Cybersecurity researchers have discovered an updated version of a malware loader called Hijack Loader that implements new features to evade detection and establish persistence on compromised systems.
“Hijack Loader released a new module that implements call stack spoofing to hide the origin of function calls (e.g., API and system calls),” Zscaler ThreatLabz researcher Muhammed Irfan V A said in an analysis. “Hijack Loader added a new module to perform anti-VM checks to detect malware analysis environments and sandboxes.”
Hijack Loader, first discovered in 2023, offers the ability to deliver second-stage payloads such as information stealer malware. It also comes with a variety of modules to bypass security software and inject malicious code. Hijack Loader is tracked by the broader cybersecurity community under the names DOILoader, GHOSTPULSE, IDAT Loader, and SHADOWLADDER.
In October 2024, HarfangLab and Elastic Security Labs detailed Hijack Loader campaigns that leveraged legitimate code-signing certificates as well as the infamous ClickFix strategy for distributing the malware.
The latest iteration of the loader comes with a number of improvements over its predecessor, the most notable being the addition of call stack spoofing as an evasion tactic to conceal the origin of API and system calls, a method recently also embraced by another malware loader known as CoffeeLoader.
“This technique uses a chain of EBP pointers to traverse the stack and conceal the presence of a malicious call in the stack by replacing actual stack frames with fabricated ones,” Zscaler said.
As with previous versions, the Hijack Loader leverages the Heaven’s Gate technique to execute 64-bit direct syscalls for process injection. Other changes include a revision to the list of blocklisted processes to include “avastsvc.exe,” a component of Avast Antivirus, to delay execution by five seconds.
The malware also incorporates two new modules, namely ANTIVM for detecting virtual machines and modTask for setting up persistence via scheduled tasks.
The findings show that Hijack Loader continues to be actively maintained by its operators with an intent to complicate analysis and detection.
SHELBY Malware Uses GitHub for Command-and-Control
The development comes as Elastic Security Labs detailed a new malware family dubbed SHELBY that uses GitHub for command-and-control (C2), data exfiltration, and remote control. The activity is being tracked as REF8685.
The attack chain involves the use of a phishing email as a starting point to distribute a ZIP archive containing a .NET binary that’s used to execute a DLL loader tracked as SHELBYLOADER (“HTTPService.dll”) via DLL side-loading. The email messages were delivered to an Iraq-based telecommunications firm through a highly targeted phishing email sent from within the targeted organization.
The loader subsequently initiates communications with GitHub for C2 to extract a specific 48-byte value from a file named “License.txt” in the attackers-controlled repository. The value is then used to generate an AES decryption key and decipher the main backdoor payload (“HTTPApi.dll”) and load it into memory without leaving detectable artifacts on disk.
“SHELBYLOADER utilizes sandbox detection techniques to identify virtualized or monitored environments,” Elastic said. “Once executed, it sends the results back to C2. These results are packaged as log files, detailing whether each detection method successfully identified a sandbox environment.”
The SHELBYC2 backdoor, for its part, parses commands listed in another file named “Command.txt” to download/upload files from/to a GitHub repository, load a .NET binary reflectively, and run PowerShell commands. What’s notable here is the C2 communication occurs through commits to the private repository by making use of a Personal Access Token (PAT).
“The way the malware is set up means that anyone with the PAT (Personal Access Token) can theoretically fetch commands sent by the attacker and access command outputs from any victim machine,” the company said. “This is because the PAT token is embedded in the binary and can be used by anyone who obtains it.”
Emmenhtal Spreads SmokeLoader via 7-Zip Files
Phishing emails bearing payment-themed lures have also been observed delivering a malware loader family codenamed Emmenhtal loader (aka PEAKLIGHT), which acts as a conduit to deploy another malware known as SmokeLoader.
“One notable technique observed in this SmokeLoader sample is the use of .NET Reactor, a commercial .NET protection tool used for obfuscation and packing,” GDATA said.
“While SmokeLoader has historically leveraged packers like Themida, Enigma Protector, and custom crypters, the use of .NET Reactor aligns with trends seen in other malware families, particularly stealers and loaders, due to its strong anti-analysis mechanisms.”
