New HijackLoader Malware Used to Distribute Various Malware Families | Cyware Hacker News

The cybercriminal community is increasingly adopting a newly discovered malware loader named HijackLoader. First discovered in July, the loader is being used to distribute different malware families such as DanaBot, SystemBC, and RedLine Stealer.

Key capabilities

  • HijackLoader uses a modular architecture that lets threat actors perform code injection and execution.
  • While the exact initial infection vector is currently unknown, the loader uses syscalls to evade detection and to monitor processes associated with security software, based on an embedded blocklist.
  • To achieve persistence on compromised hosts, the malware loader creates a shortcut file (LNK) in the Windows Startup folder that points to a Background Intelligent Transfer Service (BITS) job.
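
One way to hunt for the persistence pattern in the last bullet, as an added example that is not from the article or the researchers it cites: it pairs a new .lnk in a Startup folder with a BITS job created by the same process on the same host. The event records are constructed, and the flattened field names and five-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Both per-user and all-users Startup folders contain this path fragment.
STARTUP_FRAGMENT = "\\start menu\\programs\\startup\\"
WINDOW = timedelta(minutes=5)  # assumed correlation window

# Constructed sample events. Field names are an assumed flattening of
# Sysmon Event ID 11 (FileCreate) and Microsoft-Windows-Bits-Client
# Event ID 3 (job created); "image" is the process that acted.
EVENTS = [
    {"host": "WS01", "time": "2023-09-12T10:00:05", "source": "sysmon", "event_id": 11,
     "image": r"C:\Users\alice\AppData\Local\Temp\setup_x.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.lnk"},
    {"host": "WS01", "time": "2023-09-12T10:00:40", "source": "bits-client", "event_id": 3,
     "image": r"C:\Users\alice\AppData\Local\Temp\setup_x.exe", "job": "upd"},
    # Benign: installer drops a Startup shortcut but creates no BITS job.
    {"host": "WS02", "time": "2023-09-12T11:00:00", "source": "sysmon", "event_id": 11,
     "image": r"C:\Program Files\Vendor\install.exe",
     "target": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vendor.lnk"},
    # Benign: updater creates a BITS job but no Startup shortcut.
    {"host": "WS02", "time": "2023-09-12T11:01:00", "source": "bits-client", "event_id": 3,
     "image": r"C:\Program Files\Updater\update.exe", "job": "component-update"},
]

def is_startup_lnk(ev):
    path = ev.get("target", "").lower()
    return (ev["source"] == "sysmon" and ev["event_id"] == 11
            and STARTUP_FRAGMENT in path and path.endswith(".lnk"))

def is_bits_job_created(ev):
    return ev["source"] == "bits-client" and ev["event_id"] == 3

def correlate(events, window=WINDOW):
    """Pair Startup .lnk creations with BITS jobs from the same host and process."""
    jobs = [e for e in events if is_bits_job_created(e)]
    hits = []
    for lnk in filter(is_startup_lnk, events):
        t_lnk = datetime.fromisoformat(lnk["time"])
        for job in jobs:
            same_actor = (job["host"] == lnk["host"]
                          and job["image"].lower() == lnk["image"].lower())
            if same_actor and abs(datetime.fromisoformat(job["time"]) - t_lnk) <= window:
                hits.append((lnk, job))
    return hits

if __name__ == "__main__":
    for lnk, job in correlate(EVENTS):
        print(lnk["host"], lnk["image"], "->", lnk["target"], "| BITS job:", job["job"])
```

A pairing is a lead for triage rather than a verdict, and a job created by a different process than the one that wrote the shortcut will not be paired.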

Malware loaders in vogue

  • According to recent research, three prominent malware loaders—QakBot (QBot), SocGholish, and Raspberry Robin—were responsible for 80% of attacks launched in the first seven months of 2023.  
  • In a separate incident, a well-known malware named Smoke Loader expanded its attack surface to deploy a new malware, Whiffy Recon, for hijacking IoT devices.

While HijackLoader is relatively new, its addition to the threat landscape will enable cybercriminals to launch more attacks. 


Considering the increasing popularity of HijackLoader, researchers expect that it can fill the void left by the recent takedown of QakBot infrastructure. Organizations must therefore stay up to date on the tactics and techniques used by the malware loader and deploy multi-layered sandbox techniques to detect indicators associated with HijackLoader at various stages.