{"id":7806,"date":"2024-05-20T11:11:50","date_gmt":"2024-05-20T11:11:50","guid":{"rendered":"\/cybersecurity-blog\/?p=7806"},"modified":"2024-05-20T11:17:38","modified_gmt":"2024-05-20T11:17:38","slug":"new-hijackloader-version","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/new-hijackloader-version\/","title":{"rendered":"New Hijack Loader Variant: Uses Process Hollowing, Has Enhanced Anti-Evasion Capabilities"},"content":{"rendered":"\n<p>There\u2019s a <a href=\"https:\/\/thehackernews.com\/2024\/05\/hijack-loader-malware-employs-process.html\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">new version of Hijack Loader active in the wild<\/a>, and it received updated anti-evasion capabilities.\u00a0<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What\u2019s happening?&nbsp;<\/h2>\n\n\n\n<p>Security researchers found a new version of <a href=\"https:\/\/any.run\/malware-trends\/hijackloader\" target=\"_blank\" rel=\"noreferrer noopener\">Hijack Loader<\/a>, which decrypts and parses a PNG image to load its second stage payload.\u00a0 \u00a0<\/p>\n\n\n\n<p>This second stage features a modular architecture, with its primary aim being the injection of the main instrumentation module.&nbsp;<\/p>\n\n\n\n<p>To enhance stealth, the malware:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Avoids inline API hooking, a common technique used by security software to detect threats.&nbsp;<\/li>\n\n\n\n<li>Adds an exclusion for Windows Defender antivirus.&nbsp;<\/li>\n\n\n\n<li>Bypasses User Account Control (UAC). &nbsp;<\/li>\n\n\n\n<li>Uses process hollowing.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>In all, security researchers spotted seven new modules in March and April 2024.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What is HijackLoader\u00a0<\/h2>\n\n\n\n<p>Hijack Loader, also known as IDAT Loader, appeared in September 2023. It&#8217;s been growing in popularity ever since. 
Today, Hijack is one of the most widely used loaders.&nbsp;<\/p>\n\n\n\n<p>This malware currently ranks 6th most detected in the <a href=\"https:\/\/any.run\/malware-trends\/\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN Trends Tracker<\/a>. We calculate this ranking by analyzing public sandbox submissions.&nbsp;<\/p>\n\n\n\n<p>The card below shows payloads Hijack Loader delivers:\u00a0<\/p>\n\n\n\n<!-- Highlight Block HTML START -->\n<div class=\"window\">\n  <div class=\"window-header\">\n    <div class=\"pill\">Common Hijack Loader payloads<\/div>\n  <\/div>\n  <div class=\"window-body\">\n    <ul>\n      <li><a href=\"https:\/\/any.run\/malware-trends\/amadey\" target=\"_blank\" rel=\"noopener\">Amadey<\/a><\/li>\n      <li><a href=\"https:\/\/any.run\/malware-trends\/lumma\" target=\"_blank\" rel=\"noopener\">Lumma Stealer<\/a><\/li>\n      <li>Meta Stealer<\/li>\n<li><a href=\"https:\/\/any.run\/malware-trends\/raccoon\" target=\"_blank\" rel=\"noopener\">Raccoon Stealer V2<\/a><\/li>\n<li><a href=\"https:\/\/any.run\/malware-trends\/remcos\" target=\"_blank\" rel=\"noopener\">Remcos RAT<\/a><\/li>\n<li><a href=\"https:\/\/any.run\/malware-trends\/rhadamanthys\" target=\"_blank\" rel=\"noopener\">Rhadamanthys<\/a><\/li>\n    <\/ul>\n  <\/div>\n<\/div>\n<!-- Highlight Block HTML END -->\n\n\n<!-- Highlight Block CSS START -->\n<style>\n  .window {\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n\n    border-radius: 4px;\n    margin: 20px auto 50px auto;\n    padding: 20px 40px;\n    line-height: 2rem;\n  }\n\n  .window-header {\n    display: flex;\n    justify-content: center;\n    margin-bottom: 20px;\n  }\n\n  .pill {\n    background-color: #fff;\n    border-radius: 20px;\n    color: #333;\n    font-weight: bold;\n    padding: 8px 32px;\nborder: 1px solid rgba(75, 174, 227, 0.32);\n  }\n\n  @media (max-width: 480px) {\n    .window {\n      padding: 10px;\n    }\n    \n    .pill {\n      font-size: 14px;\n      
padding: 6px 12px;\n    }\n  }\n<\/style>\n<!-- Highlight Block CSS END -->\n\n\n\n<p>(<a href=\"https:\/\/any.run\/cybersecurity-blog\/raccoon-stealer-v2-malware-analysis\/\" target=\"_blank\" rel=\"noreferrer noopener\">Read our Raccoon Stealer 2.0 technical analysis<\/a>) &nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Detecting Hijack Loader in ANY.RUN&nbsp;<\/h2>\n\n\n\n<p><a href=\"http:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=new_hijackloader_version&amp;utm_term=200524&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN sandbox<\/a> can detect HijackLoader by YARA. The screenshot below shows an analysis session of the <a href=\"https:\/\/app.any.run\/tasks\/8c02db0b-6194-4bd0-bd76-aed6946825e3\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=new_hijackloader_version&amp;utm_term=200524&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">new Hijack Loader version<\/a>.