A new malware called LOBSHOT is being distributed through Google Ads by impersonating a legitimate remote management software, AnyDesk.

The malware, analyzed by cybersecurity experts from Elastic Security Labs. is a remote access trojan that allows threat actors to take over infected Windows devices using hVNC, a modified VNC remote access software that controls a hidden desktop on the infected device.


Once executed, the malware checks for Microsoft Defender and terminates execution if detected. If not, it configures Registry entries to start automatically when logging in to Windows and transmits system information from the infected device, including running processes.


The malware also checks for cryptocurrency wallet extensions and includes an hVNC module that allows the threat actors to control the hidden desktop remotely. This type of access could lead to ransomware attacks, data extortion, and other attacks, particularly in business environments where AnyDesk is commonly used.

Indicators of Compromise