1. Home
  2. Techniques
  3. Enterprise
  4. Hide Artifacts
  5. Hidden Window

Hide Artifacts: Hidden Window

ID Name
T1564.001 Hidden Files and Directories
T1564.002 Hidden Users
T1564.003 Hidden Window
T1564.004 NTFS File Attributes
T1564.005 Hidden File System
T1564.006 Run Virtual Instance
T1564.007 VBA Stomping
T1564.008 Email Hiding Rules
T1564.009 Resource Forking
T1564.010 Process Argument Spoofing
T1564.011 Ignore Process Interrupts
T1564.012 File/Path Exclusions
T1564.013 Bind Mounts
T1564.014 Extended Attributes

Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks.

Adversaries may abuse these functionalities to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.[1]

On macOS, the configurations for how applications run are listed in property list (plist) files. One of the tags in these files can be apple.awt.UIElement, which allows for Java applications to prevent the application's icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don't also want to show up in the Dock.

Similarly, on Windows there are a variety of features in scripting languages, such as PowerShell, Jscript, and Visual Basic to make windows hidden. One example of this is powershell.exe -WindowStyle Hidden.[2]

The Windows Registry can also be edited to hide application windows from the current user. For example, by setting the WindowPosition subkey in the HKEY_CURRENT_USER\Console\%SystemRoot%_System32_WindowsPowerShell_v1.0_PowerShell.exe Registry key to a maximum value, PowerShell windows will open off screen and be hidden.[3]

In addition, Windows supports the CreateDesktop() API that can create a hidden desktop window with its own corresponding explorer.exe process.[4][5] All applications running on the hidden desktop window, such as a hidden VNC (hVNC) session,[4] will be invisible to other desktops windows.

Adversaries may also leverage cmd.exe[6] as a parent process, and then utilize a LOLBin, such as DeviceCredentialDeployment.exe,[7][8] to hide windows.

ID: T1564.003
Sub-technique of:  T1564
Tactic: Defense Evasion
Platforms: Linux, Windows, macOS
Contributors: Liran Ravich, CardinalOps; Mark Tsipershtein; Travis Smith, Tripwire; Vijay Lalwani
Version: 1.4
Created: 13 March 2020
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
S0331 Agent Tesla

Agent Tesla has used ProcessWindowStyle.Hidden to hide windows.[9]
G0073 APT19

APT19 used -W Hidden to conceal PowerShell windows by setting the WindowStyle parameter to hidden. [10]
G0007 APT28

APT28 has used the WindowStyle parameter to conceal PowerShell windows.[11] [12]
G0022 APT3

APT3 has been known to use -WindowStyle Hidden to conceal PowerShell windows.[13]
G0050 APT32

APT32 has used the WindowStyle parameter to conceal PowerShell windows. [14] [15]
S0373 Astaroth

Astaroth loads its module with the XSL script parameter vShow set to zero, which opens the application with a hidden window. [16]
S1087 AsyncRAT

AsyncRAT can hide the execution of scheduled tasks using ProcessWindowStyle.Hidden.[17]
S1053 AvosLocker

AvosLocker has hidden its console window by using the ShowWindow API function.[18]
S0360 BONDUPDATER

BONDUPDATER uses -windowstyle hidden to conceal a PowerShell window that downloads a payload.[19]
S1226 BOOKWORM

BOOKWORM has created a hidden window when conducting key logging and clipboard theft through its KBLogger.dll module.[20]
S1237 CANONSTAGER

CANONSTAGER has created a new window with a height and width of zero to remain hidden on the screen.[21]
G0052 CopyKittens

CopyKittens has used -w hidden and -windowstyle hidden to conceal PowerShell windows. [22]
S0625 Cuba

Cuba has executed hidden PowerShell windows.[23]

G0079 DarkHydrus

DarkHydrus has used -WindowStyle Hidden to conceal PowerShell windows. [24]
G0009 Deep Panda

Deep Panda has used -w hidden to conceal PowerShell windows by setting the WindowStyle parameter to hidden. [25]
G0046 FIN7

FIN7 has used .txt files to conceal PowerShell commands.[26]
G0047 Gamaredon Group

Gamaredon Group has used hidcon to run batch files in a hidden console window.[27] Gamaredon Group has also executed PowerShell in a hidden window.[28]

G0078 Gorgon Group

Gorgon Group has used -W Hidden to conceal PowerShell windows by setting the WindowStyle parameter to hidden. [29]
S0037 HAMMERTOSS

HAMMERTOSS has used -WindowStyle hidden to conceal PowerShell windows.[30]
G0126 Higaisa

Higaisa used a payload that creates a hidden window.[31]
S0431 HotCroissant

HotCroissant has the ability to hide the window for operations performed on a given file.[32]
S1152 IMAPLoader

IMAPLoader hides the Windows Console window created by its execution by directly importing the kernel32.dll and user32.dll libraries GetConsoleWindow and ShowWindow APIs.[33]
S1245 InvisibleFerret

