A sophisticated new malware technique known as “Waiting Thread Hijacking” (WTH) has emerged as a significant threat to cybersecurity defenses.
This stealthy process injection method, revealed on April 14, 2025, represents an evolution of the classic Thread Execution Hijacking approach but employs a far more elusive methodology to evade detection by modern security solutions.
Process injection techniques have long been a staple in malware arsenals, allowing attackers to hide malicious modules within legitimate processes.
.png
)
What makes Waiting Thread Hijacking particularly concerning is its ability to execute injected code without triggering the typical alerts that would flag conventional methods.
Unlike traditional thread hijacking, which requires suspending and resuming threads using easily monitored APIs like SuspendThread and ResumeThread, WTH targets threads already in a waiting state, eliminating the need for suspicious thread manipulation.
The technique works by exploiting Windows Thread Pools, which contain numerous waiting threads ready to be activated upon specific events.
Instead of creating new threads or manipulating active ones, attackers identify dormant waiting threads and replace their return addresses with pointers to malicious shellcode.
When these threads naturally resume execution, they unwittingly execute the injected code before returning to their normal operations.
CheckPoint researchers identified this technique through extensive analysis of thread behavior in Windows systems.
According to their findings, WTH requires significantly fewer suspicious API calls, making it particularly difficult for Endpoint Detection and Response (EDR) systems to detect.
The method requires only basic process handle access permissions (PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE for the target process and THREAD_GET_CONTEXT for threads) rather than the more suspicious and monitored THREAD_SET_CONTEXT or THREAD_SUSPEND_RESUME permissions.
The technique proves especially effective against security products that focus on monitoring specific API sequences rather than analyzing memory operations comprehensively.
By splitting the attack across multiple processes, attackers can further obfuscate the malicious behavior, with each child process handling a different step of the injection sequence.
Technical Implementation
The core of WTH’s evasion capability lies in its exploitation of waiting threads, specifically those with the wait reason WrQueue.
These threads are paused inside system calls like NtRemoveIoCompletion or NtWaitForWorkViaWorkerFactory, waiting for specific events to resume execution.
The attack identifies such threads, obtains their context, and strategically replaces the return address on their stack with a pointer to malicious code.
bool run_injected(DWORD pid, ULONGLONG shellcodePtr, KWAIT_REASON wait_reason)
{
// Enumerate threads and find one in the waiting state
// ...
for (auto itr = threads_info.begin(); itr != threads_info.end(); ++itr) {
thread_info& info = itr->second;
if (info.ext.state == Waiting && info.ext.wait_reason == wait_reason) {
ULONGLONG ret = read_return_ptr(hProcess, ctx.Rsp);
// Verify target is suitable
if (check_ret_target((LPVOID)ret)) {
suitable_ret_ptr = ctx.Rsp;
suitable_ret = ret;
break;
}
}
}
// Overwrite return address
// ...
}The technique avoids suspending threads and instead relies on the natural activation of waiting threads.
.gif)
Once the waiting thread completes its wait state, it executes the malicious code before seamlessly returning to its original function, maintaining process stability.
What makes WTH particularly dangerous is its simplicity and use of common APIs that appear in legitimate software, making it difficult to detect through static analysis.
The technique has already proven effective at bypassing some EDR solutions that block other injection methods, though no single technique is universally successful against all defenses.
CheckPoint has developed and deployed specific Behavioral Guard protections named “WaitingThreadHijackBlock” to protect their customers from this emerging threat.
Equip your team with real-time threat analysis With ANY.RUN’s interactive cloud sandbox -> Try 14-day Free Trial
