Mallory malware profile: used by 2 actors

UltraVNC

UltraVNC is an open-source remote access and remote administration utility that threat actors have repeatedly repurposed as a RAT or secondary access tool. Public reporting describes it being delivered through multi-stage phishing and intrusion chains, including campaigns whose nested stages downloaded and executed off-the-shelf payloads such as UltraVNC alongside other malware. The Awaken Likho APT campaign, active since at least July 2021 and primarily targeting Russian government organizations and contractors, used it: in May 2024 Awaken Likho disguised UltraVNC as a OneDrive update utility, and in June 2024 some samples switched from UltraVNC to MeshAgent. Gamaredon tooling has included remote management via UltraVNC in campaigns historically focused on Ukrainian entities, and Securelist reporting on Lazarus describes a manipulated UltraVNC program deployed as one of two payload types. In a supply-chain attack investigated by Mandiant and attributed to the DARKSIDE affiliate UNC2465, the attackers used PowerShell to download the UltraVNC application renamed as winvnc.exe together with its UltraVNC.ini configuration, established persistence through registry Run keys and shortcut modifications, and used UltraVNC for remote access after the initial compromise through Trojanized CCTV software installers; that UltraVNC instance was configured to connect out to 81.91.177[.]54:7234. Across the cited reporting, UltraVNC appears as a legitimate tool repurposed for malicious remote access, delivered through phishing, staged loaders, or Trojanized software, and used in both espionage and ransomware-affiliate intrusions. Because the binary itself is legitimate, hunting has to key on context rather than on the program: the path and name it runs under, the persistence placed beside it, the credentials hardcoded in its .ini, and the outbound connections a VNC server would not normally initiate.


THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers.

Gamaredon Group

These attachments relied on a multi-stage execution chain, often using up to three nested stages, to download and execute off-the-shelf payloads like Remote Manipulator System (RMS) RAT, a tool widely shared on Russian hacker forums, or UltraVNC, an open-source remote access utility.

via Sekoia blog (blog.sekoia.io)
Lazarus

“deploying two types of payloads. The first is a manipulated Ultra VNC program…”

via Securelist (securelist.com)
MITRE ATT&CK

Techniques & procedures

10 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique

T1566.001 Spearphishing Attachment (evidence: 1)

Historically, according to the 2015 LookingGlass report Operation Armageddon: Cyber Espionage as a Strategic Component of Russian Modern Warfare, Gamaredon conducted spearphishing campaigns using stolen, highly relevant decoy documents mimicking Ukrainian institutions to target government entities.

Execution

1 technique

T1204.002 Malicious File (evidence: 1)

The link in either page led to the installer for Tiflux, Network Solutions Agreement.msi

Persistence

2 techniques

T1112 Modify Registry (evidence: 1)

the .msi installer also contained five Windows Registry (.reg) files, which it could use to make modifications to the computer

T1547 Boot or Logon Autostart Execution (evidence: 1)

One of the Registry changes added a Services entry for another VNC clone, named TightVNC, to the Windows Services, and set it to be enabled even if Windows was rebooted into Safe Mode.

Privilege Escalation

1 technique

T1547 Boot or Logon Autostart Execution (evidence: 1)

One of the Registry changes added a Services entry for another VNC clone, named TightVNC, to the Windows Services, and set it to be enabled even if Windows was rebooted into Safe Mode.

Defense Evasion

2 techniques

T1112 Modify Registry (evidence: 1)

the .msi installer also contained five Windows Registry (.reg) files, which it could use to make modifications to the computer

T1562 Impair Defenses (evidence: 1)

Two of the Registry files make changes to Windows that could conceal the presence of a VNC service... prevent “consent” prompts (and other types of notifications) from appearing

Credential Access

1 technique

T1552.001 Credentials In Files (evidence: 1)

The initialization files bundled with the UltraVNC package contained two hardcoded passwords.

Lateral Movement

2 techniques

T1021 Remote Services (evidence: 1)

“CMS also provides a fully fledged UltraVNC client/server… needs to be explicitly invoked… most likely by SrSystem.exe via remote commands from C2.”

T1021.005 VNC (evidence: 1)

"Mandiant then observed the attacker use UltraVNC..." and "...NGROK to tunnel UltraVNC traffic out of the environment."

Command and Control

2 techniques

T1105 Ingress Tool Transfer (evidence: 1)

"Mandiant then observed the attacker use UltraVNC to download two LNK files..." and "The attacker used UltraVNC to download an in-memory dropper for Cobalt Strike..."

T1219 Remote Access Tools (evidence: 3)

threat actors abusing legitimate remote management software for stealthy access and persistence
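The artifacts described in the summary and in the evidence above (a renamed winvnc.exe, Run-key persistence, a VNC service set to start in Safe Mode, two hardcoded passwords in UltraVNC.ini, and an outbound connection to 81.91.177[.]54:7234) can be turned into a small hunt. The Python below is an added example, not code from any vendor cited on this page or from the UltraVNC project. Its event records and .ini contents are constructed to resemble Sysmon-style telemetry; the only real value in them is the page's 81.91.177.54:7234 endpoint. Assumptions beyond the page: tvnserver.exe as TightVNC's service binary name, the SafeBoot\Minimal registry path as the mechanism for a service that starts in Safe Mode, and passwd=/passwd2= as UltraVNC's full-access and view-only password fields.

```python
"""Hunt for UltraVNC abuse artifacts in constructed endpoint telemetry (added example)."""
import configparser
import ipaddress
import re

# winvnc.exe is the UltraVNC binary name from the UNC2465 reporting; tvnserver.exe is
# TightVNC's service binary (general knowledge, not from the page).
VNC_BINARIES = {"winvnc.exe", "tvnserver.exe"}

# Reverse-connection endpoint the page cites for UNC2465 (defanged there as 81.91.177[.]54:7234).
KNOWN_C2 = {("81.91.177.54", 7234)}

RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# Assumption: a service listed under SafeBoot\Minimal or \Network starts even in Safe Mode,
# which is how the "enabled even if rebooted into Safe Mode" registry change would be made.
SAFEBOOT_KEY = re.compile(r"\\Control\\SafeBoot\\(Minimal|Network)\\", re.IGNORECASE)
SERVICE_IMAGE = re.compile(r"\\Services\\[^\\]+\\ImagePath$", re.IGNORECASE)

# Constructed UltraVNC.ini fragment: both password slots populated (values are made up).
SAMPLE_INI = """[ultravnc]
passwd=DEADBEEF0123456700
passwd2=CAFEBABE8967452300
[admin]
AllowLoopback=1
"""

# Constructed Sysmon-style events; paths and value names are invented for illustration.
SAMPLE_EVENTS = [
    {"kind": "process", "image": r"C:\Windows\explorer.exe"},
    {"kind": "process", "image": r"C:\Users\Public\winvnc.exe"},
    {"kind": "process", "image": r"C:\ProgramData\OneDriveUpdate\OneDriveUpdater.exe",
     "original_file_name": "winvnc.exe"},
    {"kind": "registry", "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinVNC",
     "data": r"C:\Users\Public\winvnc.exe"},
    {"kind": "registry", "target": r"HKLM\SYSTEM\CurrentControlSet\Services\tvnserver\ImagePath",
     "data": r'"C:\Program Files\TightVNC\tvnserver.exe" -service'},
    {"kind": "registry", "target": r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tvnserver",
     "data": "Service"},
    {"kind": "network", "image": r"C:\Users\Public\winvnc.exe", "dst_ip": "81.91.177.54", "dst_port": 7234},
    {"kind": "network", "image": r"C:\Users\Public\winvnc.exe", "dst_ip": "81.91.177.54", "dst_port": 5500},
    {"kind": "network", "image": r"C:\Windows\explorer.exe", "dst_ip": "10.0.0.5", "dst_port": 445},
    {"kind": "file", "path": r"C:\Users\Public\UltraVNC.ini", "content": SAMPLE_INI},
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def mentions_vnc(text):
    low = text.lower()
    return any(name in low for name in VNC_BINARIES)


def hardcoded_ini_passwords(ini_text):
    """Return the [ultravnc] keys holding a non-empty password.

    UltraVNC stores the full-access password in passwd= and the view-only password in
    passwd2=, as hex of the DES-obfuscated VNC password; an all-zero value means unset.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    section = next((s for s in cp.sections() if s.lower() == "ultravnc"), None)
    if section is None:
        return []
    return [key for key in ("passwd", "passwd2")
            if cp.get(section, key, fallback="").strip().strip("0")]


def hunt(events):
    """Return (rule, evidence) pairs for every event that matches a hunt rule."""
    findings = []
    for ev in events:
        kind = ev["kind"]
        if kind == "process":
            image = ev["image"]
            if basename(image) in VNC_BINARIES:
                findings.append(("vnc_server_process", image))
            # A renamed UltraVNC keeps its PE OriginalFileName, so the disguise does not hide it.
            elif basename(ev.get("original_file_name", "")) in VNC_BINARIES:
                findings.append(("renamed_vnc_binary", image))
        elif kind == "registry":
            target, data = ev["target"], ev.get("data", "")
            if RUN_KEY.search(target) and mentions_vnc(data):
                findings.append(("run_key_persistence", target))
            elif SAFEBOOT_KEY.search(target):
                findings.append(("safeboot_service_entry", target))
            elif SERVICE_IMAGE.search(target) and mentions_vnc(data):
                findings.append(("vnc_service_installed", data))
        elif kind == "network":
            dst = (ev["dst_ip"], ev["dst_port"])
            if dst in KNOWN_C2:
                findings.append(("known_c2_connection", "%s:%d" % dst))
            # A VNC server normally accepts connections; one dialling out to a public address
            # is a reverse connection to an attacker-side listener or repeater.
            elif basename(ev["image"]) in VNC_BINARIES and ipaddress.ip_address(dst[0]).is_global:
                findings.append(("vnc_reverse_connection", "%s:%d" % dst))
        elif kind == "file" and basename(ev["path"]) == "ultravnc.ini":
            keys = hardcoded_ini_passwords(ev["content"])
            if keys:
                findings.append(("ini_hardcoded_password", ",".join(keys)))
    return findings


if __name__ == "__main__":
    for rule, evidence in hunt(SAMPLE_EVENTS):
        print(f"{rule:24} {evidence}")
```

Run directly, it prints eight findings for the constructed events and nothing for the benign explorer.exe entries. In practice the rules would be fed from the EDR's process, registry and network streams and KNOWN_C2 from the IOC list; the renamed_vnc_binary rule relies on the sensor recording the PE OriginalFileName field, as Sysmon's process-creation event does.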

INDICATORS OF COMPROMISE

IOCs tracked for this family

1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups; its value is withheld on the public page.

Network

1 tracked

IPs, domains, and DNS infrastructure linked to this family.

Type: domain
Value: withheld on the public page
Latest sighting: 2 years ago