USB Rubber Ducky and DuckyScript 3.0: How Cross-Platform Keystroke Injection Attacks Work in 2026
With DuckyScript 3.0, USB Rubber Ducky attacks have taken a major leap forward. This new language allows malicious code to adapt dynamically, targeting Windows and Mac with precision while enhancing flexibility for hackers.
Ozan Ucar, Founder and CEO of Keepnet
Last Updated: 2026-06-01
'%3e%3cpath%20d='M4%204L15.733%2020H20L8.267%204H4Z'%20stroke='%230671C0'%20stroke-width='2'%20stroke-linecap='round'%20stroke-linejoin='round'/%3e%3cpath%20d='M4%2020L10.768%2013.232M13.228%2010.772L20%204'%20stroke='%230671C0'%20stroke-width='2'%20stroke-linecap='round'%20stroke-linejoin='round'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_8149_16006'%3e%3crect%20width='24'%20height='24'%20fill='white'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
'%3e%3cpath%20d='M5.37214%2023.8745H0.396429V8.10162H5.37214V23.8745ZM2.88161%205.95006C1.29054%205.95006%200%204.65279%200%203.08658C1.13882e-08%202.33427%200.303597%201.61278%200.844003%201.08082C1.38441%200.548853%202.11736%200.25%202.88161%200.25C3.64586%200.25%204.3788%200.548853%204.91921%201.08082C5.45962%201.61278%205.76321%202.33427%205.76321%203.08658C5.76321%204.65279%204.47214%205.95006%202.88161%205.95006ZM23.9946%2023.8745H19.0296V16.1963C19.0296%2014.3665%2018.9921%2012.0198%2016.4427%2012.0198C13.8557%2012.0198%2013.4593%2014.0079%2013.4593%2016.0645V23.8745H8.48893V8.10162H13.2611V10.2532H13.3307C13.995%209.01393%2015.6177%207.70611%2018.0386%207.70611C23.0743%207.70611%2024%2010.9704%2024%2015.2102V23.8745H23.9946Z'%20fill='%230671C0'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_3867_24588'%3e%3crect%20width='24'%20height='27'%20fill='%234A4D53'%20transform='translate(0%200.25)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
'%3e%3cpath%20d='M13.957%2014.75L14.668%2010.0848H10.2225V7.05745C10.2225%205.78115%2010.8435%204.53707%2012.8345%204.53707H14.8555V0.565174C14.8555%200.565174%2013.0215%200.25%2011.268%200.25C7.60703%200.25%205.21403%202.48441%205.21403%206.52931V10.0848H1.14453V14.75H5.21403V26.0278H10.2225V14.75H13.957Z'%20fill='%230671C0'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_3867_24590'%3e%3crect%20width='16'%20height='25.7778'%20fill='%234A4D53'%20transform='translate(0%200.25)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
In 2026, USB Rubber Duckies continue to evolve rapidly and cybersecurity threats from physical keystroke injection devices are expanding. DuckyScript 3.0, released alongside the latest generation of the Hak5 USB Rubber Ducky, has transformed the device from a single-platform script executor into a full cross-platform attack tool capable of intelligently adapting to Windows, macOS, and Linux environments. Physical access attacks using USB devices have increased in frequency as organizations focus their security investment on network and endpoint defenses while underestimating physical security risks. Penetration testers and red teams report that USB drop tests continue to achieve high success rates even in organizations with mature security awareness programs.
What Is a USB Rubber Ducky?
The USB Rubber Duckyis a malicious device disguised as a USB drive but actually acts as a keyboard emulator. Once plugged into a target computer, it can execute a series of predefined commands or scripts designed to perform a variety of malicious actions. Originally, the device had a significant limitation. It required carefully designed, OS specific attack commands, limiting its success rate. But with the release ofDuckyScript 3.0, this has changed dramatically.
Why DuckyScript 3.0 Matters
DuckyScript 3.0 represents a substantial upgrade from previous versions, turning the Rubber Ducky into a powerful programming tool for cyber attacks rather than a simple keyboard script executor. While DuckyScript 2.0 could execute sequential commands, the updated DuckyScript 3.0 allows for:
- Advanced flow control (with conditional checks and loops)
- Function definitions that let code run modularly
- Variable storage and use
- Device and OS based logic
These features enable hackers to target both Windows and macOS devices with conditional commands. A Rubber Ducky can now “think” before executing, deciding which attack script to run based on the detected operating system, checking for specific software versions, or even self terminating if connected to the wrong machine.
