A new malware called LOBSHOT is being distributed through Google Ads by impersonating the legitimate remote management software AnyDesk.

The malware, analyzed by cybersecurity experts from Elastic Security Labs, is a remote access trojan that allows threat actors to take over infected Windows devices using hVNC, a modified VNC remote access software that controls a hidden desktop on the infected device.


Once executed, the malware checks for Microsoft Defender and terminates execution if detected. If not, it configures Registry entries to start automatically when logging in to Windows and transmits system information from the infected device, including running processes.


The malware also checks for cryptocurrency wallet extensions and includes an hVNC module that allows the threat actors to control the hidden desktop remotely. This type of access could lead to ransomware attacks, data extortion, and other attacks, particularly in business environments where AnyDesk is commonly used.

Indicators of Compromise

IP: 95.217.125.200
SHA256: e4ea88887753a936eaf3361dcc00380b88b0c210dcbde24f8f7ce27991856bf6
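The two indicators above are most useful when matched against endpoint and network telemetry. The following is an added example (not code from the article or from Elastic Security Labs) that checks constructed process-creation and network events against them; the key=value event format and the host names are assumptions for illustration.

```python
"""Match the LOBSHOT indicators above against sample telemetry.
Added example, not part of the original article; the event format below
is an assumed key=value layout, and the events themselves are constructed."""
import re

# Indicators taken from the article's Indicators of Compromise section.
LOBSHOT_IOCS = {
    "sha256": {"e4ea88887753a936eaf3361dcc00380b88b0c210dcbde24f8f7ce27991856bf6"},
    "ip": {"95.217.125.200"},
}

# Constructed sample events (not real logs). The first process event uses the
# article's hash to simulate a lookalike AnyDesk download being executed.
SAMPLE_EVENTS = r"""
type=process host=WS01 image=C:\Users\a\Downloads\AnyDesk.exe sha256=E4EA88887753A936EAF3361DCC00380B88B0C210DCBDE24F8F7CE27991856BF6
type=process host=WS01 image=C:\Windows\System32\notepad.exe sha256=0000000000000000000000000000000000000000000000000000000000000000
type=network host=WS01 dst_ip=95.217.125.200 dst_port=443
type=network host=WS02 dst_ip=93.184.216.34 dst_port=443
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one 'key=value key=value' line into a dict (empty for blank lines)."""
    return dict(FIELD_RE.findall(line))


def match_iocs(log_text, iocs=LOBSHOT_IOCS):
    """Return (host, indicator_type, value) for every event carrying a known
    indicator. Hashes are compared case-insensitively because different
    sensors emit them in different cases."""
    hits = []
    for line in log_text.splitlines():
        event = parse_event(line)
        if not event:
            continue
        sha = event.get("sha256", "").lower()
        if sha in iocs["sha256"]:
            hits.append((event.get("host"), "sha256", sha))
        ip = event.get("dst_ip")
        if ip in iocs["ip"]:
            hits.append((event.get("host"), "ip", ip))
    return hits


if __name__ == "__main__":
    for host, kind, value in match_iocs(SAMPLE_EVENTS):
        print(f"{host}: LOBSHOT {kind} indicator seen: {value}")
```

A hit on the hash alone indicates the sample was written to disk or executed; a hit on the IP indicates the implant reached its infrastructure, so both should be triaged as the same incident on that host.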