\u00a0<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"566\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/1-min-1024x566.png\" alt=\"\" class=\"wp-image-7807\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/1-min-1024x566.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/1-min-300x166.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/1-min-768x425.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/1-min-1536x849.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/1-min-2048x1133.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/1-min-370x205.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/1-min-270x149.png 270w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/1-min-740x409.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Analyze Hijack Loader in ANY.RUN<\/figcaption><\/figure><\/div>\n\n\n<p>By analyzing the static file content, we can see that this sample targets both 32- and 64-bit versions of Windows:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"564\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/2-1024x564.png\" alt=\"\" class=\"wp-image-7808\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/2-1024x564.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/2-300x165.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/2-768x423.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/2-1536x846.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/2-2048x1127.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/2-370x204.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/2-270x149.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/2-740x407.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<p>In this particular example, the second stage payload did not download because the C2 was already dead.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Latest Hijack Loader IOCs&nbsp;<\/h2>\n\n\n\n<p>We&#8217;ve collected the latest Hijack Loader IOCs from the Malware Trends Tracker. &nbsp;<\/p>\n\n\n\n<p>More artifacts can be found <a href=\"https:\/\/any.run\/malware-trends\/hijackloader\" target=\"_blank\" rel=\"noreferrer noopener\">here<\/a>. 
They&#8217;re dynamically updated when someone creates a new public analysis session and uploads this malware to ANY.RUN.\u00a0<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-95\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"3\"\n           data-wpID=\"95\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-bold wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        IPs:\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        185.215.113.67 <br>193.233.132.139\u00a0 <br> 185.172.128.76\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-bold wpdt-align-left\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n   
                 >\n                                        Hashes:\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        86BCCBACD8E9FDE23FF236155EE47F866DD7DD51C6129ED340034810A10705B3 <br> <br>0AE58BE8D7058E40926FDB51B76043D109B96B91AA9FA2950DBB8A3626185E0F\u00a0<br>\n<br>A38DA72082FC2DC1F60B3B245E1F2382D5F8C1D08EBC397DD0D81CC9F74EBBE6\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-bold wpdt-align-left\"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        URLs:\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        mail.zoomfilms-cz[.]com\u00a0<br> discussiowardder[.]website\u00a0<br> wxt82[.]xyz\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-95'>\ntable#wpdtSimpleTable-95{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-95 td, 
table.wpdtSimpleTable95 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN&nbsp;&nbsp;<\/h2>\n\n\n\n<p>ANY.RUN helps more than 400,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, <a href=\"https:\/\/any.run\/cybersecurity-blog\/introducing-any-run-threat-intelligence-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup<\/a>, <a href=\"https:\/\/any.run\/cybersecurity-blog\/yara-search\/\" target=\"_blank\" rel=\"noreferrer noopener\">Yara Search<\/a>, and <a href=\"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-feeds\/\" target=\"_blank\" rel=\"noreferrer noopener\">Feeds<\/a>, help you find IOCs or files to learn more about the threats and respond to incidents faster.\u00a0\u00a0\u00a0<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Advantages of ANY.RUN&nbsp;&nbsp;<\/h3>\n\n\n\n<p>ANY.RUN helps you analyze threats faster while improving detection rates. The platform detects common malware families with YARA and Suricata rules and identifies malware behavior with signatures when detection by family is not possible.&nbsp;<\/p>\n\n\n\n<p>With ANY.RUN you can:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Detect malware in under 40s<\/strong>: ANY.RUN detects malware within about 40 seconds of a file upload. 
