Security researchers have discovered an updated version of a malware load called Hijack Loader that implements innovative features to evade detection and build resilience on damaged systems.
” Hijack Loader released a new module that implements call stack spoofing to hide the origin of function calls ( e. g., API and system calls )”, Zscaler ThreatLabz researcher Muhammed Irfan V A in an analysis. ” Hijack Loader added a new unit to perform anti-VM checks to find malware study situations and firewalls”.
Hijack Loader, initially discovered in 2023, offers the ability to provide second-stage cargo such as data stealer malware. It also comes with a multitude of components to bypass security applications and inject malicious code. Hijack Loader is tracked by the broader security society under the names DOILoader, GHOSTPULSE, IDAT Loader, and SHADOWLADDER.
In October 2024, HarfangLab and Elastic Security Labs extensive Hijack Load campaigns that utilized genuine code-signing certificates as well as the renowned ClickFix method for distributing the malware.
The latest incarnation of the load comes with a number of improvements over its predecessor, the most notable being the addition of telephone load spoofing as an evasion tactic to conceal the origin of API and system calls, a method late even embraced by another malware loader known as .
” This technique uses a chain of EBP pointers to traverse the stack and conceal the presence of a malicious call in the stack by replacing actual stack frames with fabricated ones”, Zscaler said.
As with previous versions, the Hijack Loader leverages the to execute 64-bit direct syscalls for process injection. Other changes include a revision to the list of blocklisted processes to include “avastsvc. exe”, a component of Avast Antivirus, to delay execution by five seconds.
The malware also incorporates two new modules, namely ANTIVM for detecting virtual machines and modTask for setting up persistence via scheduled tasks.
The findings show that Hijack Loader continues to be actively maintained by its operators with an intent to complicate analysis and detection.
SHELBY Malware Uses GitHub for Command-and-Control
The development comes as Elastic Security Labs detailed a new malware family dubbed SHELBY that uses GitHub for command-and-control ( C2 ), data exfiltration, and remote control. The activity is being tracked as REF8685.
The attack chain involves the use of a phishing email as a starting point to distribute a ZIP archive containing a.NET binary that’s used to execute a DLL loader tracked as SHELBYLOADER ( “HTTPService. dll” ) via DLL side-loading. The email messages were delivered to an Iraq-based telecommunications firm through a highly targeted phishing email sent from within the targeted organization.
The loader subsequently initiates communications with GitHub for C2 to extract a specific 48-byte value from a file named” License. txt” in the attackers-controlled repository. The value is then used to generate an AES decryption key and decipher the main backdoor payload ( “HTTPApi. dll” ) and load it into memory without leaving detectable artifacts on disk.
” SHELBYLOADER utilizes sandbox detection techniques to identify virtualized or monitored environments”, Elastic . ” Once executed, it sends the results back to C2. These results are packaged as log files, detailing whether each detection method successfully identified a sandbox environment”.
The SHELBYC2 backdoor, for its part, parses commands listed in another file named” Command. txt” to download/upload files from/to a GitHub repository, load a.NET binary reflectively, and run PowerShell commands. What’s notable here is the C2 communication occurs through commits to the private repository by making use of a Personal Access Token ( PAT ).
” The way the malware is set up means that anyone with the PAT ( Personal Access Token ) can theoretically fetch commands sent by the attacker and access command outputs from any victim machine”, the company said. ” This is because the PAT token is embedded in the binary and can be used by anyone who obtains it”.
Emmenhtal Spreads SmokeLoader via 7-Zip Files
Phishing emails bearing payment-themed lures have also been observed delivering a malware loader family codenamed loader (aka PEAKLIGHT), which acts as a conduit to deploy another malware known as .
” One notable technique observed in this SmokeLoader sample is the use of.NET Reactor, a commercial.NET protection tool used for obfuscation and packing”, GDATA .
” While SmokeLoader has historically leveraged packers like Themida, Enigma Protector, and custom crypters, the use of.NET Reactor aligns with trends seen in other malware families, particularly stealers and loaders, due to its strong anti-analysis mechanisms”.