SvchostVNCInjector

x64 DLL with a ReflectiveLoader export that injects a VNC module (Vnc_MT) into svchost.exe. It is run through the MapDLL export function. The svchost.exe process is found with CreateToolhelp32Snapshot, and the DLL is loaded into memory with CreateFileMappingW + MapViewOfFile. The architecture resembles a Cobalt Strike BOF. The implant provides remote desktop access (VNC).

Threat Profile
Type: RAT
Programming Language: C/C++
C2 Protocol: custom
First Seen: 2024
Targets: Corporate
Purpose / Capabilities
  • Remote Desktop/Process Injection/VNC
No C2 servers have been identified for this family yet.

Research Reports (1)

Critical

SvchostVNCInjector 16278643 -- ReflectiveLoader MapDLL VncMT svchost-inject CreateToolhelp32Snapshot Process32FirstW CreateFileMappingW MapViewOfFile IsWow64Process | Critical

SvchostVNCInjector out.dll 439KB. Export: SvchostInjector.x64.dll::MapDLL. ReflectiveLoader. Vnc_MT. CreateToolhelp32Snapshot svchost.exe. MapViewOfFile. Similar to a Cobalt Strike BOF.
