HomeWinBuzzer NewsHijackLoader: The New Modular Malware Loader on the Block

HijackLoader: The New Modular Malware Loader on the Block

HijackLoader utilizes a variety of malware modules for code injection and execution


HijackLoader has emerged as a new malware loader that's been gaining traction in recent months. Its modular architecture sets it apart from other malware loaders, allowing it to utilize a variety of modules for code injection and execution. This capability has made it a preferred choice for loading various malware families, including Danabot, SystemBC, and RedLine Stealer.

Its rising popularity suggests that might increasingly adopt it, potentially filling the gap left by malware like Emotet and Qakbot. As always, staying vigilant and updated on such threats is crucial for maintaining .

Technical Insights and Key Findings

Zscaler's ThreatLabz first observed HijackLoader in July 2023. The loader has been instrumental in dropping multiple malware families, amplifying its potential threat. One of its distinctive features is its use of syscalls to dodge monitoring from security solutions. It also detects specific processes based on an embedded blocklist and can delay code execution at different stages.

HijackLoader's embedded modules offer flexible code injection and execution, a feature that's not common among traditional loaders. The malware's modular design allows it to be versatile, adapting to various tasks and evading detection more effectively.

How HijackLoader Works

Upon execution, HijackLoader initiates by determining if the final payload is embedded in the binary or if it needs to be downloaded from an external server. It includes an encrypted configuration that stores various information, such as Windows API hashes for dynamic loading and parameters for several Windows API functions.

The malware employs several anti-analysis techniques, including dynamic loading of Windows API functions using a custom API hashing technique. It also performs an HTTP connectivity test to a legitimate website, like Mozilla, and delays code execution at different stages based on the presence of specific processes.

HijackLoader's modules aid in the code injection and execution process of the final payload. These modules have been identified by ThreatLabz, with each having specific functionalities. For instance, the AVDATA module contains a blocklist of security products' process names, while the ESLDR module assists with code injection of the main instrumentation shellcode.

Markus Kasanmascheff
Markus Kasanmascheff
Markus is the founder of WinBuzzer and has been playing with Windows and technology for more than 25 years. He is holding a Master´s degree in International Economics and previously worked as Lead Windows Expert for Softonic.com.

Recent News