Connect with us

Hi, what are you looking for?


Malware & Threats

New hVNC macOS Malware Advertised on Hacker Forum

A new macOS-targeting hVNC malware family is being advertised on a prominent cybercrime forum.

A new Hidden Virtual Network Computing (hVNC) malware targeting macOS devices is being advertised on a prominent cybercrime forum, Israeli cybersecurity company Guardz warns.

Commonly used for technical support, Virtual Network Computing (VNC) supports the remote control of computers over the network, with the knowledge of the device’s user, who can watch on the screen the performed actions.

hVNC, on the other hand, is used maliciously, allowing threat actors to take control of remote systems without the user’s knowledge.

Since April 2023, the new hVNC macOS malware has been offered on a Russian hacker forum at $60,000, advertised with capabilities that make it a threat to small and midsize enterprises (SMEs).

The malware is being advertised by a threat actor who uses the ‘RastaFarEye’ username, and who claims that the tool has been tested on macOS versions 10 to 13.2, and that it can provide persistent access to compromised systems.

Furthermore, the malware is advertised with reverse shell and file management capabilities, browser detection, and as being able to run without requesting permissions from the user.

The main purpose of the malware, Guardz says, appears to be the theft of sensitive information, including credentials, personal and financial information, and other types of data. The threat also provides attackers with stealthy remote control over infected machines.

Advertisement. Scroll to continue reading.

The malware developer, who demands a $20,000 payment for delivering a loader that expands the tool’s capabilities, has updated the malware at least once since April.

A member of the cybercrime forum since 2021, RastaFarEye is known for offering other malicious tools as well, including an hVNC malware variant targeting Windows.

The malware developer has a ‘seller’ status on the forum – an endorsement from the forum’s administrators – and has made a deposit of $100,000 for the new macOS malware, showing to other cybercriminals that a high-profile threat actor is behind the announcement.

“This money is kept in the escrow account of the forum administration as a type of underground insurance in case the offered product is not as described in the original post,” Guardz explains.

The security firm notes that this malware could be integrated into ‘attack-as-a-service’ cybercrime services, urging SMEs to up their defenses and educate users and employees on the risks of phishing and untrusted downloads.

Related: New ‘Lobshot’ hVNC Malware Used by Russian Cybercriminals

Related: New ‘Atomic macOS Stealer’ Malware Offered for $1,000 Per Month

Related: Iranian Cyberspies Target US-Based Think Tank With New macOS Malware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.