HijackLoader
HijackLoader is a modular malware loader also tracked as IDAT Loader, with additional aliases including DOILoader, GHOSTPULSE, and SHADOWLADDER. The content consistently describes it as a loader framework rather than a final payload, and notes that some antivirus products mislabel packed malware such as SilabRAT as HijackLoader when HijackLoader is only the packer or delivery component.
Its observed behavior includes DLL sideloading, cross-loading, module stomping, shellcode execution, and staged payload reconstruction from embedded or disguised data. Multiple reports describe HijackLoader using PNG-like IDAT chunk containers to hide loader modules or payload material, including reconstruction of a multi-module bundle from pseudo-PNG data via XOR decoding and LZNT1 decompression. In one analyzed chain, a malicious sideloaded DLL decoded monitor_base.sym and parsed IDAT data embedded in physicsdesc.map to rebuild a 35-module HijackLoader bundle containing components such as LauncherLdr64, modCreateProcess, modTask, modUAC, modWD, modWriteFile, rshell, ti, CUSTOMINJECT, and PERSDATA. The same reporting noted reuse of the internal deployment path %windir%\SysWOW64\input.dll. Other observed execution chains used legitimate signed binaries as sideload hosts, including ClusterHub.exe in a OneDrive-themed package, VoTransmitt.exe from Zoner Photo Studio, and KSPSService.exe, a legitimate Valve/Steam secure_desktop_capture binary signed by McAfee. One campaign injected shellcode into vssapi.dll to execute HijackLoader.
HijackLoader is delivered through a wide range of initial access mechanisms. The content directly mentions LNK-based lure archives, PowerShell downloaders, ClickFix or paste-and-run fake CAPTCHA workflows, malvertising, SEO poisoning, typosquatting, phishing, fake software installers, trojanized MSI packages, compromised WordPress sites, and abuse of GitHub repository-network behavior. It is also observed as a secondary payload delivered by other malware or distribution services including StealC, Amadey, ITarian-linked activity, ErrTraffic, and TAG-150-associated chains. Business users are explicitly mentioned as targets in malvertising campaigns, and one UAC-0184 / MB-0005 campaign used Ukrainian-language lures and military administrative decoys aligned with Ukrainian military audiences.
The loader has been observed deploying a broad range of follow-on malware. High-confidence payloads mentioned in the content include Remcos Agent 7.1.0 Pro, Arechclient2 / SectopRAT, Rhadamanthys, DeerStealer, LummaC2, CryptBot, and Vidar; in broader reporting it is also listed among the malware families delivered in criminal distribution ecosystems alongside AsyncRAT, Amadey, AgentTesla, and LockBit Black. Red Canary specifically noted a March 2025 wave of HijackLoader delivering Arechclient2, and the content states that Arechclient2 was also the payload when HijackLoader was first publicly reported in July 2023.
Associated activity clusters and ecosystems in the content include UAC-0184 / MB-0005, StealC-linked operations disrupted under Operation Endgame, ErrTraffic MaaS campaigns, TAG-150 delivery chains, ShadowLadder campaign activity, and Amadey pay-per-install operations. Reported indicators tied to specific HijackLoader cases include delivery and C2 infrastructure at 144.31.236.240, including URLs such as /szch45/ritecommunion.ps1, /szch45/shoutnewspaper.ps1, /szch45/hintprefix.ps1, /szch45/collectivisationgown.ps1, and /szch45clusterhum.zip, with one resulting Remcos configuration using 144.31.236.240:27018. File and sample indicators directly mentioned in HijackLoader-related chains include spisokszch.zip (SHA-256 c74bb6fb848cdb87c2b4261da1efc078023cdf95aa7b1436c52c26f3a11025af), szch45clusterhum.zip (SHA-256 fee96a66a8c143ff4f172963a56a813427a65dad7758834bb3283685a37df633), and a Remcos payload with SHA-256 40079f05ba7cdccac1f62f8e7e1b644bc0a806b58465f5c005725bc54ee73ef1.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
4 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The observed format is consistent with HijackLoader, also tracked as IDATLoader. The IDAT container is therefore not an isolated packer trick. It belongs to a wider modular loader framework that can deploy different components and final payloads depending on its configuration.
The infrastructure graph generated from the correlation of indicators identified in the campaign reveals a complex network of relationships... through this, we note similarities with the already well-known “HijackLoader.”
“...EncryptHub added to the game files the HijackLoader malware (CVKRUTNP.exe), which establishes persistence on the victim device and downloads the Vidar infostealer (v9d9d.exe).”
Techniques & procedures
24 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
3 techniques
Rhadamanthys is an infostealer distributed via malspam and malvertising. Google searches for popular software such as Notion return malicious ads. Threat actors are using decoy websites to trick users into downloading malware.
Initial Access
3 techniques
The attack started with a website that impersonated Telefónica... When a victim visits the page, a HijackLoader executable file is automatically downloaded on the victim’s system.
Execution
6 techniques
Persistence is established through a scheduled task named “WinSvcUpd” that executes whenever users log on.
the activity we saw in March 2025 leveraged encoded PowerShell to make network communications, download resources, and execute files early in the execution chain.
The shortcut subsequently executes the VBScript through cscript, launches the downloaded PowerShell file with a hidden window and deletes both temporary files.
The adversary is trying to entice the user into verifying or fixing something by typing a command into a terminal, run dialog box, or PowerShell.
Persistence
1 technique
Privilege Escalation
2 techniques
Persistence is established through a scheduled task named “WinSvcUpd” that executes whenever users log on.
The module names expose the framework's modular design... custom injection. The final carved PE is a legitimate copy of HearthstoneDeckTracker.exe. Its placement within the bundle suggests that it may be used as a host process for the loader's CUSTOMINJECT execution path.
Stealth
10 techniques
MITRE ATT&CK Mapping ... Defense Evasion / Obfuscated Files (T1027) / Multi-layer encryption across components
The PowerShell command drops and extracts a large archive (exceeding 120 MB) containing multiple files. This is a well-known binary bloating technique designed to evade static analysis and automated sandbox scanning.
MITRE ATT&CK Mapping ... Defense Evasion / Obfuscated Files: Software Packing (T1027.002) / LZMA-compressed NSIS installer in PE overlay
The larger physicsdesc.map file is approximately 1.36 MB... The file is not a valid image, but enough of the internal PNG chunk structure is retained for the shellcode to parse it.
The malicious domain chatgpt-web[.]vip mimics the official ChatGPT landing page
The module names expose the framework's modular design... custom injection. The final carved PE is a legitimate copy of HearthstoneDeckTracker.exe. Its placement within the bundle suggests that it may be used as a host process for the loader's CUSTOMINJECT execution path.
The following data is decoded by adding the key to each 32-bit value... The XOR output is then decompressed using: RtlDecompressBuffer
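The pseudo-PNG container described in the family summary and in the two excerpts above (a file that keeps enough PNG chunk structure to be walked, but whose IDAT data is not image data) suggests a simple triage check. The script below is an added example written for this page, not code from the quoted reports or from Mallory: it parses the chunk layout, verifies each chunk CRC, tries to inflate the concatenated IDAT stream, and reports trailing data after IEND. The two sample files are constructed inline; the decoding and LZNT1 stages the loader applies afterwards are out of scope here.

```python
"""Triage a PNG-shaped file: real image or IDAT container?

Added example for this page, not code from any report it quotes. A real PNG
carries a zlib stream across its IDAT chunks; a loader container that only
mimics the chunk layout does not, and often has bad CRCs or trailing data.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def parse_chunks(data: bytes):
    """Return ([(type, payload, crc_ok), ...], offset after the last parsed chunk).

    Walks chunks after the 8-byte signature and stops at IEND, at a chunk whose
    declared length runs past the buffer, or at end of data.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("missing PNG signature")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        start, end = pos + 8, pos + 8 + length
        if end + 4 > len(data):
            break  # truncated chunk: declared length exceeds the buffer
        payload = data[start:end]
        (crc,) = struct.unpack(">I", data[end:end + 4])
        crc_ok = (zlib.crc32(ctype + payload) & 0xFFFFFFFF) == crc
        chunks.append((ctype, payload, crc_ok))
        pos = end + 4
        if ctype == b"IEND":
            break
    return chunks, pos


def triage_png(data: bytes) -> dict:
    """Collect structural findings; any finding marks the file as suspicious."""
    chunks, end_pos = parse_chunks(data)
    types = [c[0] for c in chunks]
    findings = []
    if types[:1] != [b"IHDR"]:
        findings.append("first chunk is not IHDR")
    bad_crc = [c[0].decode("latin-1") for c in chunks if not c[2]]
    if bad_crc:
        findings.append("bad CRC on chunks: " + ",".join(bad_crc))
    idat = b"".join(c[1] for c in chunks if c[0] == b"IDAT")
    idat_inflates = False
    if not idat:
        findings.append("no IDAT chunk")
    else:
        try:
            zlib.decompress(idat)
            idat_inflates = True
        except zlib.error:
            findings.append("IDAT data is not a zlib stream")
    if b"IEND" not in types:
        findings.append("no IEND chunk")
    elif end_pos < len(data):
        findings.append(f"{len(data) - end_pos} trailing bytes after IEND")
    return {
        "chunk_types": [t.decode("latin-1") for t in types],
        "idat_bytes": len(idat),
        "idat_inflates": idat_inflates,
        "findings": findings,
        "suspicious": bool(findings),
    }


# ---- constructed samples (not real malware artefacts) ----
def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_png(idat_payload: bytes, trailer: bytes = b"") -> bytes:
    """1x1 8-bit greyscale PNG skeleton around an arbitrary IDAT payload."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat_payload)
            + _chunk(b"IEND", b"") + trailer)


REAL_PNG = build_png(zlib.compress(b"\x00\x00"))  # filter byte + one pixel
# Pseudo-PNG: valid chunk framing, but IDAT holds opaque bytes and 16 bytes trail IEND.
FAKE_PNG = build_png(bytes((i * 37 + 11) & 0xFF for i in range(4096)), trailer=b"\x00" * 16)

if __name__ == "__main__":
    for name, blob in (("real", REAL_PNG), ("fake", FAKE_PNG)):
        print(name, triage_png(blob))
```

The check is deliberately conservative: a bad CRC alone can be a benign corruption, so the findings are returned as a list for an analyst to weigh rather than collapsed into a verdict.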
An encoded PowerShell command then leverages Microsoft HTML Application Host (mshta.exe) to download and execute a malicious payload from a remote resource... Detection opportunity: mshta.exe utility making external network connections.
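The detection opportunities quoted in this section and under Execution (mshta.exe making external network connections, hidden-window encoded PowerShell, and the on-logon scheduled task used for persistence) can be expressed as three small rules. The following is an added example written for this page, not a vendor rule or Mallory's detection content; the telemetry is constructed, uses Sysmon-style field names, and the encoded command is the harmless "Write-Host ok".

```python
"""Three detection rules over constructed process and network events.

Added example for this page; events and paths are invented. EventID 1 is a
process-creation record, EventID 3 a network connection (Sysmon conventions).
"""
import base64
import ipaddress
import re

# The base64 below encodes "Write-Host ok" as UTF-16LE, the form PowerShell
# expects for -EncodedCommand; it is benign and exists only to drive the rule.
_BENIGN_ENCODED = base64.b64encode("Write-Host ok".encode("utf-16-le")).decode()

EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c dir"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -w hidden -nop -enc {_BENIGN_ENCODED}"},
    {"EventID": 3, "Image": r"C:\Windows\System32\mshta.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 445},
    {"EventID": 3, "Image": r"C:\Windows\System32\mshta.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},  # documentation address
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "WinSvcUpd" /sc onlogon /tr "C:\Users\Public\placeholder.exe"'},
]

# PowerShell accepts any unambiguous prefix of a parameter name, so match
# -e / -ec / -enc / -EncodedCommand followed by a long base64 token, and
# -w / -win / -WindowStyle followed by "hidden".
ENCODED_CMD = re.compile(r"(?i)(?:^|\s)-e[a-z]*\s+[A-Za-z0-9+/=]{20,}")
HIDDEN_WINDOW = re.compile(r"(?i)(?:^|\s)-w[a-z]*\s+hidden\b")
TASK_CREATE = re.compile(r"(?i)/create\b")
TASK_ONLOGON = re.compile(r"(?i)/sc\s+onlogon\b")

# Address ranges treated as internal; anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def image_name(path: str) -> str:
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def check_event(event: dict):
    """Return a detection label for the event, or None when nothing matches."""
    name = image_name(event.get("Image", ""))
    eid = event.get("EventID")
    cmdline = event.get("CommandLine", "")
    if eid == 3 and name == "mshta.exe" and is_external(event["DestinationIp"]):
        return "mshta.exe external network connection"
    if eid == 1 and name == "powershell.exe":
        if ENCODED_CMD.search(cmdline) and HIDDEN_WINDOW.search(cmdline):
            return "hidden-window encoded PowerShell"
    if eid == 1 and name == "schtasks.exe":
        if TASK_CREATE.search(cmdline) and TASK_ONLOGON.search(cmdline):
            return "on-logon scheduled task created"
    return None


def run_detections(events):
    """Return [(event_index, label), ...] for every event that fires a rule."""
    hits = []
    for idx, event in enumerate(events):
        label = check_event(event)
        if label:
            hits.append((idx, label))
    return hits


if __name__ == "__main__":
    for idx, label in run_detections(EVENTS):
        print(f"event {idx}: {label}")
```

The mshta rule fires only on the external connection (event 3), not on the internal SMB connection (event 2), which keeps ordinary HTA use on an intranet out of the alert queue; the PowerShell rule requires both the encoded command and the hidden window, matching the chain the excerpts describe rather than every encoded invocation.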
Discovery
1 technique
Collection
1 technique
Command and Control
1 technique
If the operator adds loader URLs, the StealC clients (bots) that connect to the C2 server will be delivered one or more of these loader URLs. At this point, the StealC malware client will attempt to download and execute one of the payloads from the URLs provided by the server.
IOCs tracked for this family
85 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
46 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A modular loader framework that reconstructs payloads from local pseudo-PNG IDAT chunk containers, using DWORD arithmetic/XOR decoding and LZNT1 decompression, then stages and executes downstream malware.
HijackLoader is listed as a malware family delivered in StealC-linked activity.
A loader malware observed as a payload in StealC-related delivery chains.
HijackLoader is a loader observed among payloads delivered in StealC-related operations.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.