A newly surfaced Malware-as-a-Service platform called OnyxC2 is packaging advanced offensive techniques — including DLL sideloading, encrypted payloads, and what is described as Hidden Virtual Network Computing (HVNC) — into a subscription product that reportedly gives even low-skilled attackers access to enterprise-grade data theft capabilities once reserved for well-resourced threat actors.

According to a Security Affairs report, the platform first appeared on a cybercrime forum earlier this year and is marketed in a tiered pricing model: a standard build at $250 per month, a premium version with HVNC remote access at $500 monthly, and a $6,000 extended-license package. The steep price differential for the premium tier reflects the particularly dangerous nature of HVNC, which is said to allow attackers to operate a hidden desktop session on a victim's machine without any visible indication to the user.

What Makes OnyxC2 a Step Up

OnyxC2's reported ability to target more than 210 applications — spanning browsers, email clients, cryptocurrency wallets, and productivity suites — makes it a versatile data-harvesting tool. Its reliance on DLL sideloading, a technique that abuses legitimate software to load malicious code, means traditional signature-based antivirus solutions are likely to miss it. Together with its encrypted payloads, this makes for a platform engineered from the ground up to bypass conventional defences.

The inclusion of HVNC in the premium tier deserves particular attention. Unlike standard remote access trojans that may trigger alerts through visible screen sharing or unusual network activity, HVNC is described as operating a parallel, invisible desktop session. This would allow an attacker to open browsers, navigate to banking portals, and interact with applications as if physically present at the machine — all while the legitimate user continues working undisturbed.

Why This Matters Beyond the Headlines

The emergence of platforms like OnyxC2 signals an accelerating trend in the commoditisation of cybercrime tooling. Techniques that were once the domain of advanced persistent threat groups with bespoke malware are now available to anyone willing to pay a monthly subscription. For defenders, this means the volume and sophistication of the attacks they face are rising without a corresponding increase in attacker skill.

For IT security teams and managed service providers, the practical implications are clear. Signature-based detection tools alone will not catch threats like OnyxC2. Organisations need to invest in behavioural analysis platforms that flag anomalous process activity — such as an unexpected DLL being loaded by a trusted application or unusual remote desktop sessions being spawned without user interaction.

Application allowlisting, which restricts which executables and libraries can run on endpoints, is another critical control that directly counters DLL sideloading techniques. Similarly, monitoring for network connections that do not align with normal user behaviour can help surface covert HVNC sessions.
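As an added example (not code from the article, nor from the OnyxC2 platform it describes), the following Python sketches the behavioural check the two paragraphs above call for: flagging a trusted application that loads a DLL from an unexpected location. The image-load events, the DLL watch-list and all paths are constructed for illustration.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories where Windows' own DLLs legitimately live (lower-case for comparison).
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
# Constructed watch-list of system DLL names often shadowed by a same-named file
# dropped next to a trusted executable; a real deployment would use a fuller list.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "cryptbase.dll", "wtsapi32.dll"}
# Locations an ordinary user can write to; DLLs loading from here deserve scrutiny.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

@dataclass(frozen=True)
class ImageLoad:
    """One image-load event (Sysmon Event ID 7 style), constructed for this example."""
    process: str          # full path of the executable that loaded the DLL
    image: str            # full path of the loaded DLL
    dll_signed: bool      # DLL carries a valid Authenticode signature
    process_signed: bool  # loading executable carries a valid signature

def sideload_indicators(ev: ImageLoad) -> list[str]:
    """Return the reasons a load looks like DLL sideloading; empty means benign."""
    dll = PureWindowsPath(ev.image)
    dll_dir = str(dll.parent).lower()
    host_dir = str(PureWindowsPath(ev.process).parent).lower()
    reasons = []
    if dll.name.lower() in SYSTEM_DLL_NAMES and dll_dir not in SYSTEM_DIRS:
        reasons.append("system DLL name resolved outside System32/SysWOW64")
    if (dll_dir + "\\").startswith(USER_WRITABLE_PREFIXES):
        reasons.append("DLL loaded from a user-writable directory")
    if ev.process_signed and not ev.dll_signed and dll_dir == host_dir:
        reasons.append("signed host loaded an unsigned DLL from its own directory")
    return reasons

def scan(events):
    """Return (event, reasons) for every event that trips at least one indicator."""
    return [(ev, r) for ev in events if (r := sideload_indicators(ev))]

SAMPLE_EVENTS = [  # constructed sample telemetry, not real indicators
    ImageLoad("C:\\Program Files\\Vendor\\app.exe", "C:\\Windows\\System32\\version.dll", True, True),  # normal
    ImageLoad("C:\\Users\\bob\\AppData\\Local\\Temp\\Update\\app.exe",                                # sideload pattern
              "C:\\Users\\bob\\AppData\\Local\\Temp\\Update\\version.dll", False, True),
    ImageLoad("C:\\Program Files\\Vendor\\app.exe", "C:\\Program Files\\Vendor\\vendorlib.dll", True, True),  # vendor lib
    ImageLoad("C:\\Program Files\\Vendor\\app.exe", "C:\\Program Files\\Vendor\\plugin.dll", False, True),    # weak hit
]

if __name__ == "__main__":
    for ev, reasons in scan(SAMPLE_EVENTS):
        print(f"{ev.process} -> {ev.image}: {'; '.join(reasons)}")
```

The second event trips all three indicators, while the unsigned plugin beside a signed host trips only one; in practice the weaker single-indicator hits are what allowlisting and a per-application baseline help triage.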

What Defenders Should Do Now

Security professionals should treat the appearance of OnyxC2 as a prompt to audit their detection capabilities. Key questions include whether their endpoint detection and response solutions can identify suspicious DLL loads, whether they have visibility into hidden remote desktop activity, and whether their incident response playbooks account for encrypted payload delivery.

As subscription-based malware platforms evolve rapidly, staying informed about updates to OnyxC2's tactics, techniques, and procedures will be essential. The $250 entry point means the barrier to entry for attackers has never been lower — and defenders must raise their game accordingly.


Original News Source