Threat Actors Enhance HijackLoader With New Module for Stealth and Evasion

Cybersecurity experts have identified significant enhancements to HijackLoader, a sophisticated malware loader also known as GHOSTPULSE or IDAT Loader.

The malware, which has been circulating in underground forums, has received a substantial upgrade focused on evading detection systems and improving stealth capabilities.

This modular malware loader, designed primarily for delivering second-stage payloads, now presents an elevated threat to organizations worldwide.


HijackLoader’s architecture revolves around its modular design, which enables threat actors to continuously update its capabilities without completely redesigning the malware.

This evolutionary approach has made it particularly resilient against traditional security measures, as modules can be swapped or upgraded independently.

The loader handles various functions including configuration information gathering, security software evasion, and code injection or execution—all critical components for successful infiltration campaigns.

The impact of this enhanced malware extends beyond initial compromise, as HijackLoader establishes a foothold that enables threat actors to deploy additional malicious payloads.

These second-stage attacks can lead to data exfiltration, lateral movement through networks, and establishment of persistent access mechanisms that survive system reboots and security sweeps.

Broadcom researchers identified the latest enhancements after analyzing samples captured in recent cybersecurity incidents.

Through detailed forensic examination, they discovered that the malware’s developers have significantly improved its ability to operate undetected within compromised environments.

The most notable enhancement in HijackLoader’s arsenal is the implementation of call stack spoofing capabilities.

This sophisticated technique allows the malware to mask the origin of function calls, effectively creating false trails for security analysts and automated detection systems.

When security tools attempt to trace the execution path of suspicious activities, the spoofed call stack makes malicious operations appear to originate from legitimate system processes.
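As an added example (not code from the article or from Broadcom's analysis), the kind of heuristic a defender can run over a call stack captured when a sensitive API is invoked: a return address that no loaded image backs, or a stack in which no application frame appears at all, are both symptoms of the spoofing described above. The module map, addresses and sample stacks are constructed for illustration.

```python
# Added example: heuristic audit of a captured call stack. Module layout,
# addresses and frames are constructed sample data, not real ones.
from __future__ import annotations
from dataclasses import dataclass

SYSTEM_MODULES = {"ntdll.dll", "kernelbase.dll", "kernel32.dll"}

@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size

def module_for(addr: int, modules: list[Module]) -> Module | None:
    """Return the loaded image that backs addr, or None for private memory."""
    return next((m for m in modules if m.contains(addr)), None)

def audit_stack(return_addresses: list[int], modules: list[Module]) -> list[str]:
    """Flag two symptoms of a spoofed call stack:
    1. a return address in memory no loaded image backs (the real caller
       living in a heap or VirtualAlloc region);
    2. every frame resolving to system DLLs, so no application code appears
       to have initiated the sensitive call at all."""
    findings: list[str] = []
    seen_user_code = False
    for depth, addr in enumerate(return_addresses):
        mod = module_for(addr, modules)
        if mod is None:
            findings.append(f"frame {depth}: return address {addr:#x} not backed by a loaded image")
        elif mod.name.lower() not in SYSTEM_MODULES:
            seen_user_code = True
    if not seen_user_code:
        findings.append("no frame outside system DLLs: true origin of the call is hidden")
    return findings

# Constructed module map (bases and sizes are illustrative).
MODULES = [
    Module("ntdll.dll", 0x7FFA_0000_0000, 0x20_0000),
    Module("kernelbase.dll", 0x7FF9_FF00_0000, 0x30_0000),
    Module("kernel32.dll", 0x7FF9_FE00_0000, 0x10_0000),
    Module("app.exe", 0x1_4000_0000, 0x8_0000),
]
# Benign: syscall stub <- kernelbase <- app.exe <- thread start in kernel32.
BENIGN_STACK = [0x7FFA_0001_2340, 0x7FF9_FF01_5000, 0x1_4001_2000, 0x7FF9_FE00_1A00]
# Spoofed: the app.exe frame is replaced by a return into unbacked memory.
SPOOFED_STACK = [0x7FFA_0001_2340, 0x7FF9_FF01_5000, 0x0250_1234_0000, 0x7FF9_FE00_1A00]
# Hidden: only system DLL frames survive, the caller is erased entirely.
HIDDEN_STACK = [0x7FFA_0001_2340, 0x7FF9_FF01_5000, 0x7FF9_FE00_1A00]

if __name__ == "__main__":
    for name, stack in [("benign", BENIGN_STACK), ("spoofed", SPOOFED_STACK), ("hidden", HIDDEN_STACK)]:
        print(name, audit_stack(stack, MODULES) or ["ok"])
```

Real unwinders add further checks (frame gaps, return addresses not preceded by a call instruction), but the two above catch the common case of a forged frame pointing into private memory.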

Additionally, HijackLoader now incorporates enhanced anti-VM (virtual machine) checks to detect analysis environments, as well as persistence mechanisms that use scheduled tasks to maintain access to compromised systems.


Tushar Subhra Dutta
Tushar is a cyber security content editor with a passion for creating captivating and informative content. With years of experience in cyber security, he covers cyber security news, technology and other news.