Cybercriminals are constantly refining their tactics, and a recent campaign involving a trojanized version of Slack highlights just how sophisticated these attacks have become. What appears to be a harmless software download can actually open the door to a deeply hidden and dangerous compromise—one that most users would never notice.
The Attack Vector: Trust Exploited
Slack is widely trusted and used across businesses globally. Attackers leverage this trust by creating typosquatted domains, such as “slacks[.]pro,” which mimic the official website. Unsuspecting users searching for Slack via search engines may land on these fake pages and initiate a download without verifying the URL.
Once clicked, the site triggers a download almost instantly. The file—named something like slack-4-49-81.exe—looks legitimate and even installs a working version of Slack. But behind the scenes, a parallel malicious process is initiated.

Dual Execution: Legitimate App + Hidden Malware
This attack is particularly deceptive because it uses a dual-execution mechanism:
- A real Slack installation runs using a legitimate framework (Squirrel installer), ensuring everything appears normal.
- Simultaneously, a hidden executable (svc.tmp) launches in the background.
This loader connects to a remote command-and-control (C2) server and prepares the system for further exploitation. It disguises itself as a Windows service and avoids detection by dynamically resolving system APIs instead of statically importing them.
The first file, slack.tmp, acts as a decoy. It is a self-extracting installer built using Squirrel, a legitimate open-source update framework commonly used by Electron-based applications like Slack, Discord, and Microsoft Teams. This package includes a genuine Update.exe, a NuGet archive (slack-4.49.81-full.nupkg), a splash image (background.gif), and a release manifest. When executed, it extracts these components into %LOCALAPPDATA%\SquirrelTemp and runs Update.exe with the --install flag. From the user’s perspective, the installation proceeds normally—Slack launches, appears authentic, and functions as expected.
Shortly after, a second file named svc.tmp is created. This is the actual malicious loader, a ~519 KB executable hidden within the installer. Unlike the decoy, it is unsigned and falsely identifies itself in its metadata as “Windows Component Update Service” by Microsoft. It has no legitimate connection to Slack or the Squirrel framework. Once active, it writes a loader_log.txt file in the temp directory and attempts to establish communication with a command-and-control (C2) server at 94.232.46.16 over TCP port 8081.
Meanwhile, the legitimate-looking Slack installation completes and adds a registry Run key for persistence: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\com.squirrel.slack.slack.
This is identical to what a real Slack installation would create, making it unlikely to raise suspicion during routine checks.

Inside the Loader: Findings from Static Analysis
The loader binary is disguised with misleading metadata, claiming to be a Microsoft component (WinSvcUpd.exe, version 1.4.2.0). In reality, this information is fabricated to evade casual inspection.
Technically, it is a 64-bit Windows executable compiled with MSVC. Its internal structure is intentionally obfuscated: instead of standard section names like .text or .rdata, it uses randomized labels such as .7ssik, .d1npl, and .m6zef. Its import table is minimal, referencing only 90 functions from KERNEL32.dll. Critical functionality—networking, registry access, and process manipulation—is resolved dynamically at runtime using GetProcAddress and LoadLibraryExW, a common stealth technique.
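A quick static triage check for the section-name anomaly described above, added here as an example (not code from the original analysis): it reads the section table directly from the PE headers and reports any name outside the usual MSVC set. The allow-list and the constructed header builder used for the demonstration are assumptions.

```python
from __future__ import annotations
import struct

# Section names normally emitted by MSVC-built binaries (assumed allow-list);
# anything outside it, such as .7ssik/.d1npl/.m6zef, deserves a closer look.
KNOWN_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".idata", ".edata",
                  ".rsrc", ".reloc", ".tls", ".bss", ".gfids", ".00cfg", "_RDATA"}

def pe_section_names(data: bytes) -> list[str]:
    """Read the section table straight from the PE headers (no pefile needed)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER follows the signature: Machine, NumberOfSections, ...
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt_hdr = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_opt_hdr  # first IMAGE_SECTION_HEADER (40 bytes each)
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names

def unusual_sections(data: bytes) -> list[str]:
    """Section names that are not on the allow-list."""
    return [n for n in pe_section_names(data) if n not in KNOWN_SECTIONS]

def build_fake_pe(section_names: list[str]) -> bytes:
    """Constructed minimal PE32+ header (not a real binary) to exercise the parser."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt_hdr = 240
    file_hdr = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0,
                           size_opt_hdr, 0x22)
    opt_hdr = struct.pack("<H", 0x20B) + b"\0" * (size_opt_hdr - 2)
    sections = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + file_hdr + opt_hdr + sections

if __name__ == "__main__":
    # On a real sample: unusual_sections(open(path, "rb").read())
    print(unusual_sections(build_fake_pe([".7ssik", ".d1npl", ".m6zef", ".rsrc"])))
```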
Despite its obfuscation, the binary contains extensive debug strings that reveal its full design. These strings outline a multi-stage infection process:
- Phase 1 (Loader Stage): The malware downloads an encrypted payload from its C2 server using WinHTTP. Debug messages like [HTTP] Connect, [HTTP] Send, and [HTTP] Recv trace this activity. The payload is stored in shared memory, and a second instance of the loader (Phase 2) is launched.
- Phase 2 (Execution Stage): The second instance retrieves the payload from shared memory, decrypts it ([CRYPT] Decrypting...), and verifies it as a valid executable ([CRYPT] MZ OK). The decrypted DLL is then written to disk using a filename pattern like wmiprvse_*.tmp, mimicking legitimate Windows temporary files.
- Payload Execution (HVNC): The loader calls an exported function named HvncRun from the DLL, confirming the payload is an HVNC (Hidden Virtual Network Computing) client. This type of malware creates an invisible desktop session, allowing attackers to interact with the system—such as accessing banking sites—without any visible activity on the user’s screen.
- Injection Technique: To execute the payload stealthily, the loader injects the DLL into explorer.exe using section-based injection. This involves creating a shared memory section (NtCreateSection), mapping it into both processes, and launching a remote thread (NtCreateThreadEx). This method is more covert than traditional injection techniques because it avoids direct memory writes. If these NT APIs are unavailable, the loader falls back to a simpler disk-based execution method.
Overall, this malware combines deception (a legitimate-looking installer), persistence (registry Run key), stealth (runtime API resolution and injection), and capability (HVNC remote control) into a highly effective attack chain.
Indicators of Compromise (IOCs)
Some key signs include:
- Suspicious domains like slacks[.]pro
- Unknown network activity to IP: 94.232.46.16:8081
- Temporary files such as svc.tmp or loader_log.txt
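Detection logic over constructed, Sysmon-style events for the artefacts listed here and in the infection chain above (svc.tmp, loader_log.txt, the wmiprvse_*.tmp drop, the 94.232.46.16:8081 connection, and the remote thread into explorer.exe), added as an example that is not part of the original report. The event format, field names and the sample events are assumptions made for the demonstration.

```python
from __future__ import annotations
import fnmatch
import ntpath

# Indicators from the report. The Run key is left out on purpose: a genuine
# Slack install writes the identical value, so it is not discriminating alone.
C2_ENDPOINT = ("94.232.46.16", 8081)
TEMP_FILE_PATTERNS = ("svc.tmp", "loader_log.txt", "wmiprvse_*.tmp")

TMP = r"C:\Users\u\AppData\Local\Temp"
# Constructed Sysmon-style events (event type, fields); not real telemetry.
SAMPLE_EVENTS = [
    ("FileCreate", {"image": TMP + r"\slack-4-49-81.exe", "target": TMP + r"\svc.tmp"}),
    ("FileCreate", {"image": TMP + r"\svc.tmp", "target": TMP + r"\loader_log.txt"}),
    ("NetworkConnect", {"image": TMP + r"\svc.tmp",
                        "dst_ip": "94.232.46.16", "dst_port": 8081}),
    ("NetworkConnect", {"image": r"C:\Users\u\AppData\Local\slack\slack.exe",
                        "dst_ip": "203.0.113.10", "dst_port": 443}),  # benign, constructed
    ("FileCreate", {"image": TMP + r"\svc.tmp", "target": TMP + r"\wmiprvse_8f2a.tmp"}),
    ("CreateRemoteThread", {"image": TMP + r"\svc.tmp",
                            "target_image": r"C:\Windows\explorer.exe"}),
    ("FileCreate", {"image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                    "target": r"C:\Windows\Temp\wmi_cache.dat"}),  # benign, constructed
]

def in_temp(path: str) -> bool:
    return "\\temp\\" in path.lower()

def match_event(kind: str, f: dict) -> str | None:
    """Return the name of the rule an event trips, or None."""
    if kind == "FileCreate" and in_temp(f["target"]):
        # Real wmiprvse lives in System32\wbem; a wmiprvse_*.tmp in Temp is the drop.
        name = ntpath.basename(f["target"]).lower()
        if any(fnmatch.fnmatch(name, p) for p in TEMP_FILE_PATTERNS):
            return f"loader-artifact:{name}"
    if kind == "NetworkConnect" and (f["dst_ip"], f["dst_port"]) == C2_ENDPOINT:
        return "c2-connect"
    if (kind == "CreateRemoteThread" and in_temp(f["image"])
            and ntpath.basename(f["target_image"]).lower() == "explorer.exe"):
        return "temp-binary-injects-explorer"
    return None

def scan(events) -> list[str]:
    """Apply the rules to every event and return the hits in order."""
    return [hit for kind, f in events if (hit := match_event(kind, f))]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```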
How to Stay Protected
To avoid falling victim to such attacks:
- Always download software from official websites
- Double-check URLs for subtle misspellings
- Avoid clicking on ads or unknown download links
- Verify file signatures before installation
- Use real-time antivirus and endpoint protection tools
If you suspect infection:
- Disconnect from the internet immediately
- Run a full system scan
- Change all passwords from a clean device
- Inform your organization’s IT team if applicable
Our Opinion on This Case
This campaign is a clear example of how modern cyber threats are no longer reliant on brute force or obvious malware. Instead, attackers are investing heavily in social engineering combined with technical sophistication.
What stands out is the strategic use of legitimacy—installing a real application alongside malware. This blurs the line between safe and unsafe behavior, making traditional awareness advice like “only install trusted software” less effective unless paired with URL verification and behavioral vigilance.
Another concerning aspect is the use of HVNC. This isn’t typical malware aimed at quick data theft; it’s designed for long-term, stealthy control, often associated with financial fraud and corporate espionage. The invisible desktop concept fundamentally changes how users perceive system compromise—because there are no visible symptoms.
In our view, this incident reinforces three key realities:
- User behavior remains the weakest link, especially during routine actions like downloading software.
- Attackers are prioritizing stealth over speed, aiming for persistence rather than immediate impact.
- Organizations must adopt layered security, including endpoint detection and zero-trust principles.
Ultimately, cybersecurity today is less about avoiding suspicious files and more about verifying everything—even what looks familiar.
