HVNC (Hidden VNC) is a remote-control malware/tool that creates a separate, invisible desktop session on a compromised Windows system, allowing an operator to interact with the host without the victim seeing the activity. The content explicitly describes it as a Hidden Virtual Network Computing client and notes that applications running in the hidden desktop are invisible to the user’s normal desktop. Reported use cases include covert remote administration, banking fraud, privilege escalation support, and credential theft operations.
The malware appears in multiple intrusion contexts. In Kimsuky operations, AppleSeed and PebbleDash backdoors were reported to install HVNC as a follow-on payload alongside tools such as Meterpreter, TightVNC, RDP Wrapper, UACMe, Mimikatz, Chrome credential theft components, keylogging, and proxy malware. In a separate phishing campaign assessed as run by a Vietnam-based cybercriminal actor, job-offer lures delivered PureRAT and sometimes HVNC via ZIP/RAR archives, DLL sideloading, batch scripts, Python loaders, hidden directories under %LOCALAPPDATA%\Google Chrome, and persistence via HKCU Run keys or scheduled tasks. In Catasia activity targeting Mexico, a third-stage payload named hvnc.exe was deployed after phishing emails impersonating major organizations; that campaign focused on redirecting Banco Santander users to phishing pages and stealing banking and email credentials.
The content also links HVNC to recent Cloudflare Quick Tunnel-delivered malware campaigns. Breakglass Intelligence identified Python-based payloads labeled Hv / Hvvvv... as likely HVNC clients, including strings such as "[LOAD] Calling HvncRun..." and "--- HvncClient log ---". These payloads were bundled with Python 3.12 runtimes in roughly 33 MB ZIP archives, obfuscated with a custom "Kramer" framework, and delivered through multi-stage WSF/BAT/ZIP chains targeting German-speaking and UK victims. One report characterizes the Hv payload as a Hidden VNC variant associated with banking fraud use cases. Related artifacts mentioned include DLL names such as klnaicHvvv.dll and payload filenames such as 1Apr02_Hvvvvvvvvvvvv-obf.py.
Another campaign used a trojanized Slack installer distributed via the typosquatted domain slacks[.]pro, redirecting to debtclean-ua[.]sbs. In that case, the installer dropped a legitimate Slack package and a malicious loader in parallel. The loader contacted 94.232.46.16:8081, downloaded and decrypted a second-stage DLL, wrote it to disk with a wmiprvse_*.tmp naming pattern, and was designed to invoke an exported function named HvncRun. The loader used dynamic API resolution, anti-analysis checks, and section-based injection into explorer.exe via NtCreateSection and NtCreateThreadEx, with a fallback DropAndLoad method if required NT APIs were unavailable. Reported hashes from that campaign were cfd2e466ea5ac50f9d9267f3535a68a23e4ff62e3fe3e20a30ec52024553c564 for slack-4-49-81.exe and 08fd0a82cdeb0a963b7416cf57446564dfed5de5c6f66dee94b36d28bfefec9d for svc.tmp.
Overall, the content consistently describes HVNC as Windows-focused hidden remote-control malware used as a secondary payload by both espionage and cybercrime actors, commonly delivered after phishing or downloader stages and valued for enabling attacker interaction that remains invisible to the victim.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The attacker can use backdoor to install another remote control malware such as Meterpreter and HVNC, or various other types of malware for privilege escalation and account credential theft.
21 distinct techniques documented for this family, organized by ATT&CK tactic.
“In some cases, a scheduled task is created, with various names, such as 123456.exe.”
“These DLLs usually act as loaders for malicious batch scripts… @echo off… reg add… start …”
Execution Command and Scripting Interpreter: Python T1059.006 Obfuscated Python payloads
The strings [INJ] === Section-based injection into explorer.exe === and [INJ] Remote thread created in explorer.exe! describe a sequence in which the loader creates a shared memory section via NtCreateSection ... and starts a remote thread via NtCreateThreadEx.
“If the ZIP archives are opened, they initiate an infection chain leading to the installation of PureRAT or another payload such as a HVNC.”
“The archives usually contain an executable, which is then used to sideload a malicious DLL… Haihaisoft PDF Reader or an old version of Microsoft Excel… renamed version of the Foxit PDF reader for sideloading… malicious DLLs included: oledlg.dll, msimg32.dll, version.dll, and profapi.dll.”
Defense Evasion Obfuscated Files or Information T1027 Kramer Python obfuscator, .pyc as .py
“phishing emails… masquerading as job offers… attackers renamed the executable to masquerade as something else… adobereader.exe… Salary and Benefits.exe… After the persistence mechanism… masquerading as ChromeUpdate.”
To run the HVNC payload covertly, the loader is equipped to inject the DLL into explorer.exe using a technique known as section-based injection.
“Tạo tiến trình InstallUtil.exe ngầm (ẩn cửa sổ) … target_path = …\InstallUtil.exe”
MITRE ATT&CK Mapping ... Execution Regsvr32 T1218.010 DLL registration via regsvr32 /s
Windows supports the CreateDesktop() API that can create a hidden desktop window with its own corresponding explorer.exe process. All applications running on the hidden desktop window, such as a hidden VNC (hVNC) session, will be invisible to other desktops windows.
“creates a hidden directory under %LOCALAPPDATA%\Google Chrome… attrib +h +s”
In addition, Windows supports the CreateDesktop() API that can create a hidden desktop window with its own corresponding explorer.exe process. All applications running on the hidden desktop window, such as a hidden VNC (hVNC) session, will be invisible to other desktops windows.
Operators can use HVNC to control a hidden browser session, run a keylogger, take screenshots, and manage files remotely.
Windows supports the CreateDesktop() API that can create a hidden desktop window with its own corresponding explorer.exe process. All applications running on the hidden desktop window, such as a hidden VNC (hVNC) session, will be invisible to other desktops windows.
“The archives usually contain an executable, which is then used to sideload a malicious DLL… Haihaisoft PDF Reader or an old version of Microsoft Excel… renamed version of the Foxit PDF reader for sideloading… malicious DLLs included: oledlg.dll, msimg32.dll, version.dll, and profapi.dll.”
30 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
11 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Hidden Virtual Network Computing payload that creates an invisible desktop session, allowing attackers to browse, access accounts, and interact with authenticated sessions without anything appearing on the victim’s visible screen. The article notes it is primarily associated with financial fraud operations.
A suspected HVNC payload identified from the DLL naming convention in the March 26 campaign, likely intended to provide hidden remote desktop capability.
Hidden VNC remote access payload delivered in multiple obfuscated Python variants and also referenced in historical DLL form.
A Hidden VNC remote access payload used in the campaign, apparently aimed at banking fraud activity.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.