InvisibleFerret has executed Python instances of the browser module ".n2/bow" utilizing the CREATE_NO_WINDOW process creation flag.[34]
S0260 InvisiMole

InvisiMole has executed legitimate tools in hidden windows.[35]
S1020 Kevin

Kevin can hide the current window from the targeted user via the ShowWindow API function.[36]
S0387 KeyBoy

KeyBoy uses -w Hidden to conceal a PowerShell window that downloads a payload. [37]
G0094 Kimsuky

Kimsuky has used an information gathering module that will hide an AV software window from the victim.[38] Kimsuky has also been known to use -WindowStyle Hidden to conceal PowerShell windows.[39]
S0437 Kivars

Kivars has the ability to conceal its activity through hiding active windows.[40]
S0250 Koadic

Koadic has used the command Powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden to hide its window.[41]
S0669 KOCTOPUS

KOCTOPUS has used -WindowsStyle Hidden to hide the command window.[41]
S1199 LockBit 2.0

LockBit 2.0 can execute command line arguments in a hidden window.[42]
S1213 Lumma Stealer

Lumma Stealer has utilized the .NET ProcessStartInfo class features to prevent the process from creating a visible window through setting the CreateNoWindow setting to "True," which allows the executed command or script to run without displaying a command prompt window.[43]
G0059 Magic Hound

Magic Hound malware has a function to determine whether the C2 server wishes to execute the newly dropped file in a hidden window.[44]
S0500 MCMD

MCMD can modify processes to prevent them from being visible on the desktop.[45]
G1051 Medusa Group

Medusa Group has utilized the ShowWindow API function to hide the current window.[46]
S1244 Medusa Ransomware

Medusa Ransomware has utilized the ShowWindow function to hide current window.[46]
S0455 Metamorfo

Metamorfo has hidden its GUI using the ShowWindow() WINAPI call.[47]

S0688 Meteor

Meteor can hide its console window upon execution to decrease its visibility to a victim.[48]
G0133 Nomadic Octopus

Nomadic Octopus executed PowerShell in a hidden window.[49]

S1172 OilBooster

OilBooster can hide its console window upon execution through the ShowWindow API. [50]
S0013 PlugX

PlugX has the ability to execute a command on a hidden desktop.[51]
S0441 PowerShower

PowerShower has added a registry key so future powershell.exe instances are spawned with coordinates for a window position off-screen by default.[52]
S0262 QuasarRAT

QuasarRAT can hide process windows and make web requests invisible to the compromised user. Requests marked as invisible have been sent with user-agent string Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A though QuasarRAT can only be run on Windows systems.[53]
S1076 QUIETCANARY

QUIETCANARY can execute processes in a hidden window.[54]
S0686 QuietSieve

QuietSieve has the ability to execute payloads in a hidden window.[55]
S1089 SharpDisco

SharpDisco can hide windows using ProcessWindowStyle.Hidden.[56]
S0692 SILENTTRINITY

SILENTTRINITY has the ability to set its window state to hidden.[57]
S1086 Snip3

Snip3 can execute PowerShell scripts in a hidden window.[58]
S0491 StrongPity

StrongPity has the ability to hide the console window for its document search module from the user.[59]
G1022 ToddyCat

ToddyCat has hidden malicious scripts using powershell.exe -windowstyle hidden. [60]
S0266 TrickBot

TrickBot has used a hidden VNC (hVNC) window to monitor the victim and collect information stealthily.[61]
S0386 Ursnif

Ursnif droppers have used COM properties to execute malware in hidden windows.[62]
S0670 WarzoneRAT

WarzoneRAT has the ability of performing remote desktop access via a hVNC window for decreased visibility.[63]
S0466 WindTail

WindTail can instruct the OS to execute an application without a dock icon or menu.[64]

Mitigations

ID Mitigation Description
M1038 Execution Prevention

Limit or restrict program execution using anti-virus software. On MacOS, allowlist programs that are allowed to have the plist tag. All other programs should be considered suspicious.
M1033 Limit Software Installation

Restrict the installation of software that may be abused to create hidden desktops, such as hVNC, to user groups that require it.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0128 Detection Strategy for Hidden Windows AN0360

Suspicious use of scripting parameters or registry edits to hide process windows (e.g., powershell.exe -WindowStyle Hidden, or registry modifications pushing window positions off screen). Defender view: correlation of hidden execution with anomalous process lineage or hVNC-like CreateDesktop API calls.
AN0361

Suspicious invocation of GUI utilities or scripts with suppressed or redirected windowing options. Defender view: detection of X11 or Wayland calls to spawn windows that do not appear on active displays, or use of nohup/screen/tmux to mask interactive shells.
AN0362

Modification of plist files to set apple.awt.UIElement or similar flags hiding app icons and windows, and dscl/command-line activity that suppresses visibility. Defender view: correlation of plist modifications with unexpected hidden user applications.

