8 May 2024

New HijackLoader variant comes with updated evasion techniques

Security researchers have spotted a new variant of the HijackLoader malware loader first identified in 2023.

HijackLoader is a modular malware loader used to deliver second-stage payloads including Amadey, Lumma Stealer, Raccoon Stealer v2, and Remcos RAT. Beyond delivery, HijackLoader already shipped with dynamic API resolution, a check for blocklisted (typically security-related) processes, and user-mode hook evasion via Heaven's Gate, the technique by which a 32-bit process running under WoW64 switches into 64-bit mode to issue system calls directly, sidestepping hooks that security products place on the 32-bit API layer.

The updated version of HijackLoader adds several modules aimed at bolstering its stealth and prolonging its undetected presence on infected systems. Among the notable additions are modules that bypass Windows Defender Antivirus, circumvent User Account Control (UAC), evade the inline API hooking that security software uses to monitor calls, and perform code injection via process hollowing.

HijackLoader's delivery method involves a PNG image that is decrypted and parsed to recover the next stage of the attack. A similar tactic was previously seen in a February 2024 campaign targeting Ukrainian entities based in Finland with the commercial remote access trojan (RAT) Remcos RAT. In that campaign the attackers used a loader dubbed IDAT Loader, a name under which HijackLoader has also been tracked, together with steganography to evade detection and compromise systems.

According to Zscaler, the first stage of HijackLoader is responsible for extracting and launching the second stage from a PNG image that is either embedded in the loader or downloaded separately, depending on the malware's configuration. The second stage primarily focuses on injecting the main instrumentation module, while employing anti-analysis techniques to evade detection along the way.
