Malware | Mar 30, 2026

Noobsaibot HVNC Advertised as Next-Generation Stealer and RAT With Zero-Disk Footprint, Chrome V20 Bypass, Monolithic Architecture, and Guaranteed Zero AV Detections

Noobsaibot HVNC stealer and RAT advertised on dark web with zero-disk footprint and Chrome V20 bypass.

Summary

A threat actor known as c2flow is advertising Noobsaibot, a C# stealer, HVNC, and remote access tool priced at $5,000 with a seller guarantee of zero antivirus detections at the time of sale. The listing advertises a monolithic architecture, a zero-disk footprint, a Chrome/Edge App-Bound Encryption (V20) bypass, HVNC hidden desktop access, keylogging, and reflective code loading for memory-only execution. The operator claims the tool represents a generational leap in stealer design compared to competitors such as Venom and Lumma. All capability statements in this report are the seller's claims as written in the listing.

Full text

Dark Web Informer - Cyber Threat Intelligence, March 30, 2026 - 1:26:49 PM UTC. Category: Malware / Cybercrime.

Quick Facts

  • Date & Time: 2026-03-30 13:26:49 UTC
  • Threat Actor: c2flow
  • Malware Name: Noobsaibot
  • Language: C#
  • Category: Stealer / HVNC / RAT
  • Architecture: Monolithic (no server)
  • Detection Status: "Guaranteed 0 AV" at time of sale, per the seller
  • Max Deployment: 1,000 machines
  • Price: $5,000
  • Network: Open web

Incident Overview

A threat actor going by c2flow is advertising Noobsaibot, a C# combined stealer, HVNC, and remote access tool that the developer positions as architecturally distinct from existing stealers such as Venom, Lumma, and similar tools. The actor claims the tool represents a generational leap in stealer design, with a monolithic architecture that eliminates external server dependencies and allows each deployment to operate independently. The listing is priced at $5,000 with a guarantee of zero antivirus detections at time of sale, transacted through a forum guarantor.

The advertised capabilities, as claimed in the listing, fall into several categories:

  • Communications Security: ECDH elliptic-curve key exchange for per-session unique keys, AES-GCM encryption with integrity checking to prevent packet spoofing or traffic decryption, and TLS 1.3 support for SSL tunneling that disguises traffic as normal secure web browsing.
  • Zero-Disk Footprint Stealer: Bypasses Chrome and Edge App-Bound Encryption (V20) to extract passwords, logins, cookies, and web data directly from the browser databases, even while the browser is open. The listing says it creates no temporary copies in %TEMP% or any other folder, instead reading the database bytes in place with nolock=1 (an SQLite URI parameter that disables file locking), so no copied file is left on disk.
  • Evasion: A random overlay ("pump") appends random bytes to each build, changing the file size and hash every time. Reflective loading means the agent never touches disk in clear text; it is decrypted in memory only. A dynamic build structure is claimed to make each instance unique to EDR and AV systems.
  • Remote Access: HVNC (Hidden Virtual Network Computing) for invisible desktop access; standard remote desktop with chunk-optimized screen sharing and what the listing calls full Raspberry Pi keyboard emulation; a file manager for downloading, uploading, and launching files; a process manager for controlling processes and services; and a keylogger capturing every keystroke in real time.
  • Architecture: Monolithic design with no external dependencies or server infrastructure. Scales to 1,000 computers or servers operating independently. The operator controls where logs are sent and retains full ownership of the panel and deployments.

The actor is vocal about differentiating Noobsaibot from existing stealers, claiming that competitors built server-based architectures focused on controlling logs and profits rather than operator safety, and that those tools are now outdated. The developer claims to be willing to undergo forum administration audits to verify the tool's capabilities. Custom builds in C++ or Rust are mentioned as available but described as very expensive.
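The "pump" described under Evasion (and mapped to T1027 below) only appends bytes past the last PE section, where the Windows loader never maps them. The following is an added example, not code from the listing or from Dark Web Informer, showing why a plain file hash breaks across pumped builds and how a hash over the headers and section data alone stays stable. It uses only the Python standard library; the PE it hashes is a constructed minimal image with the optional header omitted (the parser needs only its size field), not a real sample, and the function names are this example's own.

```python
"""Overlay-insensitive hashing of PE files (added example, stdlib only)."""
import hashlib
import os
import struct


def pe_image_end(data: bytes) -> int:
    """Offset at which the last section's raw data ends.

    Bytes from this offset on are overlay: present in the file, never mapped.
    Raises ValueError for anything that is not a parseable PE.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2)
    # Characteristics(2)
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    end = table + num_sections * 40          # the headers are image data too
    for i in range(num_sections):
        # IMAGE_SECTION_HEADER: Name(8) VirtualSize(4) VirtualAddress(4)
        # SizeOfRawData(4) PointerToRawData(4) ... (40 bytes in total)
        size_raw, ptr_raw = struct.unpack_from("<II", data, table + i * 40 + 16)
        end = max(end, ptr_raw + size_raw)
    return min(end, len(data))               # a truncated file has no overlay


def overlay(data: bytes) -> bytes:
    """The appended bytes a pump adds (empty for an un-pumped build)."""
    return data[pe_image_end(data):]


def content_hash(data: bytes) -> str:
    """SHA-256 over headers plus section data, ignoring any overlay."""
    return hashlib.sha256(data[:pe_image_end(data)]).hexdigest()


def build_minimal_pe(code: bytes) -> bytes:
    """Constructed stand-in for a build: DOS header, PE header, one section.

    Hypothetical layout for this example; SizeOfOptionalHeader is 0 so the
    section table follows IMAGE_FILE_HEADER directly.
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0x0022)
    raw_ptr = e_lfanew + 4 + len(coff) + 40   # first byte after the headers
    section = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000,
                          len(code), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + section + code


def pump(data: bytes, n: int) -> bytes:
    """Model of the listing's pump: append n random bytes as overlay."""
    return data + os.urandom(n)


def demo() -> dict:
    """Two pumped copies of one build: file hashes differ, content hash holds."""
    base = build_minimal_pe(b"\x48\x31\xc0\xc3" * 16)   # constructed stub code
    a, b = pump(base, 1024), pump(base, 70_000)
    return {
        "file_hashes_differ": hashlib.sha256(a).digest() != hashlib.sha256(b).digest(),
        "content_hashes_match": content_hash(a) == content_hash(b) == content_hash(base),
        "overlay_sizes": (len(overlay(a)), len(overlay(b))),
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats when using this for clustering: a non-empty overlay is not by itself suspicious, since Authenticode signatures and installer payloads live there too, and the normalization only defeats overlay padding. If the builder pads inside a section (bumping SizeOfRawData) or reshuffles the section layout, which is what the "dynamic build structure" claim would imply, content hashes diverge as well, and import-table or per-section hashing is the next step.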
Capabilities & Targets

  • Chrome / Edge Password Extraction
  • App-Bound Encryption (V20) Bypass
  • Cookie & Web Data Theft
  • HVNC (Hidden Desktop)
  • Remote Desktop
  • Keylogger
  • File Manager
  • Process Manager
  • Zero-Disk Footprint
  • Reflective Loading
  • ECDH + AES-GCM Encryption
  • TLS 1.3 Tunneling
  • Random Build Hashing

The original listing URL and the unredacted claim images are available to Dark Web Informer subscribers on the Threat Feed.

MITRE ATT&CK Mapping

  • T1555.003 Credentials from Web Browsers: Bypasses Chrome and Edge App-Bound Encryption (V20) to extract saved passwords, cookies, and web data directly from browser databases, even while the browser is running.
  • T1056.001 Keylogging: Captures every keystroke in real time, recording passwords, messages, and sensitive information as the victim types.
  • T1219 Remote Access Software: Provides an HVNC hidden desktop, standard remote desktop with chunk-optimized screen sharing, file management, and process control for remote access invisible to the victim.
  • T1620 Reflective Code Loading: The agent never touches disk in cleartext, decrypting and executing entirely in memory through reflective loading to avoid forensic detection and file-based AV scanning.
  • T1027 Obfuscated Files or Information: Each build receives a random byte overlay that changes file size and hash, combined with dynamic build structures that make every instance unique to EDR and AV signature detection.
  • T1573.002 Encrypted Channel: Asymmetric Cryptography: Uses ECDH key exchange for per-session unique keys, AES-GCM encryption for data integrity, and TLS 1.3 tunneling to disguise C2 traffic as normal secure web browsing.
  • T1539 Steal Web Session Cookie: Reads the browser cookie database in place using nolock=1 to extract session cookies without creating temporary files, enabling session hijacking with no copied-file artifacts on disk.
  • T1106 Native API: Reads bytes directly from the browser database files via native API calls rather than the usual Win32 file routines, which the listing presents as a way to avoid activity monitoring. Note that a native-API read still opens the file through the kernel, so file-system minifilter and object-access auditing on the profile directory see it; only user-mode API hooks are sidestepped.
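Because the stealer described above reads "Login Data", "Cookies" and "Web Data" where they sit (T1555.003, T1539, T1106) rather than copying them to %TEMP%, the classic file-create detection for a copied database never fires, and the remaining host-side signal is a process other than the browser opening those files. The following is an added hunting example, not code from the listing or from Dark Web Informer, that applies that rule over constructed file-access events. The event shape (pid, image path, target path), the sample paths and the function names are this example's own assumptions; map the fields onto your EDR's file-access telemetry or onto Windows 4663 object-access events with a read SACL on the profile directory.

```python
"""Hunting in-place reads of Chromium credential stores (added example)."""
import ntpath
import re

# Per-profile SQLite stores the listing names. Local State (one level up) is
# included because it holds the wrapped os_crypt keys those databases use.
STORE_FILES = {"login data", "login data for account", "cookies", "web data"}
PROFILE_RE = re.compile(r"^(default|profile \d+|guest profile)$")

# Full image paths, not basenames: a dropper renamed chrome.exe in a user
# directory must not inherit the allowlist.
BROWSER_IMAGES = {
    r"c:\program files\google\chrome\application\chrome.exe",
    r"c:\program files (x86)\google\chrome\application\chrome.exe",
    r"c:\program files\microsoft\edge\application\msedge.exe",
    r"c:\program files (x86)\microsoft\edge\application\msedge.exe",
}
BROWSER_NAMES = {"chrome.exe", "msedge.exe"}


def is_credential_store(path: str) -> bool:
    """True for <User Data>\\Local State and <User Data>\\<Profile>\\<store>."""
    head, name = ntpath.split(path.lower())
    if name == "local state":
        return head.endswith("user data")
    if name not in STORE_FILES:
        return False
    if ntpath.basename(head) == "network":   # current builds keep Cookies here
        head = ntpath.dirname(head)
    return (PROFILE_RE.match(ntpath.basename(head)) is not None
            and ntpath.dirname(head).endswith("user data"))


def flag_events(events):
    """Return the events in which a non-browser image touches a credential store."""
    hits = []
    for ev in events:
        if not is_credential_store(ev["target"]):
            continue
        image = ev["image"].lower()
        if image in BROWSER_IMAGES:
            continue
        reason = ("browser-named binary outside its install directory"
                  if ntpath.basename(image) in BROWSER_NAMES
                  else "non-browser process")
        hits.append({"pid": ev["pid"], "image": ev["image"],
                     "target": ev["target"], "reason": reason})
    return hits


# Constructed telemetry for the example, not captured data.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
SVC = r"C:\Users\alice\AppData\Roaming\update\svc.exe"       # hypothetical agent
UD = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data"
EUD = r"C:\Users\alice\AppData\Local\Microsoft\Edge\User Data"
SAMPLE_EVENTS = [
    {"pid": 4120, "image": CHROME, "target": UD + r"\Default\Login Data"},
    {"pid": 4120, "image": CHROME, "target": UD + r"\Local State"},
    {"pid": 9876, "image": SVC, "target": UD + r"\Local State"},
    {"pid": 9876, "image": SVC, "target": UD + r"\Default\Login Data"},
    {"pid": 9876, "image": SVC, "target": UD + r"\Default\Network\Cookies"},
    {"pid": 9876, "image": SVC, "target": UD + r"\Default\History"},  # not a store
    {"pid": 5555, "image": r"C:\Users\alice\Downloads\chrome.exe",
     "target": EUD + r"\Profile 1\Web Data"},
    {"pid": 7001, "image": EDGE, "target": EUD + r"\Profile 1\Web Data"},
]


def demo():
    """Run the rule over the constructed events; four of eight should flag."""
    return flag_events(SAMPLE_EVENTS)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Two limits to keep in mind. Browser helper processes, updaters and backup agents read these files legitimately, so the allowlist needs tuning per environment before the rule is used for alerting rather than hunting. And a read issued from inside the browser process carries the browser's own image path and passes this filter, so pair it with process-injection telemetry rather than relying on it alone.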

Indicators of Compromise

  • malware — Noobsaibot (the advertised tool; no samples or hashes are provided in the listing)
  • malware — Venom (named in the listing only as a competing stealer, not as an indicator of this tool)
  • malware — Lumma (named in the listing only as a competing stealer, not as an indicator of this tool)