win.snappy_client

SnappyClient


According to Zscaler, SnappyClient was first observed in December 2025. It is a C++-based C2 implant with the ability to steal data and provide remote access. SnappyClient employs multiple evasion techniques to hinder endpoint security detection, including an Antimalware Scan Interface (AMSI) bypass, as well as implementing Heaven’s Gate, direct system calls, and transacted hollowing. SnappyClient receives two configuration files from the C2 server: one contains a list of actions to perform when a specified condition is met, and the other specifies the applications to target for data theft. SnappyClient uses a custom network communication protocol that encrypts all network traffic with ChaCha20-Poly1305.

References
2026-03-23 · Netomize · Mohamad Mokbel
Detect SnappyClient C&C Traffic Using PacketSmith + Yara-X Detection Module
SnappyClient
2026-03-18 · Zscaler · Muhammed Irfan V A
Technical analysis of SnappyClient
HijackLoader SnappyClient
Yara Rules
[TLP:WHITE] win_snappy_client_auto (20260504 | Detects win.snappy_client.)
rule win_snappy_client_auto {
    // Auto-generated (yara-signator) code-sequence rule for the SnappyClient
    // implant (win.snappy_client). Each $sequence_N string is a run of seven
    // 32-bit x86 instructions lifted from disassembly; the "????????" wildcards
    // mask the 4-byte operands of call/jmp and absolute-address instructions
    // (the ones left blank in the disassembly comments below), so that
    // build-specific addresses and relocations do not break the match.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.snappy_client."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.snappy_client"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Ten sequences follow; each comment block gives the byte count (n)
        // and the selection score assigned by the generator, then one line
        // per instruction (opcode bytes | mnemonic).
        $sequence_0 = { eb12 8d4608 8bcb 50 8d442414 50 e8???????? }
            // n = 7, score = 100
            //   eb12                 | jmp                 0x14
            //   8d4608               | lea                 eax, [esi + 8]
            //   8bcb                 | mov                 ecx, ebx
            //   50                   | push                eax
            //   8d442414             | lea                 eax, [esp + 0x14]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_1 = { ff762c 894df8 ff15???????? 8bc8 83c408 85c9 751c }
            // n = 7, score = 100
            //   ff762c               | push                dword ptr [esi + 0x2c]
            //   894df8               | mov                 dword ptr [ebp - 8], ecx
            //   ff15????????         |                     
            //   8bc8                 | mov                 ecx, eax
            //   83c408               | add                 esp, 8
            //   85c9                 | test                ecx, ecx
            //   751c                 | jne                 0x1e

        $sequence_2 = { eb06 ff75e0 ff7624 8b4e08 e8???????? 8b4e08 8b01 }
            // n = 7, score = 100
            //   eb06                 | jmp                 8
            //   ff75e0               | push                dword ptr [ebp - 0x20]
            //   ff7624               | push                dword ptr [esi + 0x24]
            //   8b4e08               | mov                 ecx, dword ptr [esi + 8]
            //   e8????????           |                     
            //   8b4e08               | mov                 ecx, dword ptr [esi + 8]
            //   8b01                 | mov                 eax, dword ptr [ecx]

        $sequence_3 = { ff7514 8bf1 ff7510 8975fc e8???????? ff7508 83a6a800000000 }
            // n = 7, score = 100
            //   ff7514               | push                dword ptr [ebp + 0x14]
            //   8bf1                 | mov                 esi, ecx
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   8975fc               | mov                 dword ptr [ebp - 4], esi
            //   e8????????           |                     
            //   ff7508               | push                dword ptr [ebp + 8]
            //   83a6a800000000       | and                 dword ptr [esi + 0xa8], 0

        $sequence_4 = { ebf8 55 8bec 51 8365fc00 56 8b7508 }
            // n = 7, score = 100
            //   ebf8                 | jmp                 0xfffffffa
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   51                   | push                ecx
            //   8365fc00             | and                 dword ptr [ebp - 4], 0
            //   56                   | push                esi
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]

        $sequence_5 = { e9???????? 8d8d10ffffff e9???????? 8d4dcc e9???????? 8d8d00ffffff e9???????? }
            // n = 7, score = 100
            //   e9????????           |                     
            //   8d8d10ffffff         | lea                 ecx, [ebp - 0xf0]
            //   e9????????           |                     
            //   8d4dcc               | lea                 ecx, [ebp - 0x34]
            //   e9????????           |                     
            //   8d8d00ffffff         | lea                 ecx, [ebp - 0x100]
            //   e9????????           |                     

        $sequence_6 = { ff15???????? 85c0 7428 8b9f84000000 8bb780000000 eb16 837e0803 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7428                 | je                  0x2a
            //   8b9f84000000         | mov                 ebx, dword ptr [edi + 0x84]
            //   8bb780000000         | mov                 esi, dword ptr [edi + 0x80]
            //   eb16                 | jmp                 0x18
            //   837e0803             | cmp                 dword ptr [esi + 8], 3

        $sequence_7 = { ff7110 e8???????? 83c410 5d c20400 8d412c c6410d00 }
            // n = 7, score = 100
            //   ff7110               | push                dword ptr [ecx + 0x10]
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   5d                   | pop                 ebp
            //   c20400               | ret                 4
            //   8d412c               | lea                 eax, [ecx + 0x2c]
            //   c6410d00             | mov                 byte ptr [ecx + 0xd], 0

        $sequence_8 = { ff750c 895dd4 03fb 8bcf 897de0 8d4738 8945d8 }
            // n = 7, score = 100
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   895dd4               | mov                 dword ptr [ebp - 0x2c], ebx
            //   03fb                 | add                 edi, ebx
            //   8bcf                 | mov                 ecx, edi
            //   897de0               | mov                 dword ptr [ebp - 0x20], edi
            //   8d4738               | lea                 eax, [edi + 0x38]
            //   8945d8               | mov                 dword ptr [ebp - 0x28], eax

        $sequence_9 = { ff15???????? 50 ff15???????? a3???????? c605????????00 57 8b7d18 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   50                   | push                eax
            //   ff15????????         |                     
            //   a3????????           |                     
            //   c605????????00       |                     
            //   57                   | push                edi
            //   8b7d18               | mov                 edi, dword ptr [ebp + 0x18]

    condition:
        // Requires 7 of the 10 sequences, which tolerates a few compiler- or
        // build-induced mismatches while still demanding substantial code
        // overlap; the filesize bound (just under 7 MiB) limits scanning cost.
        // No PE-header or entry-point check is applied, consistent with the
        // generation method (memory dumps and unpacked files), so the rule is
        // also usable on raw process dumps. As the disclaimer notes, the
        // sequences may come from a single sample, so treat a hit as a
        // strong-but-not-conclusive indicator and corroborate (e.g. with the
        // C2 protocol characteristics described in the references).
        7 of them and filesize < 7315456
}