win.hijackloader (Back to overview)

HijackLoader

aka: DOILoader, GHOSTPULSE, IDAT Loader, SHADOWLADDER

According to Rapid7, this is a loader first spotted in July 2023. It implements several evasion techniques, including Process Doppelgänging, DLL Search Order Hijacking, and Heaven's Gate. It has been observed storing its malicious payload in the IDAT chunk of the PNG file format.

References
2024-10-19 | Elastic | Salim Bitam
Tricks and Treats: GHOSTPULSE’s new pixel-level deception
HijackLoader
2024-08-15 | Kaspersky | AbdulRhman Alfaifi, Elsayed Elrefaei
Tusk campaign uses infostealers and clippers for financial gain
DanaBot HijackLoader Stealc
2024-07-29 | loginsoft | Saharsh Agrawal
Blue Screen Mayhem: When CrowdStrike's Glitch Became Threat Actor's Playground
Daolpu HijackLoader Remcos
2024-06-24 | Kroll | Dave Truman
Novel Technique Combination Used In IDATLOADER Distribution
Emmenhtal HijackLoader
2024-06-17 | Proofpoint | Proofpoint
From Clipboard to Compromise: A PowerShell Self-Pwn
DarkGate HijackLoader Lumma Stealer Matanbuchus NetSupportManager RAT TA571
2024-06-17 | Trellix | Alejandro Houspanossian
Info Stealing Campaign Uses DLL Sideloading Through Legitimate Cisco Webex’s Binaries for Initial Execution and Defense Evasion
HijackLoader Lumma Stealer
2024-05-06 | Zscaler | Muhammed Irfan V A
HijackLoader Updates
HijackLoader
2024-02-07 | CrowdStrike | Donato Onofri, Emanuele Calvelli
HijackLoader Expands Techniques to Improve Defense Evasion
HijackLoader
2023-12-30 | Rewterz Information Security | Rewterz Information Security
Rewterz Threat Alert – Widely Abused MSIX App Installer Disabled by Microsoft – Active IOCs
HijackLoader Storm-1674
2023-12-18 | Yoroi | Carmelo Ragusa, Luigi Martire
Innovation in Cyber Intrusions: The Evolution of TA544
HijackLoader
2023-12-07 | eSentire | eSentire
DanaBot's Latest Move: Deploying Latrodectus
DanaBot HijackLoader Latrodectus
2023-10-27 | Elastic | Joe Desimone, Salim Bitam
GHOSTPULSE haunts victims using defense evasion bag o' tricks
HijackLoader Lumma Stealer NetSupportManager RAT Rhadamanthys SectopRAT Vidar
2023-09-18 | Alpine Security | Borja Merino
HijackLoader Targets Hotels: A Technical Analysis
HijackLoader
2023-09-08 | Zscaler | Zscaler
Technical Analysis of HijackLoader
HijackLoader
2023-08-31 | Rapid7 Labs | Evan McCann, Natalie Zargarov, Thomas Elkins, Tyler McGraw
Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma Infostealers
FAKEUPDATES Amadey HijackLoader Lumma Stealer SectopRAT
Yara Rules
[TLP:WHITE] win_hijackloader_w0 (20241021 | No description)
// HijackLoader / GHOSTPULSE detection (Elastic Security). Matches on either of two
// small code fragments. scan_context covers both on-disk files and process memory,
// which is why the condition carries no PE-header or filesize guard.
rule win_hijackloader_w0 {

    meta:
        author = "Elastic Security"
        id = "a1311f49-65a7-4136-a5ab-28cf4de4d40f"
        fingerprint = "e07a8152ab75624aa8dd0a8301d690a6a4bdd3b0e069699632541fb6a32e419b"
        creation_date = "2023-10-06"
        last_modified = "2023-10-26"
        threat_name = "Windows.Trojan.GhostPulse"
        reference = "https://www.elastic.co/security-labs/ghostpulse-haunts-victims-using-defense-evasion-bag-o-tricks"
        // 64 hex chars, presumably the SHA-256 of the sample the rule was written against.
        reference_sample = "0175448655e593aa299278d5f11b81f2af76638859e104975bdb5d30af5c0c11"
        severity = 100
        // NOTE(review): $a1 uses REX-prefixed (64-bit) encodings, so "x86" is likely
        // used here in the generic sense — confirm before filtering on this field.