It identifies prevalent malware families using YARA and Suricata rules and uses behavioral signatures to detect malicious actions when you encounter a new threat.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Interact with samples in real time<\/strong>: ANY.RUN is an interactive cloud sandbox powered by VNC, which means that you can do everything you could on a real system: browse webpages, click through installers, open password-protected archives.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Save time and money on sandbox setup and maintenance<\/strong>: ANY.RUN\u2019s cloud-based nature eliminates the need for setup or maintenance by your DevOps team, making it a cost-effective solution for businesses.&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Record and study all aspects of malware behavior<\/strong>: ANY.RUN provides a detailed analysis of malware behavior, including network traffic, system calls, and file system changes.&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Collaborate with your team<\/strong>: easily share analysis results, or, as a senior team member, check work of junior analysts by viewing recordings of their analysis sessions.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Scale as you need<\/strong>: as a cloud service, you can easily scale your team, simply by adding more licenses.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>We&#8217;ll show you in an interactive presentation how ANY.RUN can help your security team.&nbsp;&nbsp;&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/calendly.com\/d\/3nd-rzd-xvx\/any-run-demo-blog\/\" target=\"_blank\" rel=\"noreferrer noopener\">Get a demo \u2192<\/a>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>There\u2019s a new version of Hijack Loader active in the wild, and it received updated anti-evasion capabilities.\u00a0 What\u2019s happening?&nbsp; Security researchers found a new 
version of Hijack Loader, which decrypts and parses a PNG image to load its second stage payload.\u00a0 \u00a0 This second stage features a modular architecture, with its primary aim being the [&hellip;]<\/p>\n","protected":false},"author":6,"featured_media":7810,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[60],"tags":[57,10,40],"class_list":["post-7806","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","tag-anyrun","tag-cybersecurity","tag-malware-behavior"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>New HijackLoader: Process Hollowing &amp; Anti-Evasion Capabilities<\/title>\n<meta name=\"description\" content=\"Learn more about a new version of HijackLoader and its updated capabilities, including process hollowing, UAC bypass, and more.\u00a0\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/new-hijackloader-version\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Vlad Ananin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/new-hijackloader-version\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/new-hijackloader-version\/\"},\"author\":{\"name\":\"Vlad Ananin\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"New Hijack Loader Variant: Uses Process Hollowing, Has Enhanced Anti-Evasion Capabilities\",\"datePublished\":\"2024-05-20T11:11:50+00:00\",\"dateModified\":\"2024-05-20T11:17:38+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/new-hijackloader-version\/\"},\"wordCount\":644,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware behavior\"],\"articleSection\":[\"News\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/new-hijackloader-version\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/new-hijackloader-version\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/new-hijackloader-version\/\",\"name\":\"New HijackLoader: Process Hollowing & Anti-Evasion Capabilities\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2024-05-20T11:11:50+00:00\",\"dateModified\":\"2024-05-20T11:17:38+00:00\",\"description\":\"Learn more about a new version of HijackLoader and its updated capabilities, including process hollowing, UAC bypass, and 
more.\u00a0\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/new-hijackloader-version\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/new-hijackloader-version\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/new-hijackloader-version\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"News\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/news\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"New Hijack Loader Variant: Uses Process Hollowing, Has Enhanced Anti-Evasion Capabilities\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"Vlad Ananin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/564ed55b05884a34062108096c0ed973?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/564ed55b05884a34062108096c0ed973?s=96&d=mm&r=g\",\"caption\":\"Vlad Ananin\"},\"url\":\"https:\/\/any.run\/cybersecurity-blog\/author\/vlad-ananin\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"New HijackLoader: Process Hollowing & Anti-Evasion Capabilities","description":"Learn more about a new version of HijackLoader and its updated capabilities, including process hollowing, UAC bypass, and more.\u00a0","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/new-hijackloader-version\/","twitter_misc":{"Written by":"Vlad Ananin","Est. 
reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/new-hijackloader-version\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/new-hijackloader-version\/"},"author":{"name":"Vlad Ananin","@id":"https:\/\/any.run\/"},"headline":"New Hijack Loader Variant: Uses Process Hollowing, Has Enhanced Anti-Evasion Capabilities","datePublished":"2024-05-20T11:11:50+00:00","dateModified":"2024-05-20T11:17:38+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/new-hijackloader-version\/"},"wordCount":644,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","malware behavior"],"articleSection":["News"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/new-hijackloader-version\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/new-hijackloader-version\/","url":"https:\/\/any.run\/cybersecurity-blog\/new-hijackloader-version\/","name":"New HijackLoader: Process Hollowing & Anti-Evasion Capabilities","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2024-05-20T11:11:50+00:00","dateModified":"2024-05-20T11:17:38+00:00","description":"Learn more about a new version of HijackLoader and its updated capabilities, including process hollowing, UAC bypass, and 
more.\u00a0","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/new-hijackloader-version\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/new-hijackloader-version\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/new-hijackloader-version\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"News","item":"https:\/\/any.run\/cybersecurity-blog\/category\/news\/"},{"@type":"ListItem","position":3,"name":"New Hijack Loader Variant: Uses Process Hollowing, Has Enhanced Anti-Evasion Capabilities"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"Vlad 
Ananin","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/secure.gravatar.com\/avatar\/564ed55b05884a34062108096c0ed973?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/564ed55b05884a34062108096c0ed973?s=96&d=mm&r=g","caption":"Vlad Ananin"},"url":"https:\/\/any.run\/cybersecurity-blog\/author\/vlad-ananin\/"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/7806"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=7806"}],"version-history":[{"count":7,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/7806\/revisions"}],"predecessor-version":[{"id":7817,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/7806\/revisions\/7817"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/7810"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=7806"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=7806"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=7806"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}