HijackLoader
HijackLoader is a modular Windows malware loader and DLL sideloading framework first identified in 2023 and marketed on cybercrime forums. It is used as an intermediate loader to deploy additional malware, including commodity stealers, RATs, and other payloads. Across the provided reporting, HijackLoader is described delivering LummaC2/LummaStealer, RedLine Stealer, Danabot, Vidar, ACRStealer/AmateraStealer, SnappyClient, Rhadamanthys, and other malware families, and it also appeared as one of many payloads in Amadey pay-per-install activity.
Observed execution chains repeatedly rely on DLL sideloading, DLL search order hijacking, cross-loading, module stomping, and shellcode injection. Reported examples include use of legitimate signed binaries such as KSPSService.exe (a Valve/Steam secure_desktop_capture binary signed by McAfee), VoTransmitt.exe from Zoner Photo Studio, and other trusted executables to load trojanized DLLs. In one campaign, shellcode was injected into vssapi.dll to execute HijackLoader. Other reporting describes HijackLoader using process doppelganging, transacted hollowing, Heaven's Gate, direct syscalls, and process injection into trusted processes such as explorer.exe. ThreatLabz reporting also describes internal modules including ti, rshell, ESAL, ESLDR, FIXED, LauncherLdr, tinystub, and AVDATA, with AVDATA containing a CRC32-based security-product process blocklist that can alter execution and persistence behavior.
Persistence mechanisms directly mentioned include scheduled tasks, Windows autorun keys, BITS jobs, and Startup-folder LNK shortcuts. One campaign established persistence with a scheduled task named WinSvcUpd at user logon. ThreatLabz also reported behavior changes when processes associated with security products such as Avast or AVG are present, including saving the current executable under a random filename in %AppData% and creating an LNK shortcut.
HijackLoader has been observed in multiple infection vectors and ecosystems: malvertising and repo-squatting abuse of GitHub Desktop downloads; fake browser update chains associated with ClearFake; ClickFix/GhostPulse delivery; trojanized installers; piracy/cracked software and Ren'Py-based game launchers; trojanized KMS activators; and malicious Steam games. In the Steam Chemia case, EncryptHub added HijackLoader, which downloaded Vidar. Reporting also links HijackLoader to campaigns targeting developers, gamers, and general Windows users, with infections observed across Europe, Japan, and other regions.
Associated actors or clusters mentioned in the content include EncryptHub, operators behind SnappyClient, and broader cybercrime distribution ecosystems involving ClickFix/FakeCAPTCHA, OffLoader, HijackLoader/IDATLoader chains, and Amadey-based pay-per-install operations. ThreatLabz noted code and tradecraft similarities between HijackLoader and SnappyClient, suggesting a possible developer or operational link.
High-confidence indicators and artifacts mentioned in the content include the scheduled task name WinSvcUpd; use of KSPSService.exe, VoTransmitt.exe, sciter32.dll, dbghelp.dll, vssapi.dll, and pla.dll in execution chains; and module names/CRC32 identifiers such as AVDATA (0x78b783ca), ESAL (0x757c9405), ESLDR (0xe7794e15), FIXED (0x699d0c82), rshell (0x74984889), ti (0x3ee477f1), and tinystub (0x4eace798).
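The persistence artifacts and sideloading hosts listed above translate directly into hunt logic. The following is an added example, not code from any of the cited reports or from the Mallory platform: it runs three checks over Sysmon-style process-create (event 1), image-load (event 7) and file-create (event 11) records, flagging a scheduled task named WinSvcUpd, a named sideload host (KSPSService.exe, VoTransmitt.exe) loading one of the named DLLs from outside the Windows system directories, and an LNK written to a Startup folder. The flat dict event shape and field names are an assumption chosen for readability, and the sample events are constructed, not captured.

```python
"""Hunt for HijackLoader persistence and sideloading artifacts in endpoint telemetry.

Added example for this page, not vendor or platform code. Events are assumed to be
simplified Sysmon-style dicts with keys: event_id, image, command_line, image_loaded,
target. Sample events below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Artifact names taken from the profile above.
TASK_NAME = "winsvcupd"
SIDELOAD_HOSTS = {"kspsservice.exe", "votransmitt.exe"}
SIDELOAD_DLLS = {"sciter32.dll", "dbghelp.dll", "vssapi.dll", "pla.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
STARTUP_LNK_RE = re.compile(
    r"\\microsoft\\windows\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.I)
SCHTASKS_TN_RE = re.compile(r'/tn\s+"?([^\s"]+)', re.I)


@dataclass
class Finding:
    rule: str
    detail: str


def _basename(path: str) -> str:
    """Lower-cased final path component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list:
    """Return the findings (possibly none) raised by a single event."""
    findings = []
    eid = ev.get("event_id")
    image = ev.get("image", "")
    cmd = ev.get("command_line", "")

    # Event 1: schtasks.exe creating the WinSvcUpd task seen at user logon.
    if eid == 1 and _basename(image) == "schtasks.exe":
        m = SCHTASKS_TN_RE.search(cmd)
        if m and m.group(1).lower() == TASK_NAME:
            findings.append(Finding("task_winsvcupd", cmd))

    # Event 7: a known sideload host loading a named DLL from a non-system path.
    # The same DLL names loaded from System32/SysWOW64 are normal and are not flagged.
    if eid == 7:
        dll = ev.get("image_loaded", "")
        if (_basename(image) in SIDELOAD_HOSTS and _basename(dll) in SIDELOAD_DLLS
                and not dll.lower().startswith(SYSTEM_DIRS)):
            findings.append(Finding("sideload_host_dll", f"{image} -> {dll}"))

    # Event 11: any process writing an LNK into a Startup folder.
    if eid == 11:
        target = ev.get("target", "")
        if STARTUP_LNK_RE.search(target):
            findings.append(Finding("startup_lnk", f"{image} -> {target}"))

    return findings


def hunt(events: list) -> list:
    """Run check_event over every record and collect findings in order."""
    out = []
    for ev in events:
        out.extend(check_event(ev))
    return out


# Constructed sample telemetry: three true positives and two benign look-alikes.
SAMPLE_EVENTS = [
    {"event_id": 1, "image": "C:\\Windows\\System32\\schtasks.exe",
     "command_line": "schtasks.exe /create /tn WinSvcUpd "
                     "/tr C:\\Users\\alice\\AppData\\Roaming\\xqzvt\\KSPSService.exe /sc onlogon"},
    {"event_id": 7, "image": "C:\\Users\\alice\\AppData\\Roaming\\xqzvt\\KSPSService.exe",
     "image_loaded": "C:\\Users\\alice\\AppData\\Roaming\\xqzvt\\sciter32.dll"},
    {"event_id": 7, "image": "C:\\Program Files\\Zoner\\VoTransmitt.exe",
     "image_loaded": "C:\\Windows\\System32\\dbghelp.dll"},  # benign: system path
    {"event_id": 11, "image": "C:\\Users\\alice\\AppData\\Roaming\\xqzvt\\KSPSService.exe",
     "target": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu"
               "\\Programs\\Startup\\update.lnk"},
    {"event_id": 1, "image": "C:\\Windows\\System32\\schtasks.exe",
     "command_line": "schtasks.exe /create /tn \\Microsoft\\Windows\\Defrag\\ScheduledDefrag "
                     "/tr defrag.exe /sc weekly"},  # benign: different task name
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}")
```

The system-directory exclusion on the image-load check is deliberate: dbghelp.dll, vssapi.dll and pla.dll are legitimate Windows libraries, so the signal is the named host binary resolving one of them from a user-writable directory, not the load itself.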
Groups observed using it
2 distinct threat actors attributed by public researchers.
The infrastructure graph generated from the correlation of indicators identified in the campaign reveals a complex network of relationships... through this, we note similarities with the already well-known “HijackLoader.”
“...EncryptHub added to the game files the HijackLoader malware (CVKRUTNP.exe), which establishes persistence on the victim device and downloads the Vidar infostealer (v9d9d.exe).”
Techniques & procedures
26 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
2 techniques
To amplify the campaign’s reach, threat actors leveraged sponsored advertisements promoting “GitHub Desktop” on search engines. The ads linked directly to the malicious commits using README anchors to bypass GitHub’s security warnings, targeting developers actively searching for the legitimate tool.
"EU/EEA-focused malvertising was observed... Targets users searching for developer tools"
Initial Access
5 techniques
The attack started with a website that impersonated Telefónica... When a victim visits the page, a HijackLoader executable file is automatically downloaded on the victim’s system.
"Abusing Legitimate GitHub Repositories to Deliver Malware" ... "Attackers forked a legitimate repository and created a commit that modified the download links in the README."
"...concealment of illicit logic within the Ren'Py launchers of pirated versions of widely used games... Installing and launching the game triggers the execution of a hidden Python script..."
MITRE ATT&CK Mapping ... Initial Access Phishing T1566 ClickFix/FakeCAPTCHA social engineering
MITRE ATT&CK Mapping Tactic Technique ID Application Initial Access Spearphishing Link T1566.002 KMS piracy lure via freefugga.com
Execution
7 techniques
Persistence is established through a scheduled task named “WinSvcUpd” that executes whenever users log on.
The PowerShell stager adds Microsoft Defender exclusions for AppData, LocalAppData, and ProgramData directories, allowing subsequent payloads to execute undetected.
"...launching the game triggers the execution of a hidden Python script..."
"cmd.exe. It is created in suspended mode" / "launch a child process explorer.exe"
When a user landed on the page, it automatically downloaded a HijackLoader executable, which when run, decrypted and deployed SnappyClient on the victim machine.
The FBI is seeking to identify potential victims installing Steam games embedded with malware... several games have been identified to include, BlockBlasters, Chemia, Dashverse/DashFPS, Lampy, Lunara, PirateFi, and Tokenova.
Persistence
1 technique
Privilege Escalation
3 techniques
Persistence is established through a scheduled task named “WinSvcUpd” that executes whenever users log on.
The infection leverages DLL sideloading and module stomping techniques, injecting shellcode into vssapi.dll to execute HijackLoader
Stealth
9 techniques
MITRE ATT&CK Mapping ... Defense Evasion Obfuscated Files T1027 Multi-layer encryption across components
MITRE ATT&CK Mapping ... Defense Evasion Obfuscated Files: Software Packing T1027.002 LZMA-compressed NSIS installer in PE overlay
Threat actors have successfully exploited a design flaw in GitHub’s fork architecture to distribute malware disguised as the legitimate GitHub Desktop installer.
The infection leverages DLL sideloading and module stomping techniques, injecting shellcode into vssapi.dll to execute HijackLoader
"using the ZwCreateSection and ZwMapViewOfSection system API calls... loaded into the address space of the process" / "injects the payload into it by creating a shared memory region with the ZwMapViewOfSection call"
"payload is written to a temporary file on disk using the transaction mechanism... The transaction... is rolled back, thus deleting the temporary file"
Stage 4: Payload Decryption. HijackLoader reads the mfc110u.dll .rsrc section ... processes Crock.elf (238 IDAT chunks), decrypts 1.9MB of GhostPulse shellcode, and reads Kroudroum.fvn (29KB encrypted config).
Defense Impairment
1 technique
"dbghelp.dll system library is used as a 'container'... overwritten in memory with decrypted shellcode" / "overwrites the beginning of its code section with the received payload"
Credential Access
1 technique
ACRStealer is one of the many payloads that are used by HijackLoader. It seems to specifically target gamers, stealing data like Steam logins.
Discovery
1 technique
Command and Control
1 technique
MITRE ATT&CK Mapping ... Command and Control Ingress Tool Transfer T1105 Amadey downloads 50+ payloads to infected hosts
Other
1 technique
IOCs tracked for this family
53 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
33 sources tracked across advisories, community write-ups, and news.
Referenced as a known loader whose infrastructure/TTPs appear similar to the campaign under analysis. The report does not directly confirm its deployment, only similarity.
HijackLoader is used as the delivery mechanism for SnappyClient. In the observed campaigns, it is downloaded from a fake Telefónica-themed site, then decrypts and loads SnappyClient. The report also notes code similarities between HijackLoader and SnappyClient, including direct system calls, 64-bit ntdll mapping, and transacted hollowing-related techniques.
A modular malware loader used to deliver and execute payloads on compromised systems. The article says it has multiple modules and has been used to distribute SnappyClient as well as other malware families.
A malware loader used to download and install secondary payloads, specifically Vidar in this campaign.