Hijack Loader Malware Evolves: New Evasion Tactics and Persistence Mechanisms

Listen to this Post

Cybersecurity researchers have identified an advanced version of Hijack Loader, a malware loader that now incorporates sophisticated techniques to bypass security measures and establish persistence in infected systems. Originally discovered in 2023, this loader is designed to deliver secondary payloads, such as data-stealing malware, while using multiple evasion strategies to avoid detection.

Recent findings from Zscaler ThreatLabz highlight the addition of call stack spoofing, a method that conceals the origin of function calls, making it harder for security tools to track the malware’s activity. Additionally, the malware now includes anti-virtual machine (anti-VM) checks to detect analysis environments and sandboxes, preventing cybersecurity researchers from effectively studying it.

The latest updates to Hijack Loader emphasize how malware developers continue refining their tools to make them stealthier and more resilient against modern security defenses. This discovery follows other notable malware campaigns, such as SHELBY malware, which exploits GitHub for command-and-control (C2) functions, and Emmenhtal loader, which delivers SmokeLoader using obfuscation techniques.

Key Developments in Hijack Loader

  • Call Stack Spoofing: A newly introduced module hides the true origin of API and system calls, similar to techniques used by the malware CoffeeLoader.
  • Anti-VM Checks: The malware can now detect if it’s running in a sandbox or analysis environment, helping evade detection.
  • Updated Blacklisted Processes: Hijack Loader now blocks processes like avastsvc.exe (a component of Avast Antivirus) to delay execution and avoid security software.
  • Heaven’s Gate Technique: Continues using this method to execute 64-bit syscalls, making detection more challenging.
  • Persistence via Scheduled Tasks: A new module (modTask) helps maintain a foothold on the infected system.

Hijack Loader’s Growing Threat

The use of legitimate code-signing certificates and the infamous ClickFix strategy for malware distribution shows that attackers are leveraging increasingly sophisticated methods. These tactics make it difficult for security researchers to detect and mitigate threats effectively.

SHELBY Malware: A New Threat Using GitHub for C2

Researchers at Elastic Security Labs have also uncovered a new malware family called SHELBY, which uses GitHub for its command-and-control (C2) infrastructure. The malware’s attack chain typically starts with phishing emails, tricking victims into downloading malicious files.

  • How It Works: A .NET binary executes a DLL loader (SHELBYLOADER), which communicates with a private GitHub repository to receive commands and exfiltrate data.
  • Stealth Features: Uses sandbox detection to avoid running in a virtualized analysis environment.
  • Unique C2 Mechanism: Instead of traditional C2 servers, it uses GitHub commits with a Personal Access Token (PAT), allowing attackers to control infected machines remotely.

This method presents a challenge for security teams, as GitHub is a widely trusted platform that attackers can abuse to bypass traditional detection mechanisms.

Emmenhtal Loader: Spreading SmokeLoader via Phishing Emails

Another recent campaign involves Emmenhtal loader (also known as PEAKLIGHT), which delivers SmokeLoader through phishing emails containing 7-Zip files.

– Key Features:

  • Uses .NET Reactor for obfuscation, preventing easy analysis.
  • Historically employed packers like Themida and Enigma Protector.
  • Targets users with payment-themed phishing lures to trick them into downloading malicious payloads.

This trend highlights how attackers are constantly refining their malware to evade detection and infect unsuspecting users.

What Undercode Say:

The emergence of Hijack Loader’s advanced evasion techniques underscores the growing sophistication of cyber threats. Attackers are continuously refining their tools to bypass detection, leveraging techniques like call stack spoofing and anti-VM checks. This makes it increasingly difficult for security teams to analyze and mitigate threats effectively.

Key Takeaways

  1. Evasion is the Priority: The adoption of call stack spoofing and anti-VM techniques proves that malware authors are prioritizing stealth over brute force attacks.
  2. Malware-as-a-Service (MaaS) Trend Continues: Hijack Loader’s modular design suggests that it is being developed and maintained as a service for cybercriminals, allowing easy adaptation to different attack scenarios.
  3. Legitimate Platforms Are Being Abused: The use of GitHub as a C2 infrastructure (as seen with SHELBY malware) demonstrates that attackers are shifting towards trusted platforms to avoid detection.
  4. Phishing Remains the Primary Attack Vector: Both SHELBY and Emmenhtal loaders highlight the importance of email security, as phishing remains the primary method for distributing malware.
  5. Security Software Must Adapt: Traditional antivirus and endpoint protection solutions need to evolve to detect these new stealth techniques effectively. Behavioral analysis and machine learning-based detection are crucial in identifying such threats.

The Bigger Picture

The cybersecurity landscape is in a constant battle between attackers and defenders. With malware authors focusing on stealth, persistence, and trusted infrastructure abuse, security teams must enhance their detection capabilities by focusing on behavioral analytics, AI-driven threat detection, and proactive threat hunting.

Organizations should also invest in user awareness training to reduce the risk of phishing attacks, which remain one of the primary infection vectors.

Fact Checker Results:

  1. Hijack Loader’s Call Stack Spoofing – Verified: The technique is used in multiple malware families, including CoffeeLoader, to avoid detection.
  2. GitHub as a C2 Platform – Verified: Researchers confirm that malware like SHELBY abuses GitHub repositories to exfiltrate data and receive commands.
  3. SmokeLoader’s Use of .NET Reactor – Verified: The obfuscation tool has been increasingly adopted by malware developers to evade security solutions.

References:

Reported By: https://thehackernews.com/2025/04/new-malware-loaders-use-call-stack.html
Extra Source Hub:
https://www.quora.com
Wikipedia
Undercode AI

Image Source:

Pexels
Undercode AI DI v2

Join Our Cyber World:

💬 Whatsapp | 💬 TelegramFeatured Image