References

  1. Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.
  2. Wheeler, S. et al.. (2019, May 1). About PowerShell.exe. Retrieved October 11, 2019.
  3. Cantoris. (2016, July 22). PowerShell Malware. Retrieved December 12, 2024.
  4. Hutchins, Marcus. (2015, September 13). Hidden VNC for Beginners. Retrieved November 28, 2023.
  5. Keshet, Lior. Kessem, Limor. (2017, January 25). Anatomy of an hVNC Attack. Retrieved November 28, 2023.
  6. Cybereason Security Services Team. (n.d.). Behind Closed Doors: The Rise of Hidden Malicious Remote Access. Retrieved July 22, 2025.
  7. Elliot Killick. (n.d.). /DeviceCredentialDeployment.exe. Retrieved July 22, 2025.
  8. Seongsu Park. (2022, December 27). BlueNoroff introduces new methods bypassing MoTW. Retrieved July 22, 2025.
  9. Jazi, H. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved May 19, 2020.
  10. Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018.
  11. Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.
  12. Sherstobitoff, R., Rea, M. (2017, November 7). Threat Group APT28 Slips Office Malware into Doc Citing NYC Terror Attack. Retrieved November 21, 2017.
  13. Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016.
  14. Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  15. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  16. Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.
  17. Jornet, A. (2021, December 23). Snip3, an investigation into malware. Retrieved September 19, 2023.
  18. Hasherezade. (2021, July 23). AvosLocker enters the ransomware scene, asks for partners. Retrieved January 11, 2023.
  19. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  20. Robert Falcone, Mike Scott, Juan Cortes. (2015, November 10). Bookworm Trojan: A Model of Modular Architecture. Retrieved July 21, 2025.
  21. Patrick Whitsell. (2025, August 25). Deception in Depth: PRC-Nexus Espionage Campaign Hijacks Web Traffic to Target Diplomats. Retrieved September 9, 2025.
  22. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  23. Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021.
  24. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
  25. Alperovitch, D. (2014, July 7). Deep in Thought: Chinese Targeting of National Security Think Tanks. Retrieved November 12, 2014.
  26. Gemini Advisory. (2022, January 13). FIN7 Uses Flash Drives to Spread Remote Access Trojan. Retrieved May 14, 2025.
  27. Unit 42. (2022, February 3). Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. Retrieved February 21, 2022.
  28. Venere, G. (2025, March 28). Gamaredon campaign abuses LNK files to distribute Remcos backdoor. Retrieved July 23, 2025.
  29. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
  30. FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved November 17, 2024.
  31. PT ESC Threat Intelligence. (2020, June 4). COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group. Retrieved March 2, 2021.
  32. Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020.
  1. PwC Threat Intelligence. (2023, October 25). Yellow Liderc ships its scripts and delivers IMAPLoader malware. Retrieved August 14, 2024.
  2. Matej Havranek. (2025, February 20). DeceptiveDevelopment targets freelance developers. Retrieved October 17, 2025.
  3. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  4. Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.
  5. Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019.
  6. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
  7. Den Iuzvyk, Tim Peck. (2025, February 13). Analyzing DEEP#DRIVE: North Korean Threat Actors Observed Exploiting Trusted Platforms for Targeted Attacks. Retrieved August 19, 2025.
  8. Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020.
  9. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 17, 2024.
  10. Elsad, A. et al. (2022, June 9). LockBit 2.0: How This RaaS Operates and How to Protect Against It. Retrieved January 24, 2025.
  11. Cara Lin, Fortinet. (2024, January 8). Deceptive Cracked Software Spreads Lumma Variant on YouTube. Retrieved March 22, 2025.
  12. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  13. Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.
  14. Vlad Pasca. (2024, January 1). A Deep Dive into Medusa Ransomware. Retrieved October 15, 2025.
  15. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.
  16. Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. Retrieved February 17, 2022.
  17. Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021.
  18. Hromcova, Z. and Burgher, A. (2023, December 14). OilRig’s persistent attacks using cloud service-powered downloaders. Retrieved November 26, 2024.
  19. Alexandre Cote Cyr. (2022, March 23). Mustang Panda’s Hodur: Old tricks, new Korplug variant. Retrieved September 9, 2025.
  20. Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020.
  21. CISA. (2018, December 18). Analysis Report (AR18-352A) Quasar Open-Source Remote Administration Tool. Retrieved August 1, 2022.
  22. Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023.
  23. Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022.
  24. Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.
  25. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
  26. Lorber, N. (2021, May 7). Revealing the Snip3 Crypter, a Highly Evasive RAT Loader. Retrieved September 13, 2023.
  27. Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.
  28. Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024.
  29. Cybereason Nocturnus. (n.d.). Triple Threat: Emotet Deploys TrickBot to Steal Data & Spread Ryuk. Retrieved November 28, 2023.
  30. Holland, A. (2019, March 7). Tricks and COMfoolery: How Ursnif Evades Detection. Retrieved June 10, 2019.
  31. Radu Tudorica. (2021, July 12). A Fresh Look at Trickbot’s Ever-Improving VNC Module. Retrieved September 28, 2021.
  32. Wardle, Patrick. (2018, December 20). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 1). Retrieved October 3, 2019.