Ddos 
Cybercriminals are increasingly relying on malware loaders to gain initial access, evade defenses, and deliver sophisticated payloads. One such loaderβHijackLoaderβhas rapidly gained prominence since its emergence in late 2023. A recent analysis by Seqrite highlights how this Malware-as-a-Service (MaaS) offering has become a persistent and evolving threat across industries.
According to the report, βWith the evolution of cyber threats, the final execution of a malicious payload is no longer the sole focus of the cybersecurity industry. Attack loaders have emerged as a critical element of modern attacks, serving as a primary vector for initial access and enabling the covert delivery of sophisticated malware within an organization.β
HijackLoader quickly stood out due to its flexibility in delivering payloads and advanced evasion techniques. Seqrite notes that it is often deployed via fake installers, SEO-poisoned websites, malvertising, and pirated portals, ensuring a wide victim base.
Since mid-2025, the loader has been observed in Clickfix phishing campaigns, where users are tricked into downloading malicious .msi installers. As Seqrite explains, βSince June 2025, we have observed attackers using Clickfix where it led unsuspecting victims to download malicious .msi installers that, in turn, resulted in HijackLoader execution.β
The MaaS ecosystem has also integrated HijackLoader as a delivery mechanism. Notably, the threat group TAG-150 has been seen leveraging it alongside other services like CastleLoader/CastleBot.
What makes HijackLoader particularly dangerous is its focus on stealth and persistence. Seqrite highlights its use of:
- Process doppelgΓ€nging with transacted sections
- Unhooking system DLLs
- Direct syscalls under WOW64
- Call-stack spoofing
- Anti-VM checks
These techniques make HijackLoader resilient against conventional detection tools, enabling it to evade sandboxes, bypass monitoring solutions, and deliver final payloads undetected.
Seqriteβs technical breakdown reveals a layered infection process starting with a CAPTCHA-based phishing lure. Victims are presented with what appears to be a legitimate page, but behind the scenes, malicious HTA and PowerShell scripts are triggered.
The report describes, βThe above decoded PowerShell script is heavily obfuscated, presenting a significant challenge to static analysis and signature-based detection. Instead of using readable strings and variables, it dynamically builds commands and values through complex mathematical operations and the reconstruction of strings from character arrays.β
Subsequent stages involve:
- Heavily obfuscated PowerShell scripts downloading additional payloads (disguised as .mp3 files).
- Anti-VM and anti-analysis checks to evade detection.
- Packed .NET executables and protected DLLs that load the final malware.
The final stage attempts to connect to a command-and-control (C2) server linked to known infostealers such as NekoStealer and Lumma Stealer.
HijackLoader underscores a critical shift in cybercrime operationsβwhere loaders are no longer just delivery tools but sophisticated frameworks for persistence and stealth. Seqrite emphasizes, βSuccessfully defending against sophisticated loaders like HijackLoader requires shifting the focus from static, final-stage payloads to their dynamic and continuously evolving delivery mechanisms.β
Organizations must adopt a multi-layered defense strategy, monitoring not only endpoints but also the intermediate stages of an attack, where most innovations in evasion occur.
Related Posts:
- New Malware Duo HijackLoader & DeerStealer Surge: Bypassing Defenses for Data Theft
- RedLine Stealer Unleashed: Inno Setup Installers Abused for Stealthy Data Theft & Cryptowallet Draining
- Dodi Repacks Malware: Why Your Adblocker Wonβt Save You
- HijackLoader Evolves: New Modules Bring Stealth, Persistence, and Advanced VM Evasion
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
