HijackLoader (Dropper) – Malware

August 6, 2024

HijackLoader

Type of Malware

Dropper

Additional names

DOILoader, GHOSTPULSE, IDAT Loader, SHADOWLADDER

Country of Origin

Russia

Date of initial activity

2023

Associated Groups

APT23, Fancy Bear

Motivation

To deliver second-stage payloads including Amadey, Lumma Stealer, Raccoon Stealer v2, and Remcos RAT for financial gain, data theft, or disruption.

Attack Vectors

It is often distributed through various attack vectors like phishing emails, malicious websites, exploit kits, software bundling, drive-by downloads, and social engineering tactics. In earlier versions of the loader, it was disguised as a 7-zip installer that delivered the SecTop RAT. It has been observed to store its malicious payload in the IDAT chunk of PNG file format.

Targeted System

Windows

Overview

HijackLoader (also known as IDAT Loader) is a malware loader first identified in July 2023. It is capable of using various modules for code injection and execution, featuring a modular architecture uncommon among loaders. Initially, the loader was disguised as a 7-zip installer that delivered the SecTop RAT. HijackLoader employs several evasion techniques, including Process Doppelgänging, DLL Search Order Hijacking, and Heaven’s Gate. It has been observed to store its malicious payload in the IDAT chunk of the PNG file format. ThreatLabz researchers recently analyzed a new HijackLoader sample with updated evasion techniques designed to increase the malware’s stealthiness and keep it undetected for longer. These enhancements include modules that add an exclusion for Windows Defender Antivirus, bypass User Account Control (UAC), evade the inline API hooking commonly used by security software for detection, and employ process hollowing.
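
The Overview notes that the loader hides its payload inside a PNG's IDAT chunk. A cheap defender-side triage step is to check whether a PNG's IDAT data is really compressed pixel data: the chunks must carry valid CRCs, and the concatenated IDAT stream must inflate to exactly the pixel buffer the IHDR header describes. The following Python is an added example written for this page, not code from the article or from any of the reports it cites; the PNG samples it checks are constructed in memory and are not real malware artefacts.

```python
"""Structural triage of a PNG file: walk its chunks, verify CRCs, and check
that the IDAT data actually inflates to the pixel buffer the IHDR promises.

Added example, not code from the original article or the reports it cites.
A PNG is an 8-byte signature followed by chunks laid out as
[4-byte big-endian length][4-byte type][data][4-byte CRC32 over type+data].
For a non-interlaced image the concatenated IDAT chunks form one zlib stream
that inflates to height * (1 + ceil(width * channels * bit_depth / 8)) bytes.
An encrypted payload stored in IDAT breaks that invariant, so this check is a
useful first filter. The sample files below are constructed in memory."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Samples per pixel for each PNG colour type (0 grey, 2 RGB, 3 palette,
# 4 grey+alpha, 6 RGBA).
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}


def parse_chunks(data: bytes):
    """Return ([(type, payload, crc_ok), ...], trailing_bytes_after_IEND)."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    chunks, pos = [], len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        start, end = pos + 8, pos + 8 + length
        if end + 4 > len(data):
            raise ValueError(f"truncated {ctype!r} chunk at offset {pos}")
        payload = data[start:end]
        (stored_crc,) = struct.unpack(">I", data[end:end + 4])
        crc_ok = (zlib.crc32(ctype + payload) & 0xFFFFFFFF) == stored_crc
        chunks.append((ctype, payload, crc_ok))
        pos = end + 4
        if ctype == b"IEND":
            break
    return chunks, data[pos:]


def triage_png(data: bytes) -> dict:
    """Return {'findings': [...], 'idat_bytes': n, 'decoded_ok': bool}."""
    chunks, trailing = parse_chunks(data)
    findings = []
    if not chunks or chunks[0][0] != b"IHDR" or len(chunks[0][1]) != 13:
        return {"findings": ["missing or malformed IHDR"], "idat_bytes": 0, "decoded_ok": False}
    if chunks[-1][0] != b"IEND":
        findings.append("no IEND chunk")
    if trailing:
        findings.append(f"{len(trailing)} bytes after IEND")
    findings += [f"CRC mismatch in {t.decode('latin-1')}" for t, _, ok in chunks if not ok]

    width, height, depth, colour, _, _, interlace = struct.unpack(">IIBBBBB", chunks[0][1])
    idat = b"".join(p for t, p, _ in chunks if t == b"IDAT")
    decoded_ok = False
    try:
        raw = zlib.decompress(idat)
        # Each scanline is one filter byte plus the packed pixel bytes.
        scanline = 1 + (width * CHANNELS.get(colour, 1) * depth + 7) // 8
        if interlace == 0 and len(raw) != height * scanline:
            findings.append(f"IDAT inflates to {len(raw)} bytes, expected {height * scanline}")
        else:
            decoded_ok = True
    except zlib.error as exc:
        findings.append(f"IDAT is not a valid zlib stream ({exc})")
    return {"findings": findings, "idat_bytes": len(idat), "decoded_ok": decoded_ok}


# --- constructed samples ---------------------------------------------------
def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_png(width: int, height: int, idat_payload: bytes) -> bytes:
    """Minimal 8-bit RGB, non-interlaced PNG wrapped around an arbitrary IDAT body."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat_payload) + _chunk(b"IEND", b"")


# 2x2 red image: each scanline is a filter byte (0) plus two RGB pixels.
RAW_SCANLINES = (b"\x00" + b"\xff\x00\x00" * 2) * 2
BENIGN_PNG = build_png(2, 2, zlib.compress(RAW_SCANLINES))
# Same header, but IDAT holds an opaque blob instead of a zlib stream
# (a byte ramp standing in for an embedded payload; not real malware).
STASHED_PNG = build_png(2, 2, bytes(range(256)) * 4)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_PNG), ("stashed", STASHED_PNG)):
        print(name, triage_png(sample))
```

The check is deliberately conservative: a file whose IDAT data inflates to the right size is not proven clean (a payload can be appended as an ancillary chunk or placed after IEND, which the trailing-bytes and CRC checks cover only in part), but a file whose IDAT does not inflate at all, or inflates to the wrong size, is not a working image and deserves a closer look.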

Targets

HijackLoader targets entities where the potential for financial gain, data theft, or disruption is significant, making it a versatile and dangerous tool for cybercriminals.

How they operate

HijackLoader operates with a highly sophisticated strategy aimed at infiltrating systems stealthily while evading detection by security measures. Its modus operandi begins with gaining initial access, often by exploiting vulnerabilities in software or systems or by employing social engineering tactics. Once executed, HijackLoader establishes persistence on the compromised system by modifying registry keys or adding itself to startup folders. This ensures that it runs automatically whenever the system boots or a user logs in, a tactic classified under MITRE technique T1547.001 (Boot or Logon Autostart Execution).

To evade detection and maintain its foothold, HijackLoader employs a variety of evasion techniques. It bypasses User Account Control (UAC) prompts by leveraging the CMSTPLUA COM interface, allowing it to execute privileged operations without user intervention (T1548.001). Additionally, the malware includes modules that add exclusions for Windows Defender Antivirus, preventing detection by security solutions that rely on those mechanisms (T1562.001). HijackLoader also evades security software that relies on inline API hooking for monitoring and detection, circumventing those hooks dynamically.

The malware’s modular architecture is central to its functionality. HijackLoader loads secondary payloads and functionality dynamically, enabling it to adapt to different environments and tasks. These payloads include Trojans such as Amadey, information stealers such as Lumma Stealer and Raccoon Stealer v2, and remote access Trojans (RATs) such as Remcos. This versatility allows HijackLoader to support a wide range of malicious activity, from data theft to remote system control (T1055).

In operation, HijackLoader is adept at stealing sensitive information such as login credentials, financial data, and personal information from compromised systems. This stolen data is exfiltrated to remote servers controlled by threat actors, facilitating further exploitation or monetization. The malware communicates with its command-and-control (C2) server over encrypted channels to receive commands, update configurations, and send out stolen data, keeping its activity covert and difficult to trace.

To execute its malicious payloads, HijackLoader uses process injection into legitimate processes such as cmd.exe, relying on process hollowing to avoid detection (T1055). Reflective DLL injection further enhances its stealth by loading malicious code and configuration directly into memory, bypassing traditional file-based detection (T1620).

Detecting and mitigating HijackLoader requires security controls capable of identifying its evasion tactics, dynamic API resolution, and payload deployment methods. Effective defenses include comprehensive endpoint protection, up-to-date software and system patches, network segmentation to limit the malware’s spread, and user education about the phishing and social engineering tactics that could facilitate its initial deployment.
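
The persistence and defense-evasion behaviours described above (Run-key or Startup-folder persistence, Defender exclusions, and the CMSTPLUA UAC bypass) each leave a footprint in ordinary endpoint telemetry. The Python below is an added example, not part of the original article, that evaluates a few such detection rules over a simplified, constructed Sysmon-style event format (one JSON object per line with fields `EventID`, `Image`, `CommandLine`, `TargetObject`, `TargetFilename`, `ParentCommandLine`); the field names are an assumption to adapt to your SIEM's schema, and the sample events are constructed rather than captured from an infection.

```python
"""Match endpoint telemetry against the HijackLoader behaviours the article
maps to T1547.001 (Run key / Startup folder persistence), T1562.001
(Windows Defender exclusions) and T1548.001 (UAC bypass via CMSTPLUA).

Added example, not from the original article. Event format: one JSON object
per line with Sysmon-like fields (EventID 1 = process create, 11 = file
create, 12/13 = registry key/value events); these field names are an
assumption, adapt them to your own schema. All sample events are constructed."""
import json
import re

# CLSID under which the CMSTPLUA COM class is registered. A process whose
# parent is the auto-elevated dllhost.exe surrogate for this class is the
# observable side effect of the UAC bypass the article describes.
CMSTPLUA_CLSID = "3E5FC7F9-9A51-4367-9063-A120244FBEC7"

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
DEFENDER_EXCL_KEY_RE = re.compile(r"\\Windows Defender\\Exclusions\\", re.I)
MP_PREF_RE = re.compile(r"\b(Add|Set)-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.I)

# (technique, description, predicate over one event dict)
RULES = [
    ("T1547.001", "Run/RunOnce key value written",
     lambda e: e.get("EventID") == 13 and bool(RUN_KEY_RE.search(e.get("TargetObject", "")))),
    ("T1547.001", "file dropped into a Startup folder",
     lambda e: e.get("EventID") == 11 and bool(STARTUP_DIR_RE.search(e.get("TargetFilename", "")))),
    ("T1562.001", "Defender exclusion registry key modified",
     lambda e: e.get("EventID") in (12, 13) and bool(DEFENDER_EXCL_KEY_RE.search(e.get("TargetObject", "")))),
    ("T1562.001", "Defender exclusion added via PowerShell",
     lambda e: e.get("EventID") == 1 and bool(MP_PREF_RE.search(e.get("CommandLine", "")))),
    ("T1548.001", "process spawned from the CMSTPLUA COM surrogate",
     lambda e: e.get("EventID") == 1 and CMSTPLUA_CLSID.lower() in e.get("ParentCommandLine", "").lower()),
]


def evaluate(event: dict) -> list:
    """Return [(technique, description), ...] for every rule the event matches."""
    return [(tid, desc) for tid, desc, pred in RULES if pred(event)]


def scan(lines) -> list:
    """Parse one JSON event per line; return (line_no, technique, description) hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON lines rather than abort the whole scan
        hits.extend((n, tid, desc) for tid, desc in evaluate(event))
    return hits


# Constructed sample telemetry (not real events). Backslashes are JSON-escaped.
SAMPLE_LOG = r"""
{"EventID": 13, "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\stage.exe", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -c Add-MpPreference -ExclusionPath C:\\Users\\u\\AppData\\Local\\Temp", "ParentCommandLine": "C:\\Windows\\System32\\dllhost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe", "ParentCommandLine": "explorer.exe"}
{"EventID": 13, "Image": "C:\\Program Files\\Vendor\\setup.exe", "TargetObject": "HKLM\\SOFTWARE\\Vendor\\Settings\\Version"}
"""


def sample_hits() -> list:
    """Run the rules over the constructed log; three hits on two of four events."""
    return scan(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for line_no, tid, desc in sample_hits():
        print(f"line {line_no}: {tid} {desc}")
```

Run-key writes and Defender exclusions are also performed by legitimate installers and administrators, so these rules are triage signals to be correlated (for example, an exclusion added for a path under a user's Temp directory, by a process that was itself spawned from the CMSTPLUA surrogate) rather than stand-alone verdicts.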

MITRE tactics and techniques

  • Execution (TA0002): The malware executes its payload and modules using various techniques, including process hollowing and direct syscall execution.
  • Boot or Logon Autostart Execution (T1547.001): HijackLoader ensures persistence by modifying registry keys or startup folders to automatically execute on system boot or user logon.
  • Abuse Elevation Control Mechanism (T1548.001): Modules within HijackLoader attempt to bypass User Account Control (UAC) using techniques like COM interface manipulation (CMSTPLUA).
  • Dynamic API Resolution (T1027.001): The malware dynamically resolves APIs during execution by parsing Portable Executable (PE) headers and walking the process environment block (PEB).
  • Deobfuscate/Decode Files or Information (T1140): HijackLoader decrypts and decompresses its payload, including modules and configuration data, using algorithms like XOR and LZNT1.
  • Process Injection (T1055): The malware injects its payload into other processes, such as cmd.exe, using techniques like process hollowing to evade detection.
  • Reflective Code Loading (T1620): Modules within HijackLoader load code and configuration data in memory using reflective DLL injection techniques.
  • Impair Defenses: Disable or Modify Tools (T1562.001): HijackLoader attempts to disable or bypass security tools like Windows Defender Antivirus by adding exclusions or modifying settings.
  • Process Discovery (T1057): The malware enumerates running processes to check for security tools or specific applications that might interfere with its operation.

Significant Malware Campaigns

  • The Alpine Security Hunting Team has observed several malware campaigns against various hotel chains in Andorra using HijackLoader as the main weapon of attack. (September 2023)

References:
  • HijackLoader Targets Hotels: A Technical Analysis
  • HijackLoader Updates
  • Technical Analysis of HijackLoader
  • HijackLoader Expands Techniques to Improve Defense Evasion
  • Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma Infostealers