Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

HijackLoader

50
Global rank
36 infographic chevron month
Month rank
56 infographic chevron week
Week rank
0
IOCs

HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses.

Loader
Type
Unknown
Origin
1 July, 2023
First seen
20 December, 2024
Last seen

How to analyze HijackLoader with ANY.RUN

Type
Unknown
Origin
1 July, 2023
First seen
20 December, 2024
Last seen

IOCs

IP addresses
194.120.116.197
139.99.16.105
144.76.154.59
185.172.128.212
Domains
complainnykso.shop
proffoduwnuq.shop
vozmeatillu.shop
mobbipenju.store
bathdoomgaz.store
eaglepawnoy.store
potentioallykeos.shop
clearancek.site
deicedosmzj.shop
arriveoxpzxo.shop
applyzxcksdia.shop
preachstrwnwjw.shop
licendfilteo.site
gutterydhowi.shop
stogeneratmns.shop
charecteristicdxp.shop
interactiedovspm.shop
conformfucdioz.shop
weiggheticulop.shop
replacedoxcjzp.shop
Last Seen at

Recent blog posts

post image
Well done, ANY.RUN: Our Top Cybersecurity Awa...
watchers 217
comments 0
post image
How DFIR Analysts Use ANY.RUN Sandbox
watchers 311
comments 0
post image
How to Set up a Windows 11 Malware Sandbox
watchers 1118
comments 0

What is HijackLoader malware?

HijackLoader is a loader malware that possesses strong evasion capabilities, allowing it to bypass mainstream security solutions. It has been observed to deliver numerous persistent malware families, such as DanaBot and the RedLine stealer.

Most of the known attacks involving HijackLoader began with phishing emails. As of the end of 2023, it continues to be an active threat. The modular design of the malware is one of the key factors behind its popularity. It enables HijackLoader to ensure a more flexible approach to deployment on the infected system and further execution of the final payloads.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Technical details of the HijackLoader malicious software

HijackLoader is notorious for its ability to evade detection. One way it does this is by utilizing a modified Windows C Runtime (CRT) function to gain a foothold on the device.

During the initial stage, HijackLoader also ascertains whether the final payload is embedded in the binary or has to be downloaded from external sources. It does this through the use of an array of DWORD values.

It can also check if the device is connected to the Internet by attempting to connect to legitimate websites. The network connectivity check is a clever strategy that allows HijackLoader to remain undetected while the network is unavailable. In a similar fashion, the malware can delay the execution of different parts of its code to once again avoid early detection.

To make it more difficult for reverse engineers to analyze its code, the malware uses dynamic API loading via a custom hashing method. This makes it harder to locate the specific API calls used during execution.

HijackLoader’s AVDATA module is designed specifically for the purpose of identifying security software installed on the system and adjusting its operation depending on the results of its scanning.

Execution process of HijackLoader

Let’s take a closer look at the execution flow of a HijackLoader sample by uploading it to the ANY.RUN sandbox.

HijackLoader is a typical loader, and its execution flow is also straightforward and simple. This simplicity allows malware to remain less active inside infected systems, making it more challenging to detect. However, it can still attract attention in certain cases.

In our example, the loader leveraged the CMD utility to stay under the radar. It, in turn, initiates the MSBuild process, which downloads and runs the Phonk which downloads the miner. HijackLoader demonstrates evasion capabilities that aid in staying undetected by certain security solutions.

Analyze malware for free in a fully interactive cloud sandbox – sign up now!

HijackLoader process tree shown in ANY.RUN HijackLoader's process tree demonstrated in ANY.RUN

Distribution methods of the HijackLoader malware

The preferred method of infiltration among the attackers behind HijackLoader is phishing attacks, where cybercriminals craft emails that appear to be from legitimate sources, hoping to trick recipients into opening malicious attachments or clicking on infected links.

In one notable instance, hotels were targeted with emails from fake clients claiming to be staying at the hotel and requesting staff to download a file containing information on their allergy. Once opened, the file kickstarted the infection chain resulting in the deployment of HijackLoader on the victim’s device.

Conclusion

Keeping your infrastructure safe from a HijackLoader infection requires a proactive cybersecurity approach. An indispensable part of it is a reliable malware analysis sandbox like ANY.RUN.

With ANY.RUN, you can example incoming emails to determine any malicious intent behind them with ease. The service’s interactive cloud environment enables you to effectively investigate even the most intricate phishing campaigns and uncover multi-stage attacks in no time. The service delivers comprehensive text reports encompassing detailed information about the submitted files and links, including fresh IOCs.

Adopt a proactive cybersecurity approach by leveraging ANY.RUN.

Try ANY.RUN for free – request a demo!

HAVE A LOOK AT

SSLoad screenshot
SSLoad
ssload
SSLoad is a malicious loader or downloader that is used to infiltrate target systems through phishing emails, perform reconnaissance and transmit it back to its operators delivering malicious payloads. To avoid detection, SSLoad employs various encryption methods and delivery techniques highlighting its versatile nature and complexity. It is believed to be a part of Malware-as-a-Service (MaaS) operation given its diverse delivery methods and implemented techniques.
Read More
WarmCookie screenshot
WarmCookie
badspace
WarmCookie is a backdoor malware that cyber attackers use to gain initial access to targeted systems. It is often distributed through phishing emails, frequently using job recruitment lures to entice victims into downloading and executing the malware.
Read More
Gh0st RAT screenshot
Gh0st RAT
gh0st
Gh0st RAT is a malware with advanced trojan functionality that enables attackers to establish full control over the victim’s system. The spying capabilities of Gh0st RAT made it a go-to tool for numerous criminal groups in high-profile attacks against government and corporate organizations. The most common vector of attack involving this malware begins with spam and phishing emails.
Read More
DarkGate screenshot
DarkGate
darkgate
DarkGate is a loader, which possesses extensive functionality, ranging from keylogging to crypto mining. Written in Delphi, this malware is known for the use of AutoIT scripts in its infection process. Thanks to this malicious software’s versatile architecture, it is widely used by established threat actors.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
Emmenhtal screenshot
Emmenhtal
emmenhtal
First identified in 2024, Emmenhtal operates by embedding itself within modified legitimate Windows binaries, often using HTA (HTML Application) files to execute malicious scripts. It has been linked to the distribution of malware such as CryptBot and Lumma Stealer. Emmenhtal is typically disseminated through phishing campaigns, including fake video downloads and deceptive email attachments.
Read More