The HijackLoader malware has recently been updated with stronger defense evasion techniques, making it harder to analyze and detect [4]. This article describes the new techniques the malware employs and highlights their implications for security researchers and organizations.
The HijackLoader malware has incorporated new defense evasion techniques [1] [2] [4], further enhancing its stealth and resilience. In addition to its existing process hollowing and process doppelgänging methods, the malware now uses transacted hollowing to deliver additional payloads and tools. It also employs the Heaven's Gate technique to bypass user-mode hooks and injects shellcode into cmd.exe [2]. These new techniques aim to improve the malware's persistence and longevity on a compromised system.

The threat actors behind HijackLoader have developed a novel defense evasion technique that combines standard process hollowing with an additional trigger: the parent process writing to a pipe [1] [4]. This approach can make defense evasion even stealthier [1]. HijackLoader performs several benign actions before assembling itself into a fully functional piece of malware [3], which lets it evade detection by standard antivirus products [3]. This gradual build-up allows malicious actors to carry out prolonged campaigns and potentially cause more damage [3].

The malware's developer closely tracks how commercial security products develop and evolve, regularly introducing new evasion techniques to stay ahead of endpoint detection and response (EDR) and antivirus products [3]. Notably, HijackLoader is operated by the same cybercrime group as the IDAT Loader; both are used to distribute various malware families and tools. These new techniques represent an experimental evolution of the malware's defense evasion capabilities [2], further complicating analysis for researchers.

HijackLoader is increasingly being used by other threat actors to deliver additional payloads and tools [1]. It has been propagated via ClearFake and used to distribute Remcos RAT and SystemBC through phishing messages [4]. The attack chain begins with an executable that checks for an internet connection and downloads a second-stage configuration [4]. The executable then loads a legitimate DLL named in the configuration to run shellcode that launches the HijackLoader payload using process doppelgänging and process hollowing [4]. The malware also uses a process injection mechanism called transacted hollowing and the Heaven's Gate technique to bypass user-mode hooks [4]. Together, these defense evasion techniques aim to make HijackLoader harder for traditional security solutions to analyze and detect [4].
The updated defense evasion techniques employed by HijackLoader pose significant challenges for security researchers and organizations. The malware's enhanced stealth and resilience make it harder to analyze and detect, potentially enabling prolonged campaigns and greater damage. Mitigating the threat requires a thorough understanding of the malware's evolving techniques and the deployment of security controls that go beyond traditional antivirus. As the developer continues to introduce new evasion techniques, security professionals must stay vigilant and adapt their defenses accordingly.