Bypass Record

Masquerading × Slack Desktop

A publicly reported instance of Masquerading bypassing Slack Desktop, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Slack Desktop
Technique
Masquerading
MITRE ATT&CK
T1036
Confidence
High
Severity
High
Status
poc
Disclosed
2025-09-03
Config / version noted
Not stated

Provenance

Reported as

enables persistent backdooring of Electron-based applications like Slack

Mechanism

Electron's integrity fuses validate the packaged application code (app.asar) but not the V8 heap snapshot files (v8_context_snapshot.bin) that are deserialized into every V8 isolate at startup. An attacker with write access to the application directory can replace the snapshot with one built from crafted JavaScript that redefines a builtin (e.g., Array.isArray); the payload then runs the first time the application calls that builtin, with app.asar left untouched. Neither Electron's ASAR integrity check nor OS code-signing treats the snapshot as executable content, so the modified file loads without complaint and the backdoor survives across application launches.

Detection & mitigation

Monitor for unexpected modifications to V8 heap snapshot files (e.g., v8_context_snapshot.bin) within Electron application directories, especially in user-writable install locations. Use file integrity monitoring (FIM) to alert on changes to these files, re-baselining only after a verified application update (legitimate updates replace the whole application, so a snapshot that changes on its own is the signal). Enforce application allowlisting or code integrity policies and keep the installation in a path ordinary users cannot write to; note that policies which only cover executables and libraries will not block a modified snapshot, since it is loaded as data, so preventing the write is what matters.


This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.