Hackers Use GitHub C2 and Call Stack Spoofing in Latest Malware Attacks

Cybersecurity researchers have uncovered an updated version of the malware loader known as Hijack Loader, which incorporates advanced techniques to evade detection and establish persistence on compromised systems.

Hijack Loader Enhances Stealth with Call Stack Spoofing

According to Zscaler ThreatLabz researcher Muhammed Irfan V A, the latest version of Hijack Loader introduces a module that utilizes call stack spoofing. This method conceals the origin of function calls, such as API and system calls, making detection more challenging for security tools. Additionally, the loader now features an anti-virtual machine (anti-VM) check to identify and evade analysis environments and sandboxes.

First discovered in 2023, Hijack Loader is designed to deploy second-stage payloads, including information-stealing malware. It also includes multiple modules that help bypass security measures and inject malicious code into targeted systems. The broader cybersecurity community tracks Hijack Loader under various names, including DOILoader, GHOSTPULSE, IDAT Loader, and SHADOWLADDER.

In October 2024, cybersecurity firms HarfangLab and Elastic Security Labs reported that Hijack Loader campaigns exploited legitimate code-signing certificates and used the ClickFix strategy to distribute malware.

The latest iteration builds on previous versions by leveraging call stack spoofing, a technique recently adopted by another loader known as CoffeeLoader. By manipulating the stack with a chain of EBP pointers, this method replaces actual stack frames with fake ones, obscuring malicious activity from security solutions.

New Features Strengthen Evasion Tactics

Hijack Loader continues to use the Heaven’s Gate technique, enabling the execution of 64-bit direct syscalls for process injection. Moreover, its list of blocklisted processes now includes “avastsvc.exe,” a core component of Avast Antivirus; when that process is found, the loader delays execution by five seconds to evade detection.

Additionally, two new modules—ANTIVM and modTask—have been introduced. ANTIVM detects virtual machines to avoid sandbox analysis, while modTask ensures persistence by setting up scheduled tasks.

SHELBY Malware Exploits GitHub for C2

Alongside the advancements in Hijack Loader, researchers at Elastic Security Labs have identified a new malware strain named SHELBY. This malware utilizes GitHub as a command-and-control (C2) infrastructure for data exfiltration and remote control. The malicious activity, tracked under REF8685, follows a well-coordinated phishing attack strategy.

The attack begins with phishing emails delivering a ZIP archive that contains a .NET binary. This binary then executes a DLL loader known as SHELBYLOADER (“HTTPService.dll”) via DLL side-loading. One notable case involved a targeted phishing campaign against an Iraq-based telecommunications firm, where the attackers sent malicious emails from within the company’s own network.

Once executed, SHELBYLOADER communicates with a GitHub repository controlled by the attackers, extracting a 48-byte value from a file named “License.txt.” This value is then used to generate an AES decryption key, which decrypts and loads the primary backdoor payload (“HTTPApi.dll”) into memory—leaving no detectable traces on disk.

The malware employs sandbox detection techniques and reports its findings back to the attackers via GitHub. The SHELBYC2 backdoor further processes commands listed in a “Command.txt” file, enabling the attackers to upload or download files, execute .NET binaries, and run PowerShell commands. The use of GitHub as a C2 channel is particularly concerning, as it allows attackers to operate discreetly via repository commits using a Personal Access Token (PAT).
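The polling pattern described above is what a defender can key on: the implant keeps fetching the same repository file (here “Command.txt”) on a fixed cadence, from a process that has no business talking to GitHub. The following detection sketch is an added example, not code from the Elastic Security Labs report or from the malware. It runs over constructed endpoint/proxy log lines (timestamp, host, process, URL), discards traffic from an assumed allowlist of developer tools, and flags any remaining process that repeatedly requests one GitHub URL with near-constant inter-request gaps. The log format, the allowlist, the “Updater.exe” process name and the “example-org/example-repo” path are all assumptions for the demo.

```python
"""Spot periodic polling of a fixed GitHub file by a non-developer process.

Added example (not from the report). Legitimate GitHub traffic on an endpoint
comes from browsers, git and IDEs and is bursty; a command-polling implant is
metronomic and always hits the same file.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Assumption: processes expected to reach GitHub on a workstation (tune per estate).
DEV_TOOL_ALLOWLIST = {"git.exe", "gh.exe", "chrome.exe", "msedge.exe", "firefox.exe", "code.exe"}

GITHUB_HOSTS = ("github.com", "raw.githubusercontent.com", "api.github.com")

# Assumed log line layout: <utc timestamp> <endpoint> <process> <url>
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>\S+)\s+(?P<url>https?://(?P<dom>[^/\s]+)\S*)$")

# Constructed sample log lines (not real telemetry). WS-117 polls Command.txt every ~60 s
# from a non-dev process; WS-042 shows ordinary browser and git activity; WS-201 has a
# single request from the same odd process.
SAMPLE_LOG = """\
2025-03-28T09:00:00Z WS-117 Updater.exe https://raw.githubusercontent.com/example-org/example-repo/main/Command.txt
2025-03-28T09:01:00Z WS-117 Updater.exe https://raw.githubusercontent.com/example-org/example-repo/main/Command.txt
2025-03-28T09:02:01Z WS-117 Updater.exe https://raw.githubusercontent.com/example-org/example-repo/main/Command.txt
2025-03-28T09:03:00Z WS-117 Updater.exe https://raw.githubusercontent.com/example-org/example-repo/main/Command.txt
2025-03-28T09:04:00Z WS-117 Updater.exe https://raw.githubusercontent.com/example-org/example-repo/main/Command.txt
2025-03-28T09:00:12Z WS-042 chrome.exe https://github.com/example-org/example-repo/pulls
2025-03-28T09:17:45Z WS-042 chrome.exe https://github.com/example-org/example-repo/issues/7
2025-03-28T10:02:03Z WS-042 chrome.exe https://raw.githubusercontent.com/example-org/example-repo/main/README.md
2025-03-28T09:05:00Z WS-042 git.exe https://github.com/example-org/example-repo.git/info/refs
2025-03-28T09:00:30Z WS-201 Updater.exe https://raw.githubusercontent.com/example-org/example-repo/main/Command.txt
"""


def parse(log_text):
    """Yield (timestamp, host, process, domain, url) for every well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, m["host"], m["proc"], m["dom"], m["url"]


def is_github(domain):
    return any(domain == g or domain.endswith("." + g) for g in GITHUB_HOSTS)


def detect_github_polling(log_text, min_requests=4, max_jitter=0.2):
    """Return findings sorted with beacons first.

    verdict "beacon": >= min_requests to one URL whose gap stdev/mean <= max_jitter.
    verdict "unexpected-process": any other GitHub access by a non-allowlisted process.
    """
    by_key = defaultdict(list)
    for ts, host, proc, dom, url in parse(log_text):
        if not is_github(dom) or proc.lower() in DEV_TOOL_ALLOWLIST:
            continue
        by_key[(host, proc, url)].append(ts)

    findings = []
    for (host, proc, url), stamps in by_key.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        verdict, period = "unexpected-process", None
        if len(stamps) >= min_requests:
            period = mean(gaps)
            # Low coefficient of variation in the gaps is the beacon signature.
            if period > 0 and pstdev(gaps) / period <= max_jitter:
                verdict = "beacon"
        findings.append({"host": host, "process": proc, "url": url,
                         "count": len(stamps), "period_s": period, "verdict": verdict})
    findings.sort(key=lambda f: (f["verdict"] != "beacon", f["host"]))
    return findings


if __name__ == "__main__":
    for f in detect_github_polling(SAMPLE_LOG):
        print(f["verdict"], f["host"], f["process"], f["count"], f["period_s"], f["url"])
```

Against the constructed sample this reports WS-117 as a beacon (five requests, roughly 60 s apart) and WS-201 as an unexpected process; the browser and git traffic is ignored. In production the jitter threshold needs loosening if the implant adds sleep randomisation, and the allowlist should be by signed binary path rather than file name.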

“Anyone in possession of the PAT token can potentially retrieve attacker-issued commands and access victim data,” Elastic Security Labs warned. The embedded nature of the PAT in the malware binary increases the risk of exploitation by unauthorized entities.

Emmenhtal Loader Spreads SmokeLoader via 7-Zip Files

Another emerging malware loader, Emmenhtal Loader (also referred to as PEAKLIGHT), has been identified as a delivery mechanism for SmokeLoader malware. Attackers are distributing Emmenhtal via phishing emails that employ payment-related lures.

According to GDATA, one key technique used in this SmokeLoader sample is the implementation of .NET Reactor, a commercial obfuscation and packing tool. Historically, SmokeLoader relied on packers such as Themida, Enigma Protector, and custom crypters. The adoption of .NET Reactor aligns with recent trends in malware development, as it provides strong anti-analysis capabilities.

Conclusion

The rapid evolution of malware loaders like Hijack Loader, SHELBY, and Emmenhtal highlights the increasing sophistication of cyber threats. By employing techniques such as call stack spoofing, GitHub-based C2 communication, and advanced obfuscation methods, attackers are making malware detection and analysis more difficult for security professionals.

Organizations must remain vigilant against phishing threats, employ robust endpoint protection, and implement behavioral detection mechanisms to counter these emerging threats. As malware tactics continue to evolve, cybersecurity defenses must adapt accordingly to mitigate risks effectively.