SnappyClient is a C++-based command-and-control implant/framework and remote-access trojan first reported in December 2025. It is associated with financially motivated activity, with reporting indicating cryptocurrency theft as a primary objective. ThreatLabz and Zscaler describe it as a stealthy post-compromise implant with multiple evasion techniques that support long-term remote access and data theft.
Observed delivery has been via HijackLoader, including a fake Telefónica/O2 website that automatically downloaded a HijackLoader executable and a ClickFix/GhostPulse-HijackLoader intrusion chain. In a June 2026 spear-phishing campaign targeting a small number of German financial institutions, a 7-Zip self-extracting archive themed as an urgent VPN software update used DLL side-loading and HijackLoader to deploy SnappyClient through an Opera-based side-load chain.
SnappyClient supports screenshot capture, keylogging, remote shell access, process management, file and directory operations, file execution, remote file browsing, browser profile cloning, and theft of data from applications, browsers, browser extensions, and other software. Reported browser targets include Chrome, Firefox, Edge, Brave, Opera, 360Browser, CocCoc, Slimjet, Vivaldi, and Waterfox. Reported extension targets include Coinbase, MetaMask, Phantom, TronLink, and TrustWallet. Reported cryptocurrency application targets include Atomic, BitcoinCore, Coinomi, Electrum, Exodus, LedgerLive, TrezorSuite, and Wasabi. It also supports reverse proxy capabilities for hidden FTP, VNC, RLOGIN, and SOCKS5 services.
The malware includes multiple anti-analysis and evasion features. Reported techniques include AMSI bypass via hooks on AmsiScanBuffer and AmsiScanString, direct system calls, 64-bit execution via Heaven’s Gate, process injection, and transacted hollowing. It can bypass Chromium App-Bound Encryption and cache the AES-256 master key. Persistence mechanisms reported include scheduled tasks, Windows autorun registry keys, and in one campaign a Startup shortcut named prompt_analyzer_debug.lnk plus a scheduled task file at C:\Windows\Tasks\socket_dispatcher_v2.job.
SnappyClient stores embedded JSON configuration data and can retrieve additional encrypted C2-delivered configuration files named EventsDB and SoftwareDB. EventsDB can define trigger conditions and actions such as clipboard replacement, screenshot capture, and clipboard exfiltration over HTTP. SoftwareDB defines software targets for theft. The malware specifically monitored clipboard content and wallet-related window titles for cryptocurrency-related activity, including terms such as binance, coinbase, exodus, and atomic wallet.
Command-and-control communications use a custom TCP binary protocol with Snappy compression and ChaCha20-Poly1305 encryption. After connection, the server sends a ChaCha20 key, nonce, and control session ID. Reporting identified use of TCP ports 3333 and 3334, and one analyzed C2 IP was 151.242.122.227. The first client registration message contains victim system information, malware version, installed software, antivirus products, and monitor details; one analyzed version reported itself as 0.1.11.
Reported indicators and artifacts include creation of C:\ProgramData\Mayanex\ and, in one analyzed chain, deployment into a legitimate host renamed %TEMP%\VirtualAr.exe. One analyzed Win32 sample had MD5 ec8258adfbf4ba5b9e8a06d75c5634cc, SHA-1 feb928a54be40ad4bbf245aaae6968f83b4937f5, and SHA-256 eb523f6b0f306ce9fb68adeadac41d2c25b720075f03c75bd3611584dee28cf9. Reporting also notes code and tradecraft similarities with HijackLoader, suggesting a possible developer or operational link.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
39 distinct techniques documented for this family, organized by ATT&CK tactic.
Victims usually meet a ClickFix prompt through phishing, malicious ads, or compromised websites.
Group-IB observed SilabRAT spreading through email spam and ClickFix social engineering. Victims usually meet a ClickFix prompt through phishing, malicious ads, or compromised websites.
It can also escalate privileges through a known UAC bypass and set up persistence via registry keys or scheduled tasks.
Attackers can use the implant to establish a remote shell on compromised systems for direct command-line access.
SnappyClient installs a trampoline hook on LoadLibraryExW and checks whether the process is loading amsi.dll.
It can also escalate privileges through a known UAC bypass and set up persistence via registry keys or scheduled tasks.
It can also escalate privileges through a known UAC bypass and set up persistence via registry keys or scheduled tasks.
Its author has teased plans to inject code into Electron-based apps, including the Ledger and Trezor wallet managers.
Vidar is decrypted in memory and injected, through process hollowing, into a clean, signed third-party application
It can also escalate privileges through a known UAC bypass and set up persistence via registry keys or scheduled tasks.
To bypass Chromium’s App-Bound Encryption... SnappyClient uses transacted hollowing... to inject a payload, which retrieves Chromium's AES_256 master key.
This is a standard way to keep recognizable strings like CreateFileW or VirtualProtect out of the binary
These configurations are written to disk encrypted using the ChaCha20 cipher... SnappyClient’s also contains an encrypted network configuration.
Its author has teased plans to inject code into Electron-based apps, including the Ledger and Trezor wallet managers.
From there, they can launch stealers, log keystrokes, watch the clipboard, or push more payloads.
The malware leans on session hijacking, too. As Group-IB explains, seizing an active session can bypass passwords and even multi-factor authentication.
From there, they can launch stealers, log keystrokes, watch the clipboard, or push more payloads.
Subsequently, SnappyClient sends an encrypted packet with the message header, followed by another packet containing the encrypted and compressed message.
The malware communicates with its C&C server using a custom binary protocol. The traffic is encrypted with ChaCha20-Poly1305 using a key and nonce received from the server, which are exchanged and validated before any control commands are sent or received.
Set up a reverse FTP proxy... reverse VNC proxy... reverse RLOGIN proxy... reverse SOCKS5 proxy... enabling the C2 to relay traffic through the victim machine.
The malware communicates with its C&C server using a custom binary protocol.
From there, they can launch stealers, log keystrokes, watch the clipboard, or push more payloads.
9 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A stealthy RAT delivered in the campaign's second parallel infection chain. It is unpacked by a second HijackLoader path, hollowed into a legitimate host process, communicates with C2 over ports 3333/3334, and establishes persistence via a Startup shortcut and scheduled task.
A command-and-control implant used for crypto wallet targeting.
Mentioned only as a C2 implant targeting crypto wallets; no further details are provided in the content.
A C++ malware family that communicates with its command-and-control server over a custom binary TCP protocol, using ChaCha20-Poly1305 encryption with server-provided key and nonce. It sends encrypted and compressed client-to-server reporting packets over ports 3333/3334.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.