SYMBOLCOMMON_NAMEaka. SYNONYMS
win.hijackloader (Back to overview)

HijackLoader

aka: GHOSTPULSE, IDAT Loader, SHADOWLADDER

According to Rapid7, this is a loader first spotted in July 2023. It implements several evasion techniques including Process Doppelgänging, DLL Search Order Hijacking, and Heaven's Gate. It has been observed to store its malicious payload in the IDAT chunk of PNG file format.

References
2024-02-07CrowdStrikeDonato Onofri, Emanuele Calvelli
HijackLoader Expands Techniques to Improve Defense Evasion
HijackLoader
2023-12-30Rewterz Information SecurityRewterz Information Security
Rewterz Threat Alert – Widely Abused MSIX App Installer Disabled by Microsoft – Active IOCs
HijackLoader
2023-12-18YoroiCarmelo Ragusa, Luigi Martire
Innovation in Cyber Intrusions: The Evolution of TA544
HijackLoader
2023-12-07eSentireeSentire
DanaBot's Latest Move: Deploying Latrodectus
DanaBot HijackLoader Unidentified 111 (Latrodectus)
2023-10-27ElasticJoe Desimone, Salim Bitam
GHOSTPULSE haunts victims using defense evasion bag o' tricks
HijackLoader Lumma Stealer NetSupportManager RAT Rhadamanthys SectopRAT Vidar
2023-09-18Alpine SecurityBorja Merino
HijackLoader Targets Hotels: A Technical Analysis
HijackLoader
2023-09-08ZscalerZscaler
Technical Analysis of HijackLoader
HijackLoader
2023-08-31Rapid7 LabsEvan McCann, Natalie Zargarov, Thomas Elkins, Tyler McGraw
Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma Infostealers
FAKEUPDATES Amadey HijackLoader Lumma Stealer SectopRAT

There is no Yara-Signature yet.