Evolving Threat: Hijack Loader’s New Evasion Techniques
Cybersecurity researchers have identified an advanced version of the malware loader Hijack Loader, incorporating enhanced stealth mechanisms to bypass detection and maintain persistence on infected systems.
Key Enhancements in the Latest Version:
- Call Stack Spoofing – Obscures the source of function calls (API and system calls) to evade analysis.
- Anti-VM Checks – Detects malware analysis environments and security sandboxes so the loader can avoid detection by withholding its malicious behavior there.
- Bypassing Security Software – Expands blocklisted processes to include antivirus components, such as avastsvc.exe.
- Persistence Mechanisms – Uses scheduled tasks via the new modTask module to maintain long-term system access.
Initially discovered in 2023, Hijack Loader (also known as DOILoader, GHOSTPULSE, IDAT Loader, and SHADOWLADDER) is designed to deploy secondary payloads, such as information stealers and trojans. Security reports indicate that this loader is under active development, with ongoing modifications aimed at avoiding detection and complicating security analysis.
Call Stack Spoofing: A Growing Trend in Malware
The latest version of Hijack Loader adopts call stack spoofing, a technique used by other advanced malware like CoffeeLoader. This method fabricates stack frames to conceal the presence of malicious calls, making it difficult for security tools to track execution flow.
Additionally, the loader employs Heaven’s Gate, a known technique for executing 64-bit direct syscalls to facilitate process injection, further increasing its ability to evade security solutions.
SHELBY Malware: Leveraging GitHub for C2 Communication
Alongside Hijack Loader, researchers have uncovered a new malware family, SHELBY, which uses GitHub as a command-and-control (C2) server for data exfiltration and remote administration. This malware, tracked as REF8685, follows a multi-stage infection process:
- Phishing Attack – A targeted email delivers a ZIP file containing a .NET binary, which executes a DLL loader (SHELBYLOADER).
- GitHub-Based C2 – The loader retrieves encryption keys and payloads from attacker-controlled repositories.
- Sandbox Evasion – SHELBYLOADER detects virtualized environments before executing malicious actions.
- Command Execution via GitHub – The backdoor (SHELBYC2) fetches commands from a private GitHub repository, allowing attackers to upload/download files, execute PowerShell scripts, and reflectively load .NET binaries.
Notably, Personal Access Tokens (PATs) embedded in the malware enable unauthorized access to the attacker’s command logs, making it possible for other parties to extract sensitive information from compromised machines.
Emmenhtal Loader: SmokeLoader’s New Delivery Mechanism
Another emerging threat is Emmenhtal Loader (aka PEAKLIGHT), which is being used to distribute the SmokeLoader malware. Attackers are employing payment-themed phishing emails to deliver 7-Zip compressed payloads containing the loader.
A standout feature of this campaign is the use of .NET Reactor, a commercial obfuscation tool designed to protect .NET applications from reverse engineering. Historically, SmokeLoader has leveraged other packers, such as Themida and Enigma Protector, but the shift to .NET Reactor aligns with broader malware trends favoring stronger anti-analysis mechanisms.
Strengthening Cyber Defenses Against Malware Loaders
Given the increasing sophistication of malware loaders, organizations must implement proactive defense strategies:
- Behavior-Based Threat Detection – Monitor system behavior for indicators of compromise, such as unusual API calls and process injections.
- Threat Intelligence Integration – Leverage security feeds to track evolving malware families and emerging attack techniques.
- Endpoint Protection & Sandboxing – Deploy advanced endpoint security solutions with anti-evasion capabilities to detect virtual machine-aware malware.
- GitHub Repository Monitoring – Keep track of suspicious repositories and credentials that could be misused for C2 communication.
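As an added example (not code from the article or from any of the vendors it cites), the behavior-based detection and GitHub monitoring recommendations above can be turned into a small correlation rule. It runs over constructed, simplified telemetry modeled on Windows Security event 4698 (scheduled task created) and a Sysmon network-connection event, and flags a process that both installs a scheduled task from a user-writable path (the modTask-style persistence described above) and talks to GitHub without being a known developer tool; the event field names, host list and tool list are assumptions for this example.

```python
import re

# Constructed sample events (not real telemetry): simplified fields from
# Windows Security 4698 (scheduled task created) and Sysmon Event 3 (network).
EVENTS = [
    {"id": 4698, "proc": "upd.exe",
     "command": r"C:\Users\alice\AppData\Roaming\svc\upd.exe"},
    {"id": 4698, "proc": "services.exe",
     "command": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"id": 3, "proc": "upd.exe", "dest": "api.github.com"},
    {"id": 3, "proc": "git.exe", "dest": "api.github.com"},
    {"id": 3, "proc": "upd.exe", "dest": "raw.githubusercontent.com"},
]

# Heuristics (assumptions for this example): task actions launched from
# user-writable directories, and GitHub traffic from non-developer processes.
USER_WRITABLE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Temp)\\", re.I)
GITHUB_HOSTS = {"api.github.com", "raw.githubusercontent.com", "github.com"}
KNOWN_DEV_TOOLS = {"git.exe", "gh.exe", "code.exe", "devenv.exe"}


def suspicious_task(ev):
    """4698 whose action binary lives in a user-writable path."""
    return ev["id"] == 4698 and bool(USER_WRITABLE.match(ev["command"]))


def suspicious_github(ev):
    """Connection to GitHub from a process that is not a known dev tool."""
    return (ev["id"] == 3 and ev["dest"] in GITHUB_HOSTS
            and ev["proc"].lower() not in KNOWN_DEV_TOOLS)


def triage(events):
    """Correlate per process: both behaviours -> 'high', one -> 'medium'."""
    tasks = {e["proc"] for e in events if suspicious_task(e)}
    c2 = {e["proc"] for e in events if suspicious_github(e)}
    alerts = {}
    for proc in tasks | c2:
        reasons = []
        if proc in tasks:
            reasons.append("scheduled task from user-writable path")
        if proc in c2:
            reasons.append("GitHub traffic from non-developer process")
        alerts[proc] = ("high" if len(reasons) == 2 else "medium", reasons)
    return alerts


if __name__ == "__main__":
    for proc, (sev, why) in triage(EVENTS).items():
        print(f"{sev:6} {proc}: {'; '.join(why)}")
```

Either signal alone is a reasonable medium-confidence lead; the correlation is what separates loader behavior from a developer's workstation running git.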
As malware loaders continue evolving, adopting a multi-layered cybersecurity approach is essential for mitigating risks and maintaining a resilient security posture.