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "windows"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hijackloader"
        malpedia_rule_date = "20241021"
        // Left empty on this page; reference_sample above is the only sample hash given.
        malpedia_hash = ""
        malpedia_version = "20241021"
        malpedia_license = "Elastic License v2"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // x64 fragment: movsx of a byte, test/jz, add 1 to a frame-local counter, jump
        // back, then the epilogue (lea rsp,[rbp+0x10]; pop rbp; ret). Looks like an
        // unoptimised byte-counting loop over a NUL-terminated buffer — confirm.
        $a1 = { 0F BE 00 48 0F BE C0 85 C0 74 0D B8 01 00 00 00 03 45 00 89 45 00 EB E1 8B 45 00 48 8D 65 10 5D C3 }
        // Compares a byte against 0x41 ('A') and 0x5A ('Z') and adds 0x20 when it is in
        // range: an unoptimised ASCII lower-casing helper. This is compiler-generic code;
        // treat a lone $a2 hit as a lead to corroborate (e.g. with w2/w3) rather than a verdict.
        $a2 = { 88 4C 24 08 48 83 EC 18 0F B6 44 24 20 88 04 24 0F BE 44 24 20 83 F8 41 7C 13 0F BE 04 24 83 F8 5A 7F 0A 0F BE 04 24 83 C0 20 88 04 24 }
    condition:
        // Either fragment alone is enough to match.
        any of them
}
[TLP:WHITE] win_hijackloader_w1 (20241021 | No description)
// HijackLoader / GHOSTPULSE detection (Elastic Security). Single-pattern rule keyed on
// a distinctive x64 function prologue; no reference_sample is recorded for this one.
rule win_hijackloader_w1 {
    meta:
        author = "Elastic Security"
        id = "3fe1d02d-5de3-42df-8389-6a55fc2b8afd"
        fingerprint = "18aed348ba64bee842fb6af3b3220e108052a67f49724cf34ba52c8ec7c15cac"
        creation_date = "2023-10-12"
        last_modified = "2023-10-26"
        threat_name = "Windows.Trojan.GhostPulse"
        reference = "https://www.elastic.co/security-labs/ghostpulse-haunts-victims-using-defense-evasion-bag-o-tricks"
        severity = 100
        // NOTE(review): the pattern below is REX-prefixed (64-bit only); "x86" appears
        // to be used generically — confirm before relying on this field.
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "windows"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hijackloader"
        malpedia_rule_date = "20241021"
        malpedia_hash = ""
        malpedia_version = "20241021"
        malpedia_license = "Elastic License v2"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // x64 prologue: spills rbx/rdi to the stack home area, mov ebx,edx / mov rdi,rcx,
        // xor r10d,r10d, sub ebx,r9d with a jz, then mov r11,rcx and sub r8,rcx.
        // Under the Windows x64 convention that is the 1st-4th arguments being shuffled
        // into working registers. It is register choreography rather than an API or string,
        // so it cannot be attributed by eye — confirm against a known sample before tuning.
