32-class microcontroller. It masquerades as an ordinary USB device but acts as a Human Interface Device that types scripted payloads at machine speed, much like a Rubber Ducky. The firmware presents a composite HID and Mass Storage device, letting it inject keystrokes while also exposing storage. Its default USB identifiers are taken from the MCS Electronics shared pool, so they can be reassigned or spoofed in firmware.

USB Nova

Description

The USB Nova is an open-source BadUSB keystroke-injection tool from Spacehuhn Technologies, built on an RP2040, SAMD, or ESP32-class microcontroller. It masquerades as an ordinary USB device but acts as a Human Interface Device that types scripted payloads at machine speed, much like a Rubber Ducky. The firmware presents a composite HID and Mass Storage device, letting it inject keystrokes while also exposing storage. Its default USB identifiers are taken from the MCS Electronics shared pool, so they can be reassigned or spoofed in firmware.

Limitations

The VendorID and ProductID below are the firmware defaults confirmed in the SpacehuhnTech/USBNova source. They are software-assigned and can be spoofed, so treat them as detection indicators rather than guarantees. The USB Nova always runs from its application firmware, so unlike bootloader-based boards there is no separate programming-mode identity to track; the IDs seen at runtime are the IDs listed here.

Device Instance Path

?\VID_16D0&PID_11A4

VendorID

16D0

ProductID

11A4

Class

Composite (HID / Mass Storage)

Author

@enesilhaydin

Sigma Rules

title: USB Nova USB Device Connected
id: 460ce33f-6bc4-41fc-aa45-f4bde4bef264
status: experimental
description: Detects a USB Nova by its default USB VID/PID. These identifiers can be spoofed, so treat this as an indicator.
references:
    - https://lothardware.com.tr/usb-nova/
author: '@enesilhaydin'
date: 2026/06/22
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 6416
        DeviceId|contains: 'VID_16D0&PID_11A4'
    condition: selection
falsepositives:
    - Unrelated hardware sharing the same controller VID/PID
level: medium
tags:
    - attack.initial_access
    - attack.t1200

Requires Windows Audit PNP Activity (Security Event 6416).

1- https://usbnova.com/
2- https://github.com/SpacehuhnTech/USBNova