In their recent Threat Analysis Report, Cybereason’s Security Research Team explores the security implications, vulnerabilities, and potential mitigation strategies surrounding Hidden VNC (hVNC) and Hidden RDP (hRDP), as well as showcasing examples of current usage by malware authors to shed light on the evolving landscape of virtualized infrastructure security.


  • Stealthy Operations: hVNC and hRDP allow attackers to maintain persistent, undetected access to systems under their control by creating invisible desktop sessions or modifying RDP services, challenging traditional detection methods.
  • Sophistication and Resourcefulness: Employed by advanced threat actors, these techniques demonstrate a high level of sophistication, leveraging legitimate system functionalities for malicious purposes, thus complicating the differentiation between benign and malicious activities.
  • Versatile Malicious Use: Beyond persistence, hVNC and hRDP are utilized for data exfiltration, deploying additional malware, and facilitating ransomware attacks, showcasing their versatility in cybercriminal operations.
  • Detection and Mitigation Challenges: The covert nature of these techniques eludes standard security defenses, necessitating advanced solutions like behavioral analytics and endpoint detection and response (EDR) systems capable of identifying anomalous activities associated with hidden sessions.
  • Accessibility in the Cybercrime Ecosystem: The availability of hVNC and hRDP capabilities on dark web marketplaces indicates a demand among cybercriminals, lowering the entry barrier for attackers without the technical expertise to develop these methods independently.


Virtual Network Computing (VNC) is a protocol that facilitates remote desktop sharing and control, essentially allowing users to interact with distant computers as if they were sitting in front of them. 

It operates on a server/client model where the VNC server runs on the computer being accessed remotely, and the VNC client, or viewer, runs on the computer from which the user wants to control the remote machine. Leveraging the Remote FrameBuffer (RFB) protocol, VNC transmits the keyboard and mouse inputs from the client to the server, while the server sends back the graphical screen updates, enabling real-time remote interaction.

This technology supports a wide range of applications including remote administration, providing technical support, and enabling collaborative work, thus empowering users with flexibility and immediate access to information and software on remote systems.



Amidst the legitimate applications of VNC, however, lies its clandestine counterpart – hidden VNC (hVNC). This technique, exploited by cybercriminals, deploys malicious software embedded with a VNC server component, providing them with covert access and control over an infected system, 

The “hidden” aspect of hVNC refers to its ability to operate undetected, making it an formidable tool in the hands of malicious actors. The covert functionality it delivers paves the way for a wide array of nefarious activities, from unauthorized system access to the theft of sensitive data, significantly elevating the level of threat to the targeted system.

Read the whole report here.



If this information is helpful to you read our blog for more interesting and useful content, tips, and guidelines on similar topics. Contact the team of COMPUTER 2000 Bulgaria now if you have a specific question. Our specialists will be assisting you with your query. 

Content curated by the team of COMPUTER 2000 on the basis of news in reputable media and marketing materials provided by our partners, companies, and other vendors.

Follow us to learn more


Let’s walk through the journey of digital transformation together.

By clicking on the SEND button you agree to the processing of personal data. In accordance with our Privacy Policy

6 + 9 =