New HijackLoader Evasion Tactics

April 1, 2025, 10:27 a.m.

Description

HijackLoader, a malware loader discovered in 2023, has evolved with new modules and evasion tactics. Recent updates include call stack spoofing to mask function call origins, virtual machine detection to identify analysis environments, and persistence establishment via scheduled tasks. The loader now implements anti-VM checks, mutex creation, custom injection paths, and additional modules for various functions. Notable changes include the addition of new blocklisted processes and modifications to module decryption methods. HijackLoader's modular nature and continuous updates suggest ongoing efforts to enhance its anti-detection capabilities and complicate analysis.

External References

https://www.zscaler.com/blogs/security-research/analyzing-new-hijackloader-evasion-tactics
https://otx.alienvault.com/pulse/67eae76dad6de69b5a3d9079
Tags
evasion
persistence
modular
hijackloader
anti-vm
2025-03-31
virtual machine detection
call stack spoofing

Date

  • Created: March 31, 2025, 7:05 p.m.
  • Published: March 31, 2025, 7:05 p.m.
  • Modified: April 1, 2025, 10:27 a.m.

Attack Patterns

  • HijackLoader