Description
This detector identifies situations where the device used to access the application is being operated by a person other than the one physically present at it, or by someone in a different location entirely. This can occur at two layers - the hardware level (a physical KVM bridge relaying screen and input over a network) or the software level (a remote desktop application running on the device). In both cases, the individual whose identity is presented during a session is not the one actually controlling it.
The distinction between hardware-level and software-level remote access matters for detection:
Hardware-level remote access (KVM-over-IP, HDMI capture + HID injection) leaves artifacts visible in the browser - display driver characteristics, input latency patterns, and event timing consistent with USB HID relay - without requiring any device-level access.
Software-level remote access (installed remote desktop applications) is most reliably detected by a point-in-time scan or the deployed agent inspecting running processes, configuration files, and connection state on the device itself.
Hardware-Level Indicators
Detectable from the browser without device access:
Display flag and driver mismatches
The browser reports the presence of a virtual display, mirror driver, or non-physical monitor rather than a display connected via standard physical interfaces such as HDMI or DisplayPort. Hardware KVM devices - including piKVM, TinyPilot, and similar KVM-over-IP platforms - present a virtual framebuffer to the host system that is distinguishable from a physical display.
Input latency and interaction jitter
Mouse movement and keyboard input exhibit subtle, millisecond-level delays and a characteristic latency floor consistent with physical input being injected at the USB HID layer after transmission over a network. A local physical typist produces input with different timing distributions than input relayed through a hardware intermediary.
Cursor report rate
KVM-over-IP devices typically inject HID input at 125 Hz (8 ms intervals), while local high-quality mice operate at 500–1000 Hz. The number of pointer events per animation frame is measurably lower for remote-relayed input and is detectable passively in the browser without any permissions.
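As an added example (not code from the original page), the report-rate check this indicator describes, in JavaScript: it estimates the HID report rate from raw pointer sample timestamps and flags a rate consistent with a 125 Hz relay rather than a 500-1000 Hz local mouse. Helper names and the 150 Hz cut-off are assumptions, and the constructed sample generator stands in for real pointermove data.

```javascript
// Added example (not code from the original page): hypothetical helper names; the 150 Hz cut-off is an assumption.
const FRAME_MS = 1000 / 60;   // one animation frame at 60 Hz (~16.7 ms)
const RELAY_MAX_HZ = 150;     // assumed cut-off between a 125 Hz HID relay and a 500-1000 Hz mouse

// Median of a numeric array (robust against the occasional long gap).
function median(values) {
  const s = [...values].sort((a, b) => a - b);
  const mid = Math.floor(s.length / 2);
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// timestamps: high-resolution times (ms) of raw pointer samples taken during motion.
// Returns median gap, implied HID report rate, samples per animation frame and a verdict.
function analyzePointerTimestamps(timestamps) {
  const gaps = [];
  for (let i = 1; i < timestamps.length; i++) {
    const g = timestamps[i] - timestamps[i - 1];
    if (g > 0 && g < 100) gaps.push(g);  // skip pauses; only continuous motion counts
  }
  if (gaps.length < 10) return null;     // not enough motion to judge
  const medianGapMs = median(gaps);
  const reportRateHz = 1000 / medianGapMs;
  const verdict = reportRateHz <= RELAY_MAX_HZ ? 'consistent-with-125hz-relay' : 'consistent-with-local-mouse';
  return { medianGapMs, reportRateHz, samplesPerFrame: FRAME_MS / medianGapMs, verdict };
}

// Constructed sample input: evenly spaced samples with a deterministic jitter pattern (-j, 0, +j),
// e.g. 8 ms spacing for a 125 Hz relay, 1 ms spacing for a 1000 Hz local mouse.
function synthTimestamps(intervalMs, count, jitterMs) {
  const out = [];
  let t = 0;
  for (let i = 0; i < count; i++) {
    out.push(t);
    t += intervalMs + ((i % 3) - 1) * jitterMs;
  }
  return out;
}

// Browser wiring (skipped under Node): pointermove fires at most once per frame, so the raw
// HID samples are read through getCoalescedEvents() where the browser supports it.
if (typeof window !== 'undefined') {
  const stamps = [];
  window.addEventListener('pointermove', (e) => {
    const raw = e.getCoalescedEvents ? e.getCoalescedEvents() : [e];
    for (const c of raw) stamps.push(c.timeStamp);
    if (stamps.length >= 200) console.log(analyzePointerTimestamps(stamps.splice(0)));
  });
}
```

The median gap is used rather than the mean so that a single pause in motion does not pull the estimate toward a lower rate.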
Remote desktop and VNC protocol artifacts
Identification of display behaviors or network patterns consistent with VNC or RDP session mirroring, including screen rendering cadence or display properties characteristic of a remote session.
Software-Level Indicators
Detected via point-in-time scan or the deployed agent:
Remote desktop software processes or artifacts
Active or recently active processes associated with remote control platforms - connection logs, configuration files, named pipes, or runtime binaries associated with tools such as AnyDesk, TeamViewer, Chrome Remote Desktop, RustDesk, or NetSupport.
Persistent or background connection state
The device maintains an active outbound connection to a remote desktop relay server or peer, or shows evidence of a recent remote session in application logs, even if no remote desktop window is currently visible.
Screen capture or display virtualization artifacts
Evidence that the session display is being mirrored or captured by a secondary process, indicating a remote operator is receiving a live feed of the screen while a local decoy is visible on camera.
Concurrent session indicators
Signs that the device is simultaneously serving a remote session and a local one, or that display topology has changed in ways consistent with a secondary operator connecting from another location.
Relevance to Social Engineering Attacks
Remote access and control is used as a bridging technique to defeat location-based, device-based, and identity-based security controls. The device appears physically legitimate and geographically plausible, but the person actually controlling it is elsewhere.
Common attacker strategies include:
Remote bridge operations via accomplice hosts
An attacker operating from one country remotely controls a physical laptop in another region, often maintained by a local accomplice or at a hosting farm. The device passes location and device trust checks because it is physically in the expected place; detection of the remote control layer is the only reliable way to expose the setup.
Coached identity verification bypass
An individual sits on camera during a verification call while a remote operator drives the session - navigating forms, entering credentials, and responding to prompts. The camera shows a real human face; the keyboard and mouse are controlled from elsewhere.
DPRK-style remote worker operations
In documented North Korean IT worker fraud, the person visible during onboarding is in one location while day-to-day work is performed by operators elsewhere, connected via persistent remote desktop sessions. Both hardware-level and software-level remote access have been observed in these operations.
Insider-assisted access
A complicit employee or contractor allows a third party to connect to their work machine via remote control software. The insider provides plausible deniability while the external operator performs the actual malicious activity.
Examples of Detected Tooling and Techniques
KVM-over-IP and hardware remote access devices
piKVM, TinyPilot, and other KVM-over-IP platforms that capture HDMI output and inject USB HID input over a network connection.
Commercial remote desktop tools
AnyDesk, TeamViewer, Splashtop, LogMeIn, Chrome Remote Desktop, Windows Quick Assist, Apple Screen Sharing.
Open-source and self-hosted alternatives
RustDesk, TigerVNC, RealVNC, NoMachine.
Native OS remote access protocols
Microsoft RDP, VNC implementations across all platforms.
Attacker-favored lightweight tools
NetSupport RAT, Action1, and similar remote management utilities repurposed for unauthorized access.
Notable Incidents and Threat Actors
DPRK IT Worker Operations
Extensively documented cases in which North Korean operatives use AnyDesk and similar tools to remotely operate laptops nominally assigned to fabricated employees at US and European companies. The physical device is co-located with a decoy worker; the actual operators connect from overseas.
Scattered Spider (UNC3944)
Known for using remote desktop access tools during help desk social engineering to simultaneously observe and manipulate the target environment while maintaining voice interaction with a victim or technician.