Diagram showing how HijackLoader uses call stack spoofing to mask the origin of function calls | Image: Zscaler
Originally discovered in 2023, HijackLoader—also known as IDAT Loader or GHOSTPULSE—has returned with a series of stealthy upgrades. In its latest analysis, Zscaler ThreatLabz exposes a fresh set of modules engineered to evade detection, confuse defenders, and dig deeper into infected systems with stealthy persistence mechanisms.
“HijackLoader is not only capable of delivering second-stage payloads, but also offers a variety of modules to expand the malware’s capabilities,” the report notes.
The updated HijackLoader comes equipped with new modules that serve distinct roles:
- ANTIVM: Performs anti-virtual machine checks
- CUSTOMINJECT: Injects code into legitimate executables
- modTask/modTask64: Establish persistence via scheduled tasks
- SM: Supports call stack spoofing via legitimate DLLs
“These modules implement features including call stack spoofing to mask the origin of function calls, virtual machine detection, and persistence via scheduled tasks,” ThreatLabz writes.
Perhaps the most technically important update is the use of call stack spoofing. HijackLoader manipulates EBP (base pointer) chains to fabricate return addresses in memory. This conceals malicious API calls—such as ZwCreateSection, ZwWriteFile, and ZwTerminateProcess—within what appears to be legitimate execution flow.
“HijackLoader traverses the stack to retrieve and patch the return addresses to spoof stack frames,” Zscaler explains.
The SM module even specifies which legitimate system DLL to spoof, helping the malware blend into normal process behavior. This technique is applied across modules like modCreateProcess, modUAC, and modTask.
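As an added illustration (not Zscaler's analysis code and not the loader's), the check below is the call-site consistency test defenders apply to a captured stack when hunting for spoofed frames: a genuine return address lies inside a loaded image and directly follows a CALL whose target is the function that owns the next-deeper frame, and a patched return address usually fails one of those tests. The module images, symbol ranges, addresses and both stacks are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Module:
    name: str
    base: int
    code: bytes   # constructed .text bytes mapped at base
    funcs: dict   # function name -> (start, end) offsets in code

def owner(modules, addr):
    return next((m for m in modules if m.base <= addr < m.base + len(m.code)), None)

def func_start(m, addr):
    return next((m.base + lo for lo, hi in m.funcs.values() if lo <= addr - m.base < hi), None)

def preceding_call(m, ret):
    """('direct', target), ('indirect', None) or None; decodes E8 rel32 and FF 15 only."""
    off, c = ret - m.base, m.code
    if off >= 5 and c[off - 5] == 0xE8:                          # call rel32
        return "direct", ret + int.from_bytes(c[off - 4:off], "little", signed=True)
    if off >= 6 and c[off - 6] == 0xFF and c[off - 5] == 0x15:   # call [rip+disp32]
        return "indirect", None
    return None

def check_stack(frames, modules, api_start):
    """frames: return addresses innermost first; api_start: the hooked API
    (e.g. ZwCreateSection) that returns into frames[0]. Returns [(frame, why)]."""
    findings, expected = [], api_start
    for i, ret in enumerate(frames):
        m = owner(modules, ret)
        if m is None:                        # fabricated frame outside any image
            findings.append((i, "return address in unbacked memory"))
            expected = None
            continue
        call = preceding_call(m, ret)
        if call is None:
            findings.append((i, f"{m.name}: no CALL precedes return address"))
        elif call[0] == "direct" and expected and call[1] != expected:
            findings.append((i, f"{m.name}: CALL target is not the callee frame"))
        expected = func_start(m, ret)        # this frame's function is the next callee
    return findings

# Constructed images: CreateFileMappingW -> ZwCreateSection via import slot (FF 15); Outer -> CreateFileMappingW via direct CALL (E8).
NT, K32 = 0x7FF800000000, 0x7FF810000000
k32 = bytearray(0x1000); k32[0x210:0x216] = b"\xFF\x15\x00\x10\x00\x00"
k32[0x420:0x425] = b"\xE8" + (0x200 - 0x425).to_bytes(4, "little", signed=True)
MODULES = [Module("ntdll.dll", NT, bytes(0x1000), {"ZwCreateSection": (0x100, 0x120)}),
           Module("kernel32.dll", K32, bytes(k32), {"CreateFileMappingW": (0x200, 0x300), "Outer": (0x400, 0x500)})]
GENUINE = [K32 + 0x216, K32 + 0x425]               # innermost first
SPOOFED = [K32 + 0x216, K32 + 0x650, 0x20001000]   # return addresses patched to look legitimate
```

A real implementation would read the module list and code bytes from the target process (or a memory dump) and would need to decode the remaining CALL encodings, but the two findings raised on SPOOFED are exactly the signals an EDR stack-walk relies on.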
To further hinder analysis and sandbox detection, HijackLoader now includes an anti-virtual machine module (ANTIVM) that performs a series of hardware and behavioral checks:
- Measures CPUID execution time (to detect VM throttling)
- Detects hypervisor presence
- Checks for low physical memory and CPU count
- Validates system username, computer name, and even file path execution context
Persistence is now handled with precision. The modTask and modTask64 modules use configuration data stored in the PERSDATA module to schedule tasks with custom execution intervals.
Before persisting, the loader:
- Copies the TinycallProxy module into a system DLL
- Uses it as an indirect API call proxy
- Zeroes out its own loader module in memory to avoid detection
- Schedules itself to execute at login or regular intervals
“The task will be triggered when the user logs in, otherwise it executes at regular intervals,” according to the PERSDATA_STRUCT definition.
The CUSTOMINJECT module carries out targeted process injection into executables defined by the CUSTOMINJECTPATH module, while the MUTEX module ensures only one instance of HijackLoader runs at a time—exiting if the specified mutex already exists.
“If a mutex with this name exists, HijackLoader will exit,” Zscaler writes, noting this prevents duplicate infections and potential detection.
HijackLoader’s continuous evolution shows how malware developers are responding rapidly to blue team countermeasures. By layering evasion, anti-analysis, and persistence into modular, configurable components, HijackLoader can:
- Survive reboots
- Bypass traditional EDR stack tracing
- Avoid sandbox-based detonation
- Persist within memory and scheduled tasks indefinitely
This analysis confirms that HijackLoader is no longer just a loader—it’s a full-fledged malware platform, actively maintained and tailored for stealth. Its blend of old-school tactics like DLL injection with new-school tricks like stack spoofing and proxy API calls makes it a serious challenge for defenders.