Hackers can now have concealed VNC access to Windows devices thanks to new LOBSHOT Malware. (10th M

Ref# AL2023_27 | Date: May 10th 2023


Cybersecurity researchers discovered a new malware dubbed LOBSHOT that is being spread via Google ads. By employing hVNC, this virus enables online thieves to control infected Windows computers. 

hVNC is a kind of VNC remote access program that has been modified to work on a hidden desktop on an infected device rather than the owner's primary desktop. This gives malicious actors full remote control of a Windows desktop without the owner's knowledge.


hVNC (Hidden Virtual Network Computing) is a feature of the LOBSHOT malware that enables attackers to covertly access a victim's PC. The hVNC component is useful for getting around fraud detection tools. Additionally, LOBSHOT is used to commit financial crimes thanks to its information-stealing and banking trojan functionality.

When LOBSHOT is run, it makes a copy of itself in the “C:\ProgramData” directory, starts a fresh process using explorer.exe, ends the previous one, and then deletes the original file. This conceals the process tree lineage and makes the malware harder for analysts to find.

LOBSHOT maintains persistence through a Registry Run key. After establishing its persistence mechanism, LOBSHOT starts a new thread to enable its stealer feature. The stealer begins by targeting cryptocurrency-related browser add-ons, such as wallet extensions for Chrome, Firefox, and Edge.

The hVNC module of LOBSHOT is another important feature of the malware. At this point, the infected computer starts sending screenshots of the hidden desktop to a client that is being monitored by the attacker. Using the client to control the keyboard, click buttons, and move the mouse, the attacker has total remote control of the device.

The hVNC module in LOBSHOT gives the attacker access to a number of commands. The Start Menu can be activated, the Windows Run command can be used to start new Windows processes, Internet Explorer, Edge, and Firefox can be launched, existing explorer.exe processes can be stopped, Windows sound settings can be changed, and clipboard text can be set or retrieved.

This malware infection chain starts when a user searches the Internet for trustworthy software (like AnyDesk). The user clicks on one of the search results, but it turns out to be a Google Ad that takes them to a fake landing page for the software download. From this page, the user downloads and runs an MS installer, which starts PowerShell. 

The LOBSHOT virus is then downloaded by PowerShell and run via rundll32. Once LOBSHOT has been run, it starts its malicious operations, which include stealing confidential data and giving the attacker remote access via its hVNC module. 
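For defenders, the stages described above (an MS installer starting PowerShell, PowerShell running rundll32, and a copy under C:\ProgramData started using explorer.exe) can be correlated per host in process-creation telemetry. The sketch below is an added example, not part of the original alert. It assumes events with `host`, `parent`, `image` and `cmdline` fields, it reads "using explorer.exe" as explorer.exe being the parent process, and every sample event and file name in it is constructed.

```python
import ntpath
from collections import defaultdict

SHELLS = {"powershell.exe", "pwsh.exe"}

def _name(path):
    # ntpath parses Windows paths regardless of the OS running this script.
    return ntpath.basename(path).lower()

def _from_programdata(event):
    # True when the image path or its command line references C:\ProgramData.
    blob = (event["image"] + " " + event["cmdline"]).lower()
    return "c:\\programdata\\" in blob

# One predicate per stage of the chain described in the alert.
STAGES = {
    "msi_spawns_powershell":
        lambda e: _name(e["parent"]) == "msiexec.exe" and _name(e["image"]) in SHELLS,
    "powershell_spawns_rundll32":
        lambda e: _name(e["parent"]) in SHELLS and _name(e["image"]) == "rundll32.exe",
    "explorer_runs_programdata_binary":
        lambda e: _name(e["parent"]) == "explorer.exe" and _from_programdata(e),
}

def triage(events, min_stages=2):
    """Return {host: sorted stage names} for hosts matching at least min_stages stages."""
    seen = defaultdict(set)
    for event in events:
        for stage, matches in STAGES.items():
            if matches(event):
                seen[event["host"]].add(stage)
    return {host: sorted(s) for host, s in seen.items() if len(s) >= min_stages}

# Constructed sample events; placeholder.dll and VendorApp are made-up names.
SAMPLE_EVENTS = [
    {"host": "WS-01", "parent": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File setup.ps1"},
    {"host": "WS-01", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\user\AppData\Local\Temp\placeholder.dll,#1"},
    {"host": "WS-01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\ProgramData\placeholder.dll,#1"},
    {"host": "WS-02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\ProgramData\VendorApp\updater.exe", "cmdline": "updater.exe /check"},
]

if __name__ == "__main__":
    for host, stages in triage(SAMPLE_EVENTS).items():
        print(host, stages)
```

Requiring two or more stages on the same host keeps a single benign match, such as a vendor updater started from C:\ProgramData, out of the results.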


It is crucial to avoid using untrusted programs and to only get software from reliable sources if you want to reduce this danger. Users should conduct extensive research on any program they intend to download and study reviews from reliable sources. To learn more about any software that may raise questions, it is also advised to visit anti-malware message forums. Ultimately, being cautious and refraining from downloading software from unauthorized sources is the best defense. 

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.  