        $a = { 48 89 5C 24 08 48 89 7C 24 10 8B DA 45 33 D2 48 8B F9 41 2B D9 74 50 4C 8B D9 4C 2B C1 0F 1F 00 33 C9 }
    condition:
        // Only one string is defined, so "all of them" is equivalent to plain $a.
        all of them
}
[TLP:WHITE] win_hijackloader_w2 (20241021 | No description)
// HijackLoader / GHOSTPULSE detection (Elastic Security). Targets the loader's
// PNG IDAT-chunk parsing routine (the page description notes the payload is stored
// in IDAT chunks), with one pattern per architecture.
rule win_hijackloader_w2 {
    meta:
        author = "Elastic Security"
        id = "3673d337-218b-4ea8-93f5-ecbc6fe51885"
        fingerprint = "0b46a0e04ab2ca2760b2ace397a09b681bc6c0da5581c3f0f5cdb1a60f307a15"
        creation_date = "2023-12-11"
        last_modified = "2024-01-12"
        threat_name = "Windows.Trojan.GhostPulse"
        reference = "https://www.elastic.co/security-labs/ghostpulse-haunts-victims-using-defense-evasion-bag-o-tricks"
        // 64 hex chars, presumably the SHA-256 of the sample the rule was written against.
        reference_sample = "3013ba32838f6d97d7d75e25394f9611b1c5def94d93588f0a05c90b25b7d6d5"
        severity = 100
        // Generic value: the strings below cover both 32- and 64-bit builds.
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "windows"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hijackloader"
        malpedia_rule_date = "20241021"
        malpedia_hash = ""
        malpedia_version = "20241021"
        malpedia_license = "Elastic License v2"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // 32-bit variant: byte compares of cl/dl/ch against 0x3F ('?') interleaved with
        // compares of consecutive bytes at [esi+ebx+2], +3, +4. The ?? wildcards stand for
        // the rel8 displacements of the jne/je pairs. The significance of 0x3F is not
        // evident from the bytes alone — the string name is the author's attribution.
        $IDAT_parser_x86 = { 80 F9 3F 75 ?? 38 54 1E 02 74 ?? 80 FA 3F 75 ?? 38 6C 1E 03 74 ?? 80 FD 3F 75 ?? 8A 74 24 04 38 74 1E 04 }
        // 64-bit counterpart: five byte compares against 0x3F (bl, al, dil, r13b, r12b),
        // each result recorded with sete into a stack slot; no wildcards needed here.
        $IDAT_parser_x64 = { 80 FB 3F 0F 94 44 24 27 3C 3F 0F 94 44 24 30 40 80 FF 3F 0F 94 44 24 31 41 80 FD 3F 0F 94 44 24 32 41 80 FC 3F 0F 94 44 24 33 }
    condition:
        // One architecture-specific variant is enough.
        any of them
}
[TLP:WHITE] win_hijackloader_w3 (20241021 | No description)
// HijackLoader / GHOSTPULSE detection (Elastic Security), 32-bit code fragments.
// No reference URL is recorded for this rule, only a reference_sample hash.
rule win_hijackloader_w3 {
    meta:
        author = "Elastic Security"
        id = "9e22c56d-91bf-4259-8b60-aa7323b5e8f9"
        fingerprint = "5e9883ad58fee79960a6e5e3c266885c6dc72057a16f4ea0e371088571e9b663"
        creation_date = "2024-07-21"
        last_modified = "2024-07-26"
        threat_name = "Windows.Trojan.GhostPulse"
        // 64 hex chars, presumably the SHA-256 of the sample the rule was written against.
        reference_sample = "349b4dfa1e93144b010affba926663264288a5cfcb7b305320f466b2551b93df"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "windows"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hijackloader"
        malpedia_rule_date = "20241021"
        malpedia_hash = ""
        malpedia_version = "20241021"
        malpedia_license = "Elastic License v2"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Two dword stores at [esp+0x28]/[esp+0x2C] building the 64-bit value
        // 0xFFFFFFFFFE363C80 (= -30,000,000), then push ebx / push 0. A negative count of
        // 100-ns intervals is the relative-timeout form NT wait/delay calls take, so this
        // reads as a 3-second delay being prepared — presumably an evasion sleep; the
        // call that consumes it is outside the pattern, so confirm against the sample.
        $a = { C7 44 24 28 80 3C 36 FE C7 44 24 2C FF FF FF FF 53 6A 00 }
        // Byte compares against 0x3F ('?') on stack-held values plus a compare at
        // [esi+ebx+5]: the same idiom as $IDAT_parser_x86 in win_hijackloader_w2.
