{
	"id": "d77eddcb-40f8-452d-bd46-9459aa30bec8",
	"created_at": "2026-04-06T00:11:26.420831Z",
	"updated_at": "2026-04-10T03:22:39.371957Z",
	"deleted_at": null,
	"sha1_hash": "c9817517d4637b17733c7a32dd1a3aff9b37a652",
	"title": "Behind Closed Doors: The Rise of Hidden Malicious Remote Access",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1752857,
	"plain_text": "Behind Closed Doors: The Rise of Hidden Malicious Remote\r\nAccess\r\nBy Cybereason Security Services Team\r\nArchived: 2026-04-05 23:00:22 UTC\r\nCybereason Security Services issues Threat Analysis reports to inform on impacting threats. The Threat Analysis\r\nreports investigate these threats and provide practical recommendations for protecting against them. \r\nIn this Threat Analysis Report, Cybereason’s Security Research Team explores the security implications,\r\nvulnerabilities, and potential mitigation strategies surrounding Hidden VNC (hVNC) and Hidden RDP (hRDP), as\r\nwell as showcasing examples of current usage by malware authors to shed light on the evolving landscape of\r\nvirtualized infrastructure security.\r\nKEY OBSERVATIONS\r\nStealthy Operations: hVNC and hRDP allow attackers to maintain persistent, undetected access to\r\nsystems under their control by creating invisible desktop sessions or modifying RDP services, challenging\r\ntraditional detection methods.\r\nSophistication and Resourcefulness: Employed by advanced threat actors, these techniques demonstrate\r\na high level of sophistication, leveraging legitimate system functionalities for malicious purposes, thus\r\ncomplicating the differentiation between benign and malicious activities.\r\nVersatile Malicious Use: Beyond persistence, hVNC and hRDP are utilized for data exfiltration, deploying\r\nadditional malware, and facilitating ransomware attacks, showcasing their versatility in cybercriminal\r\noperations.\r\nDetection and Mitigation Challenges: The covert nature of these techniques eludes standard security\r\ndefenses, necessitating advanced solutions like behavioral analytics and endpoint detection and response\r\n(EDR) systems capable of identifying anomalous activities associated with hidden sessions.\r\nAccessibility in the Cybercrime Ecosystem: The availability of hVNC and hRDP capabilities on dark\r\nweb marketplaces indicates a demand among cybercriminals, 
lowering the entry barrier for attackers\r\nwithout the technical expertise to develop these methods independently.\r\nWhat Is hVNC?\r\nFoundations of Remote Access - VNC\r\nVirtual Network Computing (VNC) is a protocol that facilitates remote desktop sharing and control, essentially\r\nallowing users to interact with distant computers as if they were sitting in front of them. \r\nIt operates on a server/client model where the VNC server runs on the computer being accessed remotely, and the\r\nVNC client, or viewer, runs on the computer from which the user wants to control the remote machine.\r\nhttps://www.cybereason.com/blog/behind-closed-doors-the-rise-of-hidden-malicious-remote-access\r\nPage 1 of 20\n\nLeveraging the Remote FrameBuffer (RFB) protocol, VNC transmits the keyboard and mouse inputs from the\r\nclient to the server, while the server sends back the graphical screen updates, enabling real-time remote\r\ninteraction.\r\nThis technology supports a wide range of applications including remote administration, providing technical\r\nsupport, and enabling collaborative work, thus empowering users with flexibility and immediate access to\r\ninformation and software on remote systems.\r\nThe Stealthy World of hVNC\r\nAmidst the legitimate applications of VNC, however, lies its clandestine counterpart: hidden VNC (hVNC). This\r\ntechnique, exploited by cybercriminals, deploys malicious software that embeds a VNC server component,\r\nproviding them with covert access to and control over an infected system.\r\nThe \"hidden\" aspect of hVNC refers to its ability to operate undetected, making it a formidable tool in the hands\r\nof malicious actors. 
The covert functionality it delivers paves the way for a wide array of nefarious activities, from\r\nunauthorized system access to the theft of sensitive data, significantly elevating the level of threat to the targeted\r\nsystem.\r\nUnder the Hood of hVNC\r\nExploring the mechanics of hVNC reveals that it utilizes the Microsoft Windows desktop API: it calls CreateDesktop\r\nto add a desktop to the user's interactive window station (WinSta0), switches its own thread to that desktop with\r\nSetThreadDesktop, and launches programs into it by naming the desktop in the STARTUPINFO structure passed to\r\nCreateProcess. \r\nBecause the user only ever sees the Default desktop, the windows of every process on the hidden desktop never\r\nreach the screen, which makes uncovering its presence difficult.\r\nMoreover, hVNC capabilities go beyond mere observation, actively emulating keyboard and mouse input,\r\nallowing cybercriminals to navigate compromised systems with precision.\r\nYet, employment of hVNC is far from trivial; it represents a step up in sophistication and technical acumen by\r\nmalware authors. The technology’s utilization requires not only an in-depth understanding of Microsoft Windows’\r\ncore functionality but also the ability to manipulate those features for malicious purposes.\r\nExample Of Win32 API Calls Included In Various RATs\r\nFor instance, adapting hVNC to support multiple desktops and replicate user inputs reflects a complex challenge\r\ndue to VNC's inherent limitations in supporting multiple desktop environments.\r\nMicrosoft's documentation notes that creating additional window stations and desktops is feasible via the\r\nCreateWindowStation and CreateDesktop functions. 
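The hidden desktop is an ordinary desktop object in the same window station as the one the user sees, so a defender running inside the victim's session can enumerate it. The following script is an added example written for this page, not code from the report or from any of the RATs it discusses: it lists every desktop in the calling process's window station and maps the top-level windows on each one back to the PIDs that own them, so a browser that is 'invisible on the desktop' shows up as a PID whose windows live on a desktop other than Default. The set of baseline desktop names is an assumption, as are the PIDs and desktop names used to exercise the pure helpers.

```python
import ctypes
import sys
from collections import defaultdict

# Desktop names that Winlogon itself creates in the interactive window station
# (WinSta0). Assumed baseline: anything else was created by a CreateDesktop call
# from some other process, which is exactly what hVNC does.
BASELINE_DESKTOPS = {'default', 'winlogon', 'disconnect', 'screen-saver'}


def unexpected_desktops(desktop_names):
    '''Return, sorted, the desktop names that are not part of the normal WinSta0 set.'''
    return sorted(n for n in desktop_names if n.lower() not in BASELINE_DESKTOPS)


def off_screen_processes(pids_by_desktop):
    '''Given {desktop name: set of PIDs owning top-level windows there}, return the
    desktops the user never sees together with the PIDs whose windows live on them.'''
    return {name: sorted(pids) for name, pids in pids_by_desktop.items()
            if name.lower() != 'default' and pids}


def collect_pids_by_desktop():
    '''Windows only: enumerate every desktop in this process's window station and map
    the top-level windows on each one back to the PIDs that own them.'''
    if sys.platform != 'win32':
        raise RuntimeError('needs the Win32 user32 API; run inside the suspect session')
    user32 = ctypes.windll.user32
    BOOL, HANDLE, LPARAM, DWORD = ctypes.c_int, ctypes.c_void_p, ctypes.c_ssize_t, ctypes.c_uint32
    DESKTOP_READOBJECTS, DESKTOP_ENUMERATE = 0x0001, 0x0040
    DesktopEnumProc = ctypes.WINFUNCTYPE(BOOL, ctypes.c_wchar_p, LPARAM)
    WindowEnumProc = ctypes.WINFUNCTYPE(BOOL, HANDLE, LPARAM)
    user32.GetProcessWindowStation.restype = HANDLE
    user32.EnumDesktopsW.argtypes = [HANDLE, DesktopEnumProc, LPARAM]
    user32.OpenDesktopW.restype = HANDLE
    user32.OpenDesktopW.argtypes = [ctypes.c_wchar_p, DWORD, BOOL, DWORD]
    user32.EnumDesktopWindows.argtypes = [HANDLE, WindowEnumProc, LPARAM]
    user32.GetWindowThreadProcessId.argtypes = [HANDLE, ctypes.POINTER(DWORD)]
    user32.CloseDesktop.argtypes = [HANDLE]

    names = []
    user32.EnumDesktopsW(user32.GetProcessWindowStation(),
                         DesktopEnumProc(lambda name, _: names.append(name) or True), 0)
    pids_by_desktop = defaultdict(set)
    for name in names:
        owners = pids_by_desktop[name]          # record the desktop even if it has no windows
        hdesk = user32.OpenDesktopW(name, 0, False, DESKTOP_READOBJECTS | DESKTOP_ENUMERATE)
        if not hdesk:
            continue                            # e.g. the Winlogon secure desktop denies access

        def record_owner(hwnd, _, owners=owners):
            pid = DWORD()
            user32.GetWindowThreadProcessId(hwnd, ctypes.byref(pid))
            owners.add(pid.value)
            return True                         # keep enumerating
        user32.EnumDesktopWindows(hdesk, WindowEnumProc(record_owner), 0)
        user32.CloseDesktop(hdesk)
    return dict(pids_by_desktop)


if __name__ == '__main__':
    found = collect_pids_by_desktop()
    print('desktops beyond the Winlogon baseline:', unexpected_desktops(found))
    print('PIDs with windows the user cannot see:', off_screen_processes(found))
```

Run it as the logged-on user in the suspect session: hVNC creates its desktop in that session's WinSta0, whereas an hRDP logon is a separate session and will not appear here. Any desktop beyond the ones Winlogon creates deserves an explanation, since legitimate software rarely calls CreateDesktop, although anything running in the session can.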
However, the ability to create these environments is bounded\r\nby the system's desktop heap capacity, which is one reason hVNC implementations are more intricate than a plain\r\nVNC server.\r\nWhat is hRDP | RDP Overview\r\nRemote Desktop Protocol (RDP), developed by Microsoft, enables users to remotely access and control a\r\ncomputer across a network, offering a way to interact with a distant system's desktop environment directly. Similar\r\nto Virtual Network Computing (VNC), RDP allows for full graphical control of a remote machine, facilitating\r\ntasks such as remote administration, technical support, and access to resources as if directly interacting with the\r\nremote system. \r\nRDP Connection Prompt\r\nBoth protocols serve the essential function of bridging distances between users and systems, ensuring that\r\ninteractions are as intuitive and productive as if they were performed locally. While VNC is platform independent,\r\nRDP, with its proprietary design, specifically caters to Windows environments, providing a seamless and\r\nintegrated experience that supports a wide range of applications and tasks across remote connections.\r\nhRDP\r\nHidden Remote Desktop Protocol (hRDP) represents an illicit adaptation of Microsoft's RDP, engineered for\r\ncovert remote access and control over a compromised computer. Distinct from legitimate RDP use, hRDP\r\nfacilitates hidden operations, thereby enabling attackers to manipulate a victim's PC invisibly.\r\nThe technique relies on Windows session management: an RDP logon always lands in its own session, whose\r\ndesktop is never drawn on the compromised machine's monitor. The obstacle is that Windows client editions allow\r\nonly one interactive session at a time, so a second logon would normally disconnect the victim. Attackers\r\ntherefore enable Remote Desktop, establish secret user accounts with RDP rights, usually move the RDP service to\r\na non-standard port, and patch or wrap the Remote Desktop Services code so that concurrent sessions are\r\nallowed. 
Consequently, attackers can perform operations as if they were directly\r\ninteracting with the system, such as running commands, installing unauthorized software, or extracting data, all\r\nwithout alerting the user and, unless defenders look for the session-level indicators described later in this\r\nreport, without being flagged by security tooling.\r\nMalware often paves the way for hRDP by installing the components needed for its operation, effectively\r\ntransforming the infected machine into a controlled node for surveillance, command execution, and the\r\ndissemination of further malicious payloads. The covert operation of hRDP makes it an insidious method for\r\npersisting stealthily on networks, facilitating espionage, data exfiltration, and serving as a foothold for broader\r\nattacks within the victim’s environment.\r\nANALYSIS\r\nThis section gives an overview of different Remote Access Trojans (RATs) implementing hidden VNC/RDP\r\ncapabilities, as discovered across multiple malware forums.\r\nRATs are malware designed to give an attacker remote control over a victim’s computer. A RAT typically\r\ninfiltrates a system through phishing emails, malicious downloads, or vulnerabilities in software. \r\nIn most contemporary RATs, malware authors are increasingly integrating hVNC and hRDP as optional features.\r\nThese techniques are favored by criminal actors for their effectiveness in maintaining persistent, stealthy\r\naccess to compromised systems.\r\nXWorm User Interface Showing Inclusion Of hVNC \u0026 hRDP Features\r\nRAT Advertising In Malicious Forums\r\nMalware forums and dedicated Malware-as-a-Service (MaaS) websites represent the evolution of the landscape of\r\ncybercrime and the commercialization of malware tools. These platforms not only provide a marketplace but also\r\nact as a hub for the exchange of knowledge and tactics among cybercriminals. 
Among the wares advertised, RATs\r\nwith hVNC or hRDP are becoming more common.\r\nCybereason Security Research uncovered various websites promoting such malware and their hRDP/hVNC\r\nfeatures.\r\nVenom RAT\r\nA successor to Quasar RAT known for its wide array of malicious capabilities, Venom RAT is a multi-function\r\nmalware tool that supports keylogging, surveillance, file management, and remote command execution. Use of\r\nhVNC to remain hidden on infected machines is offered as a premium feature for purchase, and includes customer\r\nsupport.\r\nExample Of Venom RAT With hVNC Feature On Dedicated Website\r\nXWorm RAT\r\nXWorm RAT is another tool that has gained attention for its robust functionality and flexibility. With features\r\ndesigned for espionage, data theft, and system manipulation, XWorm RAT provides attackers with a\r\ncomprehensive toolkit for targeting Windows operating systems. \r\nIt encrypts the communications between client and server, which hides the content of its commands and stolen\r\ndata from network monitoring tools, though not the connection itself: the destination, timing and volume of the\r\ntraffic remain observable. It now includes advanced hVNC features like copy/paste and file management\r\nand monitoring, enhancing the attacker's control over the compromised system. XWorm's capability to run hVNC\r\ndirectly in memory further obscures its presence.\r\nExample Of XWorm RAT With hVNC \u0026 hRDP Features Offered On Malware Forums\r\nPandora hVNC\r\nPandora hVNC is a RAT that has been circulating in cybercrime forums since 2021 with an established reputation\r\nas a preferred tool among threat actors for covert system control. Similar to Venom RAT, it is marketed under the\r\nguise of legitimate remote access software. 
However, Pandora hVNC's features betray its malicious intent.\r\nIt employs a reverse connection, in which the implant connects out to the operator so that no listening port has to\r\npass inbound firewall restrictions, and includes a lightweight TCP server for efficient and encrypted remote\r\ncommand and control operations. This tool enables complete access and control over infected systems, including\r\nmouse and keyboard inputs, and can even sidestep two-factor authentication in certain scenarios, because the\r\nhidden session runs as the logged-in victim and can reuse browser sessions that user has already authenticated.\r\nAdditional features include browser profile cloning for data theft, process suspension, CMD/PowerShell access,\r\ncrypter compatibility for code obfuscation, and stealth operations through memory-only stub injection, all\r\ncontributing to its evasion of antivirus detection.\r\nExample Of Pandora hVNC Feature In The Dedicated Website\r\nXeno RAT\r\nXeno RAT, designed for Windows operating systems, is notable for its integration of hVNC. Written in C# and\r\nadvertised as open-source, Xeno RAT distinguishes itself by providing hVNC as a standard feature, which is\r\nuncommon in other RATs, where it is often a premium addition. This allows for undetected remote desktop\r\naccess, enabling attackers to execute actions on the victim's computer without their knowledge. \r\nAlongside hVNC, Xeno RAT boasts a comprehensive feature set aimed at surveillance and system manipulation,\r\nincluding live microphone access, a Socks5 reverse proxy for bypassing network restrictions, and regular updates\r\nenhancing its effectiveness and user experience. 
Its development from scratch signifies a tailored approach to\r\nremote access, emphasizing ease of use without compromising on power or versatility.\r\nExamples Of Xeno RAT With hVNC \u0026 hRDP Features\r\nProlific Marketplace\r\nThe cybercrime ecosystem thrives via malware forums and dark web marketplaces acting as hubs for the trade of\r\nadvanced tools and services. Screen captures from these forums reveal listings for malware like hRDP-enhanced\r\ntools and Xeno RAT, illustrating the widespread availability and demand for such capabilities.\r\nExample Of Selling hRDP Access On Malware Forums\r\nMalware Seller Account On Malware Forums\r\nThe Cybereason Security Research Team was even able to discover a Cobalt Strike Beacon Object File (BOF)\r\nimplementation of a hidden desktop, signaling continuous innovation and a lowering barrier to entry: the same\r\nhidden-desktop capability is now packaged for post-exploitation frameworks as well as for commodity RATs.\r\nCobalt Strike BOF Offering Hidden Desktop Features\r\nAs these platforms continue to facilitate the proliferation of advanced malware tools, the digital battleground\r\nbecomes increasingly complex, with hVNC and hRDP serving as critical components in the ever-expanding\r\ntoolkit of the modern cybercriminal.\r\nhVNC and hRDP Features Behavioral Analysis\r\nIn this chapter, the Cybereason research team detonated Xeno RAT and XWorm RAT and observed the resulting\r\nbehaviors of using the hVNC and hRDP modules of the malware. 
This analysis helps build new detections\r\nand shows how this functionality works at the operating-system level.\r\nXeno RAT Analysis (hVNC feature)\r\nWhen Xeno RAT is deployed on the victim host, as indicated in the screenshot below, we can observe that Google\r\nChrome, opened from the attacker's machine via hVNC, is not visible on the victim's machine.\r\nPowerShell commands executed via hVNC from the attacker’s machine also remain invisible to the victim.\r\nCommand Line Used By RAT To Open Chrome Via hVNC\r\nIn the Xeno RAT lab tests, Process Explorer identified two explorer.exe processes on the victim's machine. One\r\nwas attributed to the attacker, concealed from the victim's desktop but visible on the attacker's hVNC desktop. \r\nCrucially, hVNC is compatible with major browsers, applications, and tools. In this case, Chrome and PowerShell\r\noperate as child processes of the attacker-controlled explorer.exe.\r\nXWorm RAT Analysis\r\nhVNC Feature (XWorm)\r\nSimilar to our previous testing but using XWorm RAT, we simulated an attacker opening a browser window\r\ncovertly on the compromised system.\r\nCommand Line Used By RAT To Open Chrome Via hVNC\r\nIn the XWorm graphical user interface, attackers have the option of deploying hVNC either in RunPE or in\r\nmemory. RunPE (process hollowing) starts a legitimate executable (PE) from the disk and replaces its in-memory\r\nimage with the hVNC code, so the hVNC process carries the path and signature of a benign binary; the unusual\r\nspawn and the mismatch between the on-disk image and the mapped memory are artifacts that security solutions\r\ncan detect. 
\r\nThe alternative refers to running the hVNC code entirely in the system's RAM without writing any part of it to\r\ndisk, which defeats file-based antivirus scanning, although the hidden desktop, the extra explorer.exe and the\r\nresulting process tree remain visible to endpoint telemetry.\r\nXWorm hVNC Menu Options\r\nIn this example, we identified that the attack leverages the legitimate process cvtres.exe, a Microsoft .NET\r\nFramework component, to inject its code.\r\nInjection To The cvtres.exe Process\r\nDuring inspection, we observed that the injected cvtres.exe process has network connections to the remote server,\r\nwhich can be seen in the Process Tree.\r\nInjected cvtres.exe Running chrome.exe\r\nhVNC Module Opens Network Connection To Remote Server To Send Victim's Unique GUID\r\nAttack Tree Showing Injected cvtres.exe Spawning chrome.exe \u0026 powershell.exe\r\nIn the Cybereason Defense Platform, the Attack Tree shows xclient52.exe (XWorm) spawning cvtres.exe,\r\nwhich spawns powershell.exe and chrome.exe, invisible on the victim’s desktop.\r\nAttack Tree For cvtres.exe\r\nIn the Cybereason Defense Platform, the Attack Tree shows xclient52.exe (XWorm) spawning cvtres.exe,\r\nwhich spawns powershell.exe and explorer.exe, invisible on the victim’s desktop.\r\nCommand Line Used By XWorm Malware To Open explorer.exe Via hVNC\r\nAttack Tree Showing Running hVNC In Memory (Without cvtres.exe Injection)\r\nhRDP Feature (XWorm)\r\nFinally, Cybereason analyzed the hRDP feature of XWorm, showing a successful hidden RDP connection, as\r\nshown below. 
\r\nSuccessful hRDP Connection On The Attacker Side\r\nThe resulting process tree shows that a different user, HRDP4$, owns the Firefox process. XWorm creates this\r\naccount so that the attacker logs on in a separate RDP session rather than into the victim's console session, which\r\navoids visual anomalies on the victim's screen; the trailing $ is a common trick for keeping the account out of\r\ncasual listings such as the output of net user. \r\nNew XWorm User HRDP4$ Opens firefox.exe Via hRDP\r\nCYBEREASON SECURITY RECOMMENDATIONS\r\nThe Cybereason Defense Platform can detect and prevent payloads observed in attacks related to RATs using\r\nhVNC/hRDP features. \r\nCybereason Detection Of Known RATs\r\nAdditionally, the Cybereason Defense Platform can detect and prevent post-exploitation observed in attacks\r\nrelated to RATs using hVNC/hRDP features. 
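The indicators this report identifies (a second explorer.exe in the user's session, browsers or shells under an injected, unsigned or unexpected parent, odd browser flags, an unexpected RDP-enabled account, and rdpwrap.dll inside the Remote Desktop Services host) translate directly into hunting logic over endpoint telemetry. The following script is an added example written for this page, not Cybereason's code or a Cybereason Defense Platform rule: it applies those heuristics to constructed sample telemetry (process events, local accounts and module loads) modelled on the XWorm test above. The field names, the allowlist of expected RDP users and every PID are assumptions.

```python
from collections import defaultdict

BROWSERS = {'chrome.exe', 'firefox.exe', 'msedge.exe'}
SENSITIVE = BROWSERS | {'cmd.exe', 'powershell.exe'}
# Flags the report saw XWorm use for hidden browsers; --disable-gpu alone is weak.
ODD_BROWSER_FLAGS = {'-no-remote-profile', '--disable-gpu'}
# Hypothetical allowlist: the only accounts expected to hold RDP logon rights.
ALLOWED_RDP_USERS = {'itadmin'}
RDP_GROUPS = {'Remote Desktop Users', 'Administrators'}


def hidden_session_findings(processes, accounts, module_loads):
    '''Apply the report's detection opportunities to endpoint telemetry and return a
    sorted list of (rule, subject) pairs, where subject is a PID or an account name.'''
    by_pid = {p['pid']: p for p in processes}
    findings = set()

    # 1. A second explorer.exe in the same user session: hVNC launches its own shell on
    #    the hidden desktop, and that shell is not a child of userinit.exe.
    shells = defaultdict(list)
    for p in processes:
        if p['image'] == 'explorer.exe':
            shells[(p['user'], p['session'])].append(p['pid'])
    extra_shells = set()
    for pids in shells.values():
        if len(pids) > 1:
            for pid in pids:
                parent = by_pid.get(by_pid[pid]['ppid'])
                if parent is not None and parent['image'] != 'userinit.exe':
                    extra_shells.add(pid)
    findings.update(('extra_explorer_in_session', pid) for pid in extra_shells)

    # 2. Browsers, cmd.exe or powershell.exe whose parent is injected, unsigned, an extra
    #    shell, or simply not the user's shell (the hollowed cvtres.exe in the XWorm test).
    for p in processes:
        parent = by_pid.get(p['ppid'])
        if p['image'] not in SENSITIVE or parent is None:
            continue
        odd_parent = (parent['image'] not in ('explorer.exe', p['image'])
                      or parent['pid'] in extra_shells)
        if odd_parent or parent['injected'] or not parent['signed']:
            findings.add(('sensitive_child_of_suspicious_parent', p['pid']))
        # 3. Odd browser flags count only when the parent is already odd, because
        #    --disable-gpu is routine in headless automation.
        if p['image'] in BROWSERS and odd_parent and ODD_BROWSER_FLAGS & set(p['cmdline'].split()):
            findings.add(('hidden_browser_command_line', p['pid']))

    # 4. Accounts that may log on over RDP but were never expected to (HRDP4$ in the test).
    for a in accounts:
        if RDP_GROUPS & set(a['groups']) and a['name'] not in ALLOWED_RDP_USERS:
            findings.add(('unexpected_rdp_user', a['name']))

    # 5. rdpwrap.dll loaded into the Remote Desktop Services host: the wrapper hRDP uses
    #    to get a second interactive session on an edition that normally allows one.
    for m in module_loads:
        if m['module'].lower().endswith('rdpwrap.dll'):
            findings.add(('rdpwrap_loaded', m['pid']))

    return sorted(findings, key=lambda f: (f[0], str(f[1])))


def proc(pid, ppid, image, cmdline, signed=True, injected=False, user='victim', session=1):
    '''Build one constructed process record in the shape the detector expects.'''
    return {'pid': pid, 'ppid': ppid, 'image': image, 'cmdline': cmdline,
            'signed': signed, 'injected': injected, 'user': user, 'session': session}


# Constructed sample telemetry (not the report's lab data), shaped like the XWorm test:
# xclient52.exe hollows cvtres.exe, which then starts a hidden chrome.exe, powershell.exe
# and a second explorer.exe; an HRDP4$ account and rdpwrap.dll complete the hRDP side.
SAMPLE_PROCESSES = [
    proc(812, 700, 'userinit.exe', 'userinit.exe'),
    proc(1200, 812, 'explorer.exe', 'explorer.exe'),
    proc(4100, 1200, 'chrome.exe', 'chrome.exe'),
    proc(5200, 1200, 'xclient52.exe', 'xclient52.exe', signed=False),
    proc(5300, 5200, 'cvtres.exe', 'cvtres.exe', injected=True),
    proc(5400, 5300, 'chrome.exe', 'chrome.exe --disable-gpu'),
    proc(5500, 5300, 'powershell.exe', 'powershell.exe -nop'),
    proc(5600, 5300, 'explorer.exe', 'explorer.exe'),
    proc(6000, 900, 'svchost.exe', 'svchost.exe -k NetworkService', user='NETWORK SERVICE', session=0),
]
SAMPLE_ACCOUNTS = [
    {'name': 'itadmin', 'groups': ['Administrators', 'Remote Desktop Users']},
    {'name': 'victim', 'groups': ['Users']},
    {'name': 'HRDP4$', 'groups': ['Remote Desktop Users']},
]
SAMPLE_MODULE_LOADS = [   # basenames only here; real telemetry carries full paths
    {'pid': 6000, 'image': 'svchost.exe', 'module': 'rdpwrap.dll'},
]

if __name__ == '__main__':
    for rule, subject in hidden_session_findings(SAMPLE_PROCESSES, SAMPLE_ACCOUNTS, SAMPLE_MODULE_LOADS):
        print(rule, subject)
```

Rules 2 and 3 look only at the parent relationship, so they still fire when hVNC runs in memory without the cvtres.exe hollowing, and the legitimate Chrome under the user's own explorer.exe is left alone. For the account check, compare the members of Remote Desktop Users and Administrators against the expected set rather than eyeballing a user listing, since that is where the HRDP4$-style accounts show up.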
In the Cybereason Defense Platform example below, rdpwrap.dll (RDP Wrapper Library) is used to enable concurrent\r\nremote desktop sessions on a Windows edition that would otherwise allow only one.\r\nCybereason Detection Of rdpwrap.dll Used In hRDP\r\nCybereason recommends the following actions:\r\nEnable Application Control to block the execution of malicious files.\r\nEnable Anti-Malware in your environment’s policies, set the Anti-Malware mode to Prevent/Disinfect.\r\nEnable Variant Payload Prevention with prevent mode on Cybereason Behavioral execution prevention.\r\nEnable Variant File Prevention with prevent mode on Cybereason Behavioral execution prevention.\r\nEnable Fileless Protection with prevent mode on Cybereason Behavioral execution prevention.\r\nEnable Behavioral Execution Prevention with prevent mode on Cybereason Behavioral execution\r\nprevention.\r\nDetection\r\nThe following detection opportunities were identified by Cybereason: \r\nMultiple explorer.exe processes, browser processes, cmd.exe or powershell.exe holding handles to additional\r\ndesktops.\r\nBrowsers and other processes exist in the process tree but are invisible on the desktop.\r\nUnsigned, injected or unexpected parent processes in the process tree with browsers, cmd, PowerShell, or\r\nother sensitive applications as subprocesses, invisible on the desktop.\r\nExample: the RAT client process XClient52.exe running an injected copy of cvtres.exe (a Microsoft .NET\r\nFramework component) with a child Chrome process, while the Chrome browser is invisible on the\r\nvictim's desktop but visible on the attacker's desktop, with an option to copy the victim's Chrome profile.\r\nUnexpected user with RDP access enabled in the users list.\r\nInternet browsers such as Chrome running with suspicious command line parameters.\r\nBelow are examples of command lines generated by XWorm when launching hidden browsers\r\nusing the unusual flag -no-remote-profile for Firefox and --disable-gpu for Chrome. Note that --disable-gpu is\r\nalso common in legitimate automation and headless browsing, so on its own it is a weak signal; it gains\r\nfidelity when combined with an unexpected parent process or a second explorer.exe in the same session.\r\nBelow is an example of 
the Xeno RAT command line generated when launching\r\na hidden browser with the same unusual flag -no-remote-profile.\r\nABOUT THE RESEARCHER \r\nMark Tsipershtein, Security Researcher at Cybereason\r\nMark Tsipershtein, a security researcher at the Cybereason Security Research Team, focuses on research, analysis\r\nautomation and infrastructure. \r\nMark has more than 20 years of experience in SQA, automation, and security testing.\r\nCybereason is dedicated to teaming with Defenders to end cyber attacks from endpoints to the enterprise to\r\neverywhere. Learn more about Cybereason XDR powered by Google Chronicle, check out our Extended\r\nDetection and Response (XDR) Toolkit, or schedule a demo today to learn how your organization can benefit\r\nfrom an operation-centric approach to security.\r\nSource: https://www.cybereason.com/blog/behind-closed-doors-the-rise-of-hidden-malicious-remote-access",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.cybereason.com/blog/behind-closed-doors-the-rise-of-hidden-malicious-remote-access"
	],
	"report_names": [
		"behind-closed-doors-the-rise-of-hidden-malicious-remote-access"
	],
	"threat_actors": [
		{
			"id": "08c8f238-1df5-4e75-b4d8-276ebead502d",
			"created_at": "2023-01-06T13:46:39.344081Z",
			"updated_at": "2026-04-10T02:00:03.294222Z",
			"deleted_at": null,
			"main_name": "Copy-Paste",
			"aliases": [],
			"source_name": "MISPGALAXY:Copy-Paste",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434286,
	"ts_updated_at": 1775791359,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c9817517d4637b17733c7a32dd1a3aff9b37a652.pdf",
		"text": "https://archive.orkl.eu/c9817517d4637b17733c7a32dd1a3aff9b37a652.txt",
		"img": "https://archive.orkl.eu/c9817517d4637b17733c7a32dd1a3aff9b37a652.jpg"
	}
}