Real World Capabilities of the Updated Rubber Ducky
Let's look at how these features might play out in realistic attacks:
1. Credential Theft
With DuckyScript 3.0, a Rubber Ducky can check if it’s connected to a Windows machine. If confirmed, it can execute a credential harvesting script tailored for Windows. Alternatively, if it detects macOS, it can run a macOS specific script for password theft. This adaptability significantly increases the threat to cross platform environments.
2. Network and Browser Manipulation
Older Rubber Ducky scripts could, for example, make Chrome send saved passwords to an attacker’s server. Now, with conditional logic and variables, it could selectively target browsers and send phishing emails or network requests based on the detected OS or software environment.
3. Data Exfiltration and Remote Control
More advanced DuckyScript functionality allows hackers to establish backdoors or remote control options on targeted systems. A script might exfiltrate files, monitor network traffic, or redirect the victim’s DNS to an attacker’s server.
These capabilities turn the USB Rubber Ducky into more than a one time-use device. It’s now programmable, versatile, and ready to adapt on the fly, increasing the complexity of cybersecurity defenses required.
Understanding DuckyScript 3.0 and Its Features
Let’s look more closely at the updates in DuckyScript 3.0 that enable these advanced functions.
Enhanced Logic and Flow Control
DuckyScript 3.0 introduces if-else statements, loops, and other control flow features that let the script make decisions based on variables, user input, or machine conditions. For example:
IF OS Windows
RUN Windows-specific-commands
ELSE
RUN Mac-specific-commands
END
This allows for flexible scripting that can be deployed on any system, making it highly adaptable and resilient to a range of targets.
Functions and Variable Storage
With the ability to store variables and use functions, DuckyScript 3.0 resembles a basic programming language rather than a simple script executor. A Rubber Ducky can perform tasks based on stored data, giving it the ability to remember previous steps and avoid redundant commands. For instance, the script could check for a Wi-Fi network connection, store that information, and proceed with data exfiltration only if a network connection is verified.
Conditional Commands Based on System Environment
The new scripting language includes the ability to detect the target operating system and software version before deploying malicious actions. This conditional behavior allows for device specific attacks, minimizing detection risks and reducing reliance on hardcoded, single platform scripts.
The Future of USB Based Attacks with Rubber Ducky
As USB Rubber Ducky devices evolve, security professionals must stay vigilant, especially since physical access attacks are increasingly being combined with social engineering. In 2026, attackers have been documented staging USB drop attacks in conjunction with voice phishing (vishing) calls to IT helpdesks, where an attacker calls posing as a vendor while an accomplice plants a device. Multi-vector physical attacks of this type require organizations to train employees on physical security as rigorously as they train them on email phishing. USB devices found anywhere on premises should be treated as potential threats and handed to IT security without being connected.
Key Security Strategies to Combat USB Rubber Ducky Attacks
Understanding how attackers exploit USB devices is critical to defending against them. Here are some best practices for mitigating Rubber Ducky attacks:
1. Employee Awareness and Training
Security awareness training on the dangers of USB devices is essential. Employees must understand that plugging in unknown devices could potentially expose them to malicious scripts capable of credential theft or data exfiltration. Training programs, such as Keepnet Labs’ Security Awareness Training, can significantly reduce the success rate of these attacks.
2. Limit USB Port Access
Restrict USB port usage to only approved devices, which helps reduce the risk of USB based attacks. Policies that enforce USB access control or disable unused ports are simple yet effective strategies.
3. Use Phishing and USB Simulators
USB based attack simulators allow security teams to test their employees’ awareness and response to USB based threats. The Phishing Simulator is also a valuable tool for assessing how employees respond to real world attack simulations, including USB based exploits.
4. Implement Endpoint Detection and Response (EDR) Tools
Modern EDR tools can detect unusual USB device behavior, helping identify and stop attacks before they gain access to sensitive information. By monitoring for suspicious activity, these tools add an extra layer of defense against USB borne threats.
Final Thoughts
With DuckyScript 3.0, USB Rubber Ducky attacks are more flexible, adaptable, and dangerous than ever. In 2026, the threat has expanded beyond the classic Rubber Ducky to include O.MG cables that look like standard charging cables but contain full keystroke injection capability, and purpose-built devices marketed explicitly to red teams and attackers at increasingly accessible price points. The barrier to conducting a sophisticated physical access attack has never been lower. Organizations that rely solely on network security controls while neglecting physical security policies, USB restriction enforcement, and employee training on device handling are significantly exposed.
Editor's Note: This article was updated on June 1, 2026.
SHARE ON