HijackLoader is a malware loader that has gained popularity among cybercriminals due to its modular structure and code injection capabilities [3]. It stands out from other loaders because of its ability to use different modules for code injection and execution [2]. This article explores the features and tactics employed by HijackLoader, as well as other information-stealing malware strains.


HijackLoader is known for its modular architecture, allowing it to utilize various modules for code injection and execution [2]. It employs evasion techniques [1] [2] [3], such as syscalls and process detection based on a blocklist [3], to avoid detection by security solutions [3]. Additionally, it utilizes anti-analysis features in its initial stage [3], such as dynamic loading of Windows functions and conducting an HTTP connectivity test before execution [3]. The initial access vector used by HijackLoader is currently unknown [1] [2]. To achieve persistence on compromised hosts [1] [2], HijackLoader creates a shortcut file in the Windows Startup folder [1] [2] [3]. Despite its unrefined code quality [3], HijackLoader is expected to see future improvements and increased usage by threat actors [3].

In addition to HijackLoader [1], other information-stealing malware strains have been discovered, including RisePro and a Node.js-based stealer [1]. These malware strains target sensitive information on infected machines and exfiltrate it to command-and-control servers [1]. Stealer infections serve as a primary attack vector for threat actors [1], and new stealer malware strains like Prysmax [1], a Python-based malware [1], are constantly being developed to maximize their impact and evade detection [1]. Prysmax focuses on disabling Windows Defender [1], manipulating its settings [1], and stealing data while evading security tools and analysis sandboxes [1]. Zscaler has shared Indicators of Compromise (IOCs) for HijackLoader [3], highlighting its modular nature and evasion tactics [3].


The emergence of malware loaders like HijackLoader, along with information-stealing malware strains, poses significant threats to cybersecurity. These malicious tools employ sophisticated techniques to evade detection and compromise sensitive information. It is crucial for organizations to implement robust security measures and stay updated on the latest threat intelligence to mitigate the risks posed by these malware strains. As threat actors continue to refine their tactics, it is expected that the usage of HijackLoader and similar malware will increase, emphasizing the need for ongoing research and proactive defense strategies.


[1] https://thehackernews.com/2023/09/new-hijackloader-modular-malware-loader.html
[2] https://vulners.com/thn/THN:6748EFDF6C9AD1C1418EDF90118615A9
[3] https://cybermaterial.com/hijackloader-malware-on-the-rise/