win.hijackloader

HijackLoader

aka: GHOSTPULSE, IDAT Loader, SHADOWLADDER

According to Rapid7, this is a loader first spotted in July 2023. It implements several evasion techniques, including Process Doppelgänging, DLL Search Order Hijacking, and Heaven's Gate. It has been observed storing its malicious payload inside the IDAT chunk of a PNG file.

References
2024-02-07 | CrowdStrike | Donato Onofri, Emanuele Calvelli
HijackLoader Expands Techniques to Improve Defense Evasion
Families: HijackLoader

2023-12-30 | Rewterz Information Security | Rewterz Information Security
Rewterz Threat Alert – Widely Abused MSIX App Installer Disabled by Microsoft – Active IOCs
Families: HijackLoader, Storm-1674

2023-12-18 | Yoroi | Carmelo Ragusa, Luigi Martire
Innovation in Cyber Intrusions: The Evolution of TA544
Families: HijackLoader

2023-12-07 | eSentire | eSentire
DanaBot's Latest Move: Deploying Latrodectus
Families: DanaBot, HijackLoader, Unidentified 111 (Latrodectus)

2023-10-27 | Elastic | Joe Desimone, Salim Bitam
GHOSTPULSE haunts victims using defense evasion bag o' tricks
Families: HijackLoader, Lumma Stealer, NetSupportManager RAT, Rhadamanthys, SectopRAT, Vidar

2023-09-18 | Alpine Security | Borja Merino
HijackLoader Targets Hotels: A Technical Analysis
Families: HijackLoader

2023-09-08 | Zscaler | Zscaler
Technical Analysis of HijackLoader
Families: HijackLoader

2023-08-31 | Rapid7 Labs | Evan McCann, Natalie Zargarov, Thomas Elkins, Tyler McGraw
Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma Infostealers
Families: FAKEUPDATES, Amadey, HijackLoader, Lumma Stealer, SectopRAT

There is no YARA signature yet.