HijackLoader With New Modules to Hide Functions & Detect Malware Analysis

HijackLoader, a sophisticated malware loader initially discovered in 2023, has evolved with new advanced modules designed to evade security detection and analysis.

Also known as IDAT Loader and GHOSTPULSE, this modular malware not only delivers second-stage payloads but also employs various techniques to bypass security software, inject code, and establish persistence on infected systems.

The malware’s modular architecture allows threat actors to continuously update its capabilities through new modules.


These modules primarily focus on configuration information, security evasion, and code execution functionalities.

Recently, the malware has received significant upgrades with modules implementing more sophisticated anti-detection features.

Zscaler researchers identified several new modules in HijackLoader’s arsenal, including call stack spoofing to mask function call origins, anti-VM checks to detect analysis environments, and persistence mechanisms via scheduled tasks.

These enhancements demonstrate the malware’s evolution toward increasingly complex evasion tactics designed to thwart detection and analysis.

HijackLoader traverses the stack to retrieve and patch the return addresses to spoof stack frames (Source – Zscaler)

One of the most notable additions is the call stack spoofing technique, which effectively conceals the source of API and system calls.

This method manipulates the stack frames to hide malicious activity by replacing actual return addresses with addresses from legitimate system DLLs, making it difficult for security tools to identify suspicious function calls.

Call Stack Spoofing: A Deeper Look

HijackLoader implements call stack spoofing by using the base pointer register (EBP) to navigate the stack through a chain of EBP pointers.

When executing sensitive operations, the malware retrieves return address pointers from stack frames and patches them with random addresses from legitimate DLLs specified in the SM module.

The direct-syscall path is driven by a lookup structure of the following form, which ties each hashed API name to its system service number and resolved address:

#include <stdint.h>

struct DIRECTSYSCALL_STRUCT {
    uint32_t APIHash;         // CRC32 hash of the API function name
    uint32_t ssn;             // System service number (SSN) passed to the syscall stub
    char *APIName;            // API function name
    void *APIFunctionAddress; // Resolved API function address
};

This technique specifically targets critical native system APIs including ZwCreateSection, ZwMapViewOfSection, ZwProtectVirtualMemory, and ZwWriteVirtualMemory, among others.

After completing these operations, HijackLoader restores the original return addresses, leaving minimal traces of its activity.

Call stack spoofing (Source – Zscaler)

The implementation of these advanced evasion techniques signals a concerning trend in malware sophistication, highlighting the need for multi-layered security approaches that can detect such stealthy threats.


Tushar Subhra Dutta
Tushar is a cybersecurity content editor with a passion for creating captivating and informative content. With years of experience in cybersecurity, he covers cybersecurity news, technology and other news.