A lot of comments seem to ignore the possibility that the executor of the file on the USB stick wasn’t also part of the exploit chain. The EU has expelled a lot of diplomats and insiders in the last few years. Why wouldn’t a nation state combine a zero day with a physical asset that can execute it?