        // The ?? pairs cover short conditional jumps.
        $b = { 80 7C 24 04 3F ?? ?? 8A 74 24 08 38 74 1E 05 8A 6C 24 10 ?? ?? 80 7C 24 08 3F }
        // Manual PE export-table walk: e_lfanew at [edx+0x3C], export directory RVA at
        // NT-header offset 0x78 (PE32 DataDirectory[0]), then AddressOfFunctions (+0x1C),
        // AddressOfNames (+0x20, rebased with add ecx,edx) and AddressOfNameOrdinals (+0x24).
        // Typical of a loader resolving APIs by hand instead of via the import table;
        // the ?? bytes are stack-slot displacements that vary between builds.
        $c = { 89 41 5C 8B 44 24 ?? 8B 80 04 01 00 00 89 44 24 ?? 8B 42 3C 8B 44 02 78 8B 4C 02 20 01 D1 89 4C 24 ?? 8B 4C 02 1C 89 4C 24 ?? 8B 44 02 24 89 44 }
    condition:
        // Any single fragment matches; $c is the most specific of the three.
        any of them
}
[TLP:WHITE] win_hijackloader_w4 (20241021 | No description)
// HijackLoader / GHOSTPULSE detection (Elastic Security), 64-bit code fragments.
// No reference URL is recorded for this rule, only a reference_sample hash.
rule win_hijackloader_w4 {
    meta:
        author = "Elastic Security"
        id = "8ae8310b-4ead-4b5c-be73-7db365470891"
        fingerprint = "61213fd4ce9ddebdc7de8e6b23827347af3cbddd61254f95917e9af6b8a2b7b2"
        creation_date = "2024-05-27"
        last_modified = "2024-06-12"
        threat_name = "Windows.Trojan.GhostPulse"
        // 64 hex chars, presumably the SHA-256 of the sample the rule was written against.
        reference_sample = "5b64f91b41a7390d89cd3b1fccf02b08b18b7fed17a43b0bfac63d75dc0df083"
        severity = 100
        // NOTE(review): both strings are REX-prefixed (64-bit); "x86" is used generically.
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "windows"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hijackloader"
        malpedia_rule_date = "20241021"
        malpedia_hash = ""
        malpedia_version = "20241021"
        malpedia_license = "Elastic License v2"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Loads a pointer from a large stack frame (rsp+0x0D??), reads the dword at +0x14,
        // sets bit 9 with bts, writes it back, then stores another stack-held pointer at
        // +0x??C0 of a second structure. Which structure and what bit 9 means are not
        // recoverable from the bytes — confirm against the referenced sample.
        $a = { 48 8B 84 24 ?? 0D 00 00 8B 40 14 0F BA E8 09 48 8B 8C 24 ?? 0D 00 00 89 41 14 48 8B 84 24 ?? 0D 00 00 48 8B 8C 24 ?? 05 00 00 48 89 88 C0 ?? 00 00 }
        // Four repeats of: mov edx,<32-bit immediate>; mov r64,[...]; call rel32;
        // mov [...+0x7??],rax. This shape is consistent with hash-based API resolution
        // (immediate = hash of the wanted export, result cached at a fixed slot); the four
        // immediates are the stable part of the signature, the wildcards absorb
        // register and displacement differences between builds.
        $b = { BA C8 90 F0 B2 48 8B ?? ?? ?? E8 ?? ?? ?? 00 48 89 ?? ?? ?? 07 00 00 BA 9C 6C DA DC 48 8B ?? ?? ?? E8 ?? ?? ?? 00 48 89 ?? ?? ?? 07 00 00 BA 8D 20 4A A1 48 8B ?? ?? ?? E8 ?? ?? ?? 00 48 89 ?? ?? ?? 07 00 00 BA D4 7C 1A A8 }
    condition:
        // Either fragment alone is enough to match.
        any of them
}