SOC Prime Bias: Medium

17 Apr 2026 18:20

A fake Slack download is giving attackers a hidden desktop on your machine

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

A malicious installer disguised as Slack is being distributed through typosquatting domains to deceive unsuspecting users. Once executed, it installs a legitimate Slack application alongside a covert loader that connects to a command-and-control server, retrieves an encrypted HVNC payload, and injects it into explorer.exe. The malware then creates an invisible desktop session that lets attackers browse, interact, and perform actions on the compromised machine without the victim noticing. This approach is particularly dangerous in environments where the Slack brand is widely trusted by both individuals and corporate users.

Investigation

Researchers unpacked the installer and discovered two temporary files: slack.tmp, which contained a legitimate Squirrel update package, and svc.tmp, which served as the malicious loader. Analysis showed that the loader established persistence through a Run registry key, resolved Windows APIs dynamically at runtime, downloaded an encrypted DLL, saved it as wmiprvse_*.tmp, and used section-based injection to load it into explorer.exe. Investigators also observed outbound communication with a command-and-control server over TCP port 8081. Additional anti-analysis logic was present, including debugger detection and sandbox timing checks.

Mitigation

Users should download Slack only from the official slack.com website or trusted saved links and verify digital signatures before running any installer. Organizations should enable real-time protection capable of blocking known malicious domains and suspicious executables. Defenders should also monitor for unexpected outbound traffic over port 8081, unfamiliar Run registry entries, and abnormal child processes associated with trusted applications. Behavior-based detections can help identify hidden desktop sessions and HVNC-related activity before attackers gain full interactive access.
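The monitoring points listed above, turned into event heuristics and run over constructed Sysmon-style records. This is an added example, not a SOC Prime rule or any code from the report; the event field names, the %TEMP% path and every sample value are assumptions, and a legitimate Slack Run value is included to show that the heuristic stays quiet on it.

```python
import fnmatch
import re

# Constructed Sysmon-style events (not real telemetry) modelled on the report; the
# simplified field names (id=EventID, image, target, details=value data) are assumptions.
TEMP = r"C:\Users\alice\AppData\Local\Temp"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\com.squirrel.slack.slack"
SAMPLE_EVENTS = [
    # Run value named like Slack's own but pointing at a .tmp loader in %TEMP%
    {"id": 13, "image": TEMP + r"\svc.tmp", "target": RUN_KEY, "details": TEMP + r"\svc.tmp"},
    # Legitimate Slack (Squirrel) Run value: same key name, benign data, must not alert
    {"id": 13, "image": r"C:\Users\alice\AppData\Local\slack\Update.exe", "target": RUN_KEY,
     "details": r"C:\Users\alice\AppData\Local\slack\Update.exe --processStart Slack.exe"},
    # Encrypted DLL written to disk as wmiprvse_*.tmp
    {"id": 11, "image": TEMP + r"\svc.tmp", "target": TEMP + r"\wmiprvse_1a2b.tmp"},
    # Outbound TCP 8081 from the loader (alert) and from a dev tool (not alerted)
    {"id": 3, "image": TEMP + r"\svc.tmp", "dst_port": 8081},
    {"id": 3, "image": r"C:\Program Files\Java\bin\java.exe", "dst_port": 8081},
    # Loader opening a handle to explorer.exe before injecting into it
    {"id": 10, "image": TEMP + r"\svc.tmp", "target": r"C:\Windows\explorer.exe"},
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RUN_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)

def evaluate(ev: dict) -> list:
    """Return the names of the heuristics one event trips (empty if none)."""
    img, tgt, data = ev.get("image", ""), ev.get("target", ""), ev.get("details", "")
    hits = []
    # Run key whose value data lives in %TEMP% or is a .tmp file
    if ev["id"] == 13 and RUN_RE.search(tgt) and (TEMP_RE.search(data) or data.lower().endswith(".tmp")):
        hits.append("run_key_points_to_temp")
    # Dropped payload whose name mimics the WMI provider host
    if ev["id"] == 11 and fnmatch.fnmatch(tgt.rsplit("\\", 1)[-1].lower(), "wmiprvse_*.tmp"):
        hits.append("wmiprvse_tmp_drop")
    # TCP 8081 is only treated as unexpected when the client runs from %TEMP%
    if ev["id"] == 3 and ev.get("dst_port") == 8081 and TEMP_RE.search(img):
        hits.append("temp_process_c2_8081")
    # A %TEMP% binary reaching into the shell process is the injection precursor
    if ev["id"] == 10 and tgt.lower().endswith("\\explorer.exe") and TEMP_RE.search(img):
        hits.append("temp_process_accesses_explorer")
    return hits

def scan(events: list) -> dict:
    """Map each tripped heuristic to the images responsible, in event order."""
    findings = {}
    for ev in events:
        for name in evaluate(ev):
            findings.setdefault(name, []).append(ev["image"])
    return findings
```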

Response

If this activity is detected, isolate the affected endpoint from the network immediately, terminate the malicious loader and any HVNC-related processes, and remove the persistence mechanism from the Run registry key. A full malware scan should be performed, and all related malicious domains and IP addresses should be blocked across the environment. Any credentials used on the compromised machine should be reset from a clean device, and the security team should collect forensic artifacts to support further investigation and scoping.

Attack Flow

    graph TB
        %% Class Definitions Section (node colours by type)
        classDef technique fill:#ffcc99
        classDef artifact fill:#c2f0c2
        classDef process fill:#f9d5e5
        classDef tool fill:#d9d9d9
        classDef malware fill:#ffd699

        %% Artifact Nodes
        site_typosquat["<b>Artifact</b> – Typosquatted site<br/>URL: slacks.pro or debtclean-ua.sbs"]
        class site_typosquat artifact
        download_exe["<b>Artifact</b> – slack-4-49-81.exe<br/>Malicious executable delivered from the typosquatted site"]
        class download_exe artifact
        run_registry["<b>Artifact</b> – Registry Run key<br/>HKCU\Software\Microsoft\Windows\CurrentVersion\Run\com.squirrel.slack.slack"]
        class run_registry artifact
        hvnc_dll["<b>Artifact</b> – Encrypted HVNC DLL stored in a custom PE section"]
        class hvnc_dll artifact
        c2_server["<b>Artifact</b> – Command and Control server<br/>Port 8081 accessed via WinHTTP"]
        class c2_server artifact

        %% Process Nodes
        explorer_proc["<b>Process</b> – explorer.exe (Windows shell)"]
        class explorer_proc process

        %% Tool / Malware Nodes
        loader["<b>Malware</b> – Loader component responsible for decryption, C2 communication and injection"]
        class loader malware
        mavinject["<b>Tool</b> – Mavinject (System Binary Proxy Execution)"]
        class mavinject tool

        %% Technique Nodes
        initial_access["<b>Technique</b> – <b>T1204.001 User Execution: Malicious Link</b><br/><b>Description</b>: Victim clicks a link that leads to a malicious site which auto-downloads malware"]
        class initial_access technique
        execution_file["<b>Technique</b> – <b>T1204.002 User Execution: Malicious File</b><br/><b>Description</b>: Victim runs the downloaded executable"]
        class execution_file technique
        persistence_active_setup["<b>Technique</b> – <b>T1547.014 Boot or Logon Autostart Execution: Active Setup</b><br/><b>Description</b>: Installer creates a Run registry entry to achieve persistence"]
        class persistence_active_setup technique
        obfuscation["<b>Technique</b> – <b>T1027 Obfuscated Files or Information</b><br/><b>Description</b>: Loader encrypts payload, pads binary, uses custom PE section and resolves APIs at runtime"]
        class obfuscation technique
        embedded_payload["<b>Sub-technique</b> – <b>T1027.009 Embedded Payload</b>"]
        class embedded_payload technique
        binary_padding["<b>Sub-technique</b> – <b>T1027.001 Binary Padding</b>"]
        class binary_padding technique
        compile_after_delivery["<b>Sub-technique</b> – <b>T1027.004 Compile After Delivery</b>"]
        class compile_after_delivery technique
        stripped_payload["<b>Sub-technique</b> – <b>T1027.008 Stripped Payload</b>"]
        class stripped_payload technique
        c2_communication["<b>Technique</b> – <b>T1071.001 Web Protocols (WinHTTP)</b><br/><b>Description</b>: Loader contacts C2 server over TCP 8081 using WinHTTP"]
        class c2_communication technique
        reflective_loading["<b>Technique</b> – <b>T1620 Reflective Code Loading</b><br/><b>Description</b>: Decrypts HVNC DLL in memory and loads it reflectively"]
        class reflective_loading technique
        process_injection["<b>Technique</b> – <b>T1055.002 Portable Executable Injection</b><br/><b>Description</b>: Section-based injection of the DLL into explorer.exe"]
        class process_injection technique
        system_binary_proxy["<b>Technique</b> – <b>T1218.013 System Binary Proxy Execution: Mavinject</b><br/><b>Description</b>: Uses Mavinject to inject the malicious DLL"]
        class system_binary_proxy technique

        %% Connections
        site_typosquat -->|hosts malicious page| initial_access
        initial_access -->|triggers download of| download_exe
        download_exe -->|executed by victim| execution_file
        execution_file -->|establishes persistence via| persistence_active_setup
        persistence_active_setup -->|creates| run_registry
        run_registry -->|loads| loader
        loader -->|applies| obfuscation
        obfuscation -->|uses| embedded_payload
        obfuscation -->|uses| binary_padding
        obfuscation -->|uses| compile_after_delivery
        obfuscation -->|uses| stripped_payload
        loader -->|contacts| c2_server
        c2_server -->|enables| c2_communication
        loader -->|decrypts and loads| hvnc_dll
        hvnc_dll -->|loaded via| reflective_loading
        reflective_loading -->|injects into| explorer_proc
        explorer_proc -->|target of| process_injection
        process_injection -->|uses| mavinject
        mavinject -->|executes| system_binary_proxy

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:

    1. Initial Access – The attacker delivers a trojanized installer named slack-4-49-81.exe via a phishing email.
    2. Execution – The victim runs the file; it extracts a hidden loader svc.tmp to %TEMP%.
    3. Hidden Desktop Creation (T1564.003) – svc.tmp invokes CreateProcess with SW_HIDE, spawning a hidden desktop session that hosts a remote‑access tool.
    4. Persistence (T1547.013 & T1546.016) – The loader registers a COM server that is auto‑started via a shortcut placed in the Startup folder, ensuring execution on reboot.
    5. Potential Rootkit Installation (T1014) – If elevated, svc.tmp drops a rootkit driver to %SystemRoot%\System32\drivers\maldrv.sys.
  • Regression Test Script: The script reproduces steps 2–4 with harmless binaries (copies of notepad.exe) while preserving the exact filenames the rule watches.

    # -------------------------------------------------
    # Regression Test – Fake Slack Installer Simulation
    # -------------------------------------------------
    # 1. Prepare the fake binaries (use benign notepad.exe)
    $temp = $env:TEMP
    $installer = Join-Path $temp "slack-4-49-81.exe"
    $loader    = Join-Path $temp "svc.tmp"
    
    # Backslashes restored: the copies keep the exact filenames the rule watches
    Copy-Item -Path "$env:SystemRoot\System32\notepad.exe" -Destination $installer -Force
    Copy-Item -Path "$env:SystemRoot\System32\notepad.exe" -Destination $loader -Force
    
    # 2. Execute the installer – this will fire the detection rule
    Write-Host "[*] Launching fake installer ..."
    Start-Process -FilePath $installer -WindowStyle Hidden -PassThru | Out-Null
    
    # 3. Simulate hidden desktop creation (loader)
    Write-Host "[*] Starting hidden loader ..."
    Start-Process -FilePath $loader -WindowStyle Hidden -PassThru | Out-Null
    
    # 4. Create a shortcut in the Startup folder to emulate persistence
    $startup = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
    $shortcutPath = Join-Path $startup "Slack Hidden.lnk"
    
    $shell = New-Object -ComObject WScript.Shell
    $shortcut = $shell.CreateShortcut($shortcutPath)
    $shortcut.TargetPath = $loader
    $shortcut.WindowStyle = 7   # Hidden
    $shortcut.Save()
    
    Write-Host "[+] Simulation complete. Check SIEM for events with Image ending in 'slack-4-49-81.exe' or 'svc.tmp'."
  • Cleanup Commands: Remove the test artifacts and any created shortcuts.

    # Cleanup script – run with the same user context
    $temp = $env:TEMP
    Remove-Item -Path (Join-Path $temp "slack-4-49-81.exe") -ErrorAction SilentlyContinue
    Remove-Item -Path (Join-Path $temp "svc.tmp") -ErrorAction SilentlyContinue
    
    $shortcutPath = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\Slack Hidden.lnk"
    Remove-Item -Path $shortcutPath -ErrorAction SilentlyContinue
    
    Write-Host "[+] Cleanup completed."