[Figure: Example attack chain of a campaign delivering SnappyClient. Image: Zscaler ThreatLabz]
Security researchers at Zscaler ThreatLabz have unmasked a sophisticated new command-and-control (C2) framework implant they’ve dubbed SnappyClient. First identified in December 2025, this C++-based threat is being deployed via the notorious HijackLoader to conduct high-stakes data theft and provide attackers with persistent remote access.
The malware appears to be a specialist tool for financial gain, with ThreatLabz noting that its “primary use for SnappyClient has been for cryptocurrency theft”.
SnappyClient is built for stealth. To bypass modern endpoint security, it utilizes a suite of advanced techniques, including “Heaven’s Gate,” direct system calls, and transacted hollowing. One of its most effective tricks is an AMSI (Antimalware Scan Interface) bypass.
The malware installs a “trampoline hook” to monitor when the process is loading amsi.dll. If detected, “SnappyClient hooks AmsiScanBuffer and AmsiScanString to always return AMSI_RESULT_CLEAN, effectively bypassing AMSI”.
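A defender-side check for the kind of tampering described above, written as an added example for this article rather than code from Zscaler's report: it compares the first bytes of AmsiScanBuffer and AmsiScanString as they sit in the current PowerShell process with the same bytes in the loaded amsi.dll on disk, so an inline hook or patch shows up as a mismatch. It assumes 64-bit Windows PowerShell (which loads amsi.dll itself) and the PE section-table layout; the class and function names are the example's own.

```powershell
# Added example (not from the ThreatLabz report): detect in-process patching of the
# AMSI scan exports by comparing their in-memory prologue with the on-disk copy.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class AmsiCheckNative {
    [DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
    public static extern IntPtr GetProcAddress(IntPtr module, string name);
}
'@

# Map an RVA to a raw file offset using the section table of the on-disk image.
function Convert-RvaToFileOffset([byte[]]$pe, [int]$rva) {
    $ntHeaders   = [BitConverter]::ToInt32($pe, 0x3C)            # e_lfanew
    $sectionCnt  = [BitConverter]::ToUInt16($pe, $ntHeaders + 6)  # NumberOfSections
    $optSize     = [BitConverter]::ToUInt16($pe, $ntHeaders + 20) # SizeOfOptionalHeader
    $sectionBase = $ntHeaders + 24 + $optSize
    for ($i = 0; $i -lt $sectionCnt; $i++) {
        $s       = $sectionBase + ($i * 40)                       # IMAGE_SECTION_HEADER is 40 bytes
        $vaddr   = [BitConverter]::ToInt32($pe, $s + 12)
        $rawSize = [BitConverter]::ToInt32($pe, $s + 16)
        $rawPtr  = [BitConverter]::ToInt32($pe, $s + 20)
        if ($rva -ge $vaddr -and $rva -lt ($vaddr + $rawSize)) { return $rva - $vaddr + $rawPtr }
    }
    throw "RVA 0x$($rva.ToString('X')) is not inside any section"
}

# Locate amsi.dll as actually loaded in this process (base address and file path).
$amsi = (Get-Process -Id $PID).Modules | Where-Object { $_.ModuleName -ieq 'amsi.dll' }
if (-not $amsi) { throw "amsi.dll is not loaded in this process" }
$diskImage   = [IO.File]::ReadAllBytes($amsi.FileName)
$prologueLen = 16

foreach ($export in 'AmsiScanBuffer', 'AmsiScanString') {
    $addr     = [AmsiCheckNative]::GetProcAddress($amsi.BaseAddress, $export)
    $inMemory = New-Object byte[] $prologueLen
    [Runtime.InteropServices.Marshal]::Copy($addr, $inMemory, 0, $prologueLen)

    $rva     = [int]($addr.ToInt64() - $amsi.BaseAddress.ToInt64())
    $fileOff = Convert-RvaToFileOffset $diskImage $rva
    $onDisk  = $diskImage[$fileOff..($fileOff + $prologueLen - 1)]

    $memHex  = ($inMemory | ForEach-Object { $_.ToString('X2') }) -join ' '
    $diskHex = ($onDisk   | ForEach-Object { $_.ToString('X2') }) -join ' '
    $status  = if ($memHex -eq $diskHex) { 'intact' } else { 'MODIFIED (possible hook)' }
    "{0,-15} {1}`n  memory: {2}`n  disk:   {3}" -f $export, $status, $memHex, $diskHex
}
```

Run it from a clean session to record the expected "intact" output, then use the same check in incident response to confirm whether a suspect host's AMSI exports still match the on-disk image.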
Researchers observed a primary attack vector targeting German-speaking users through a website impersonating a telecommunications company.
- Initial Infection: A victim visits the fake site, triggering an automatic download of a HijackLoader executable.
- Payload Delivery: Once executed, “HijackLoader sample (if executed by a victim) decrypts and loads SnappyClient”.
- Command and Control: SnappyClient establishes a connection to its C2 server using a custom protocol encrypted with ChaCha20-Poly1305.
Once SnappyClient is entrenched, it uses two configuration files—EventsDB and SoftwareDB—to dictate its behavior. These files tell the malware exactly what data to steal and what triggers to watch for.
- Crypto Focus: SnappyClient monitors the clipboard for patterns matching Ethereum wallet addresses. It also watches for window titles related to Binance, Coinbase, Exodus, and Atomic Wallet.
- Software Theft: The malware is programmed to exfiltrate data from virtually every major browser, including Chrome, Edge, and Firefox, as well as specialized crypto extensions like Metamask and Phantom.
- Remote Access: Beyond theft, it offers a “Remote Shell,” “Hidden VNC Browser,” and even a reverse FTP proxy for deep file system exploration.
One of the most intriguing findings in the report is the structural overlap between SnappyClient and its delivery vehicle. ThreatLabz pointed out a nearly one-to-one mapping in API structure layouts between SnappyClient and HijackLoader.
“Based on these overlaps, there may be a connection between the developers of HijackLoader and SnappyClient,” the report concludes, suggesting a close partnership or a single author behind both pieces of malware.