In its latest threat intelligence report, CYFIRMA has detailed the discovery of EdskManager RAT, a sophisticated remote access trojan (RAT) that employs stealthy communication, multi-stage execution, and advanced persistence techniques. This malware is engineered to provide long-term, covert access to infected systems, making it a serious concern for organizations and individuals alike.
“EdskManager RAT is a stealthy and adaptable remote access trojan, leveraging multiple stages of execution and encrypted payload delivery,” CYFIRMA reports. “Its use of HVNC, advanced persistence techniques, and anti-analysis measures indicates a strong focus on long-term, covert access to infected systems.”
The infection begins with a seemingly legitimate file, WindowsFormsApp.exe, signed with a digital certificate that was valid at the time of signing and has since been revoked. This downloader masquerades as a document viewer and contacts an Amazon S3 bucket to fetch the next stage: a legitimately signed executable, multiple DLLs, and an encrypted configuration file with a .edskv extension. A revoked certificate still passes a naive "is it signed?" check, so defenders should verify the signer's revocation status rather than the mere presence of a signature.
Once deployed, the executable VideoManagerEntry.exe, also signed, is used to load commonbase.dll, the main malicious payload. The .edskv file is decrypted entirely in memory, revealing another Delphi-based DLL that controls the malware’s communication and behavior.
One of EdskManager’s most dangerous features is its use of Hidden Virtual Network Computing (HVNC). This technique allows attackers to interact with the infected system without any visible signs on the user’s screen. The malware creates concealed windows that serve as listeners or even UI components like chat boxes that flash briefly before disappearing.
“The primary indicator of HVNC usage is the presence of a hidden window operating invisibly on the victim’s system, featuring a text box and a send button,” the researchers explain. “This allows an attacker to remotely control the infected machine without any visible signs of activity.”
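The indicator the researchers describe can be turned into a live-host triage check. The script below is an example added to this article, not CYFIRMA's tooling: it walks every top-level window through the Win32 user32 API, collects the class names and captions of each window's child controls, and flags windows that are invisible yet own an Edit control and a Button captioned "Send". The heuristic is factored into a pure function so it can be exercised off-host; the control classes, captions and buffer sizes are illustrative assumptions, and a hit is a lead to verify against the owning process (image path, signature, parent), not proof of HVNC, since some legitimate tray applications also keep hidden dialogs around.

```python
"""Triage helper for the hidden-window pattern CYFIRMA reports for
EdskManager's HVNC: an invisible top-level window owning an edit box and a
'Send' button.  Example code added to this article, not CYFIRMA's tooling."""
import ctypes
import platform


def looks_like_hvnc_window(visible: bool, child_classes, child_texts) -> bool:
    """Pure heuristic so the logic can be tested without a Windows desktop.

    Matches the report's indicator: the window is NOT visible, yet it owns an
    'Edit' control and a 'Button' control whose caption is 'Send'.  A visible
    chat box (an ordinary application) or a hidden window with no such
    children (a message-only listener) is not flagged.
    """
    if visible:
        return False
    classes = {c.lower() for c in child_classes}
    texts = {t.strip().lower() for t in child_texts}
    return "edit" in classes and "button" in classes and "send" in texts


def find_hidden_hvnc_windows():
    """Enumerate top-level windows via user32 and return (hwnd, pid, title)
    for those matching the heuristic.  Windows-only; uses the documented
    EnumWindows / EnumChildWindows / IsWindowVisible / GetClassNameW /
    GetWindowTextW / GetWindowThreadProcessId calls."""
    if platform.system() != "Windows":
        raise RuntimeError("needs the Win32 user32 API")
    from ctypes import wintypes  # imported here so the module loads anywhere

    user32 = ctypes.WinDLL("user32", use_last_error=True)
    WNDENUMPROC = ctypes.WINFUNCTYPE(wintypes.BOOL, wintypes.HWND, wintypes.LPARAM)
    user32.EnumWindows.argtypes = [WNDENUMPROC, wintypes.LPARAM]
    user32.EnumChildWindows.argtypes = [wintypes.HWND, WNDENUMPROC, wintypes.LPARAM]
    user32.IsWindowVisible.argtypes = [wintypes.HWND]
    user32.GetClassNameW.argtypes = [wintypes.HWND, wintypes.LPWSTR, ctypes.c_int]
    user32.GetWindowTextW.argtypes = [wintypes.HWND, wintypes.LPWSTR, ctypes.c_int]
    user32.GetWindowThreadProcessId.argtypes = [wintypes.HWND, wintypes.LPDWORD]

    def class_name(hwnd):
        buf = ctypes.create_unicode_buffer(256)  # buffer size is an assumption
        user32.GetClassNameW(hwnd, buf, 256)
        return buf.value

    def window_text(hwnd):
        buf = ctypes.create_unicode_buffer(512)
        user32.GetWindowTextW(hwnd, buf, 512)
        return buf.value

    hits = []

    @WNDENUMPROC
    def on_top_level(hwnd, _lparam):
        classes, texts = [], []

        @WNDENUMPROC
        def on_child(child, _lp):
            classes.append(class_name(child))
            texts.append(window_text(child))
            return True

        user32.EnumChildWindows(hwnd, on_child, 0)
        if looks_like_hvnc_window(bool(user32.IsWindowVisible(hwnd)), classes, texts):
            pid = wintypes.DWORD()
            user32.GetWindowThreadProcessId(hwnd, ctypes.byref(pid))
            hits.append((hwnd, pid.value, window_text(hwnd)))
        return True  # keep enumerating

    user32.EnumWindows(on_top_level, 0)
    return hits


if __name__ == "__main__":
    for hwnd, pid, title in find_hidden_hvnc_windows():
        print(f"hidden HVNC-style window hwnd={hwnd:#x} pid={pid} title={title!r}")
```

Run it from an elevated PowerShell or cmd session on the suspect host; for each hit, pivot to the process ID and check the image path and signer before drawing conclusions.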
Communication with the malware’s command-and-control (C2) infrastructure is both stealthy and adaptable. Using the socket API and zlib-compressed messages, EdskManager contacts servers such as u[.]arpuu[.]com:3158 and attempts connections to fallback domains like kimhate[.]com:1516.
“EdskManager RAT uses the socket API to establish communication… the initial communication message, ‘1|manager,’ is compressed using zlib and sent to the C2 server,” CYFIRMA notes.
In those exchanges the implant reports host details, including OS version, CPU information, and installed antivirus, then waits in a loop for further instructions, with hidden windows and background listeners keeping the channel alive.
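To make the beacon concrete, here is an added example (not CYFIRMA's or the malware's code) that models both sides of the initial exchange: the client builds "1|manager", zlib-compresses it, and sends it over a raw TCP socket to a stand-in listener on loopback; the detector inflates captured payloads and matches the "<digits>|manager" pattern. The report does not describe message framing, so the assumption here is one bare zlib stream per message with no length prefix; the sample flows and the 198.51.100.7 address are constructed, with port 3158 taken from the C2 address in the report.

```python
"""Model of the EdskManager initial beacon ('1|manager', zlib-compressed over
a raw TCP socket) plus a detector for the same pattern in captured payloads.
Example code added to this article, not CYFIRMA's or the malware's code.
Assumption not stated in the report: each message is one bare zlib stream
with no length prefix."""
import re
import socket
import threading
import zlib

# Two-byte zlib headers for the common compression levels (RFC 1950).
ZLIB_HEADERS = {b"\x78\x01", b"\x78\x5e", b"\x78\x9c", b"\x78\xda"}
BEACON_RE = re.compile(rb"^\d+\|manager\b")


def build_beacon(seq: int = 1, role: str = "manager") -> bytes:
    """Client side: '<seq>|<role>' compressed as the report describes."""
    return zlib.compress(f"{seq}|{role}".encode())


def decode_message(payload: bytes):
    """Server/analyst side: inflate one message; None if it is not zlib."""
    if payload[:2] not in ZLIB_HEADERS:
        return None
    try:
        return zlib.decompress(payload)
    except zlib.error:
        return None


def is_edsk_beacon(payload: bytes) -> bool:
    """Detection: a zlib stream that inflates to '<digits>|manager'."""
    plain = decode_message(payload)
    return plain is not None and BEACON_RE.match(plain) is not None


def scan_payloads(payloads):
    """Run the check over (src, dst, bytes) flow payloads and return the
    (src, dst) pairs that carry the beacon."""
    return [(src, dst) for src, dst, data in payloads if is_edsk_beacon(data)]


def run_loopback_exchange():
    """Send the beacon to a stand-in C2 listener on 127.0.0.1 and return
    what the listener inflated (never points at real infrastructure)."""
    received = {}
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            received["plain"] = decode_message(conn.recv(4096))
        srv.close()

    t = threading.Thread(target=serve)
    t.start()
    with socket.create_connection(("127.0.0.1", port)) as c:
        c.sendall(build_beacon())
    t.join()
    return received["plain"]


# Constructed sample flows (not real capture data); 3158 is the port from the report.
SAMPLE_FLOWS = [
    ("10.0.0.5:51234", "198.51.100.7:3158", build_beacon()),               # beacon
    ("10.0.0.5:51235", "198.51.100.7:443", b"\x16\x03\x01\x00\xa5\x01"),    # TLS hello
    ("10.0.0.5:51236", "198.51.100.7:3158", zlib.compress(b"hello")),       # zlib, other text
]

if __name__ == "__main__":
    print("loopback listener inflated:", run_loopback_exchange())
    print("flagged flows:", scan_payloads(SAMPLE_FLOWS))
```

Because the beacon is compressed rather than encrypted, a network sensor that inflates small zlib payloads on non-standard ports can match the plaintext directly; if the framing turns out to carry a length prefix, strip it before calling decode_message.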
EdskManager RAT employs multiple persistence techniques, from autorun registry keys to scheduled tasks and specially crafted .lnk files placed in public folders. It even manipulates Session Manager registry values (under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager) to ensure it is launched again after a reboot, so a persistence review that stops at Run keys and the Startup folder will miss it.
The malware also performs deep reconnaissance, including the enumeration of browser extensions in Chrome, Edge, and Brave. This enables it to profile the system, look for password managers or crypto wallets, and potentially prepare for data exfiltration or targeted exploitation.
What makes EdskManager particularly resilient is its ability to adapt its infrastructure. By embedding fallback domains and keeping its C2 addresses in an encrypted configuration, it can shift to another server if the primary C2 is taken down or blocked, which is why sinkholing a single domain is unlikely to cut off access.
“The malware can adapt its C2 infrastructure when needed to maintain persistence and evade detection,” the report states. “Its use of encrypted configuration files… maintains a covert and flexible architecture.”
EdskManager also provides keylogging, clipboard monitoring, process injection, and covert system control, none of which produce visible signs on the victim's desktop.
“EdskManager RAT poses a serious threat to targeted environments, emphasizing the need for proactive detection and defensive strategies,” CYFIRMA concludes.