HijackLoader

Adopted by multiple adversaries, HijackLoader soared in 2024 as the loader of choice for the increasingly popular LummaC2 payload.

#10

Overall Rank

1.8%

Customers Affected

Analysis

HijackLoader, also known as IDAT Loader, GHOSTPULSE, or SHADOWLADDER, is a malware loader that delivers additional payloads through process injection. In use since at least July 2023, HijackLoader has been leveraged by multiple adversary groups to deliver a wide array of payloads, including stealers and RATs. The rise of paste-and-run campaigns in 2024 propelled HijackLoader up the ranks as a popular means of executing LummaC2 and other payloads. First observed together in June 2024, campaigns leveraging HijackLoader to deliver LummaC2 spiked in November, leading to its debut in our December 2024 Intelligence Insights.

It’s all in the name

The names “HijackLoader” and “IDATLoader” both nod to notable behaviors seen in early observations of the malware. Adversaries typically deliver HijackLoader as a ZIP archive containing, among other files, a legitimate executable alongside a malicious DLL that is sideloaded via DLL hijacking (the “hijack” in HijackLoader). The malicious payload is steganographically hidden in a separate image file and located by the string of letters IDAT within the image’s binary contents (the “IDAT” in IDATLoader).
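Because the payload is located by the IDAT marker inside an image, one structural check an analyst can run on a suspect image is a PNG chunk walk that validates each chunk's CRC and reports any bytes after IEND. The code below is an added example, not code from Red Canary or from the malware; the sample images are constructed here, and the page does not state that a given HijackLoader image fails these particular checks.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def walk_png_chunks(data: bytes) -> dict:
    """Walk a PNG's chunk list and report structural anomalies.

    Reports the chunk types seen in order, total IDAT payload bytes,
    chunks whose stored CRC does not match their contents, and the
    number of bytes found after IEND (a well-formed PNG ends at IEND).
    """
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIG)
    report = {"chunks": [], "idat_bytes": 0, "crc_mismatch": [],
              "trailing_bytes": 0, "truncated": False}
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        stored = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(stored) != 4:
            report["truncated"] = True  # chunk runs past end of file
            break
        name = ctype.decode("ascii", "replace")
        report["chunks"].append(name)
        if (zlib.crc32(ctype + body) & 0xFFFFFFFF) != struct.unpack(">I", stored)[0]:
            report["crc_mismatch"].append(name)
        if ctype == b"IDAT":
            report["idat_bytes"] += length
        pos += 12 + length
        if ctype == b"IEND":
            report["trailing_bytes"] = len(data) - pos
            break
    return report


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk: length, type, body, CRC over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


# Constructed 1x1 greyscale sample image (not a real HijackLoader artefact).
IHDR = _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
IDAT = _chunk(b"IDAT", zlib.compress(b"\x00\x00"))  # filter byte + 1 pixel
IEND = _chunk(b"IEND", b"")
CLEAN_PNG = PNG_SIG + IHDR + IDAT + IEND
# Same image with constructed junk appended after IEND ...
TRAILING_PNG = CLEAN_PNG + b"CONSTRUCTED-TRAILING-BLOB" * 4
# ... and with the IDAT CRC bit-flipped so the stored CRC no longer matches.
BAD_CRC_PNG = PNG_SIG + IHDR + IDAT[:-4] + bytes(b ^ 0xFF for b in IDAT[-4:]) + IEND
```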

Execution flow

HijackLoader’s execution flow begins with the hijacked legitimate EXE, passing through the sideloaded DLL, which reads in the image file containing the encrypted HijackLoader configuration details. The payload specified by the config is executed by spawning a legitimate child process in a suspended state and injecting the payload into the memory space of the child process. In many cases this injected child process serves as a shellcode loader for the final payload, which often manifests in the form of yet another injected child process.

DLL dispatch

Throughout 2024, the ZIP files observed contained a wide array of hijackable DLLs, and in some cases the operator renamed the legitimate EXE. For example, we commonly observed Setup.exe being used in place of the legitimate EXE’s filename. Similarly, we observed variation in the child processes used to host the injected final payload. The initial injected process acting upon the HijackLoader configuration tended to be one of choice.exe, cmd.exe, or more.com, while the final injected process containing the next-stage payload had more variability, including renamed instances of autoit3.exe as well as legitimate Windows binaries such as:

  • cmd.exe
  • Explorer.exe
  • Msbuild.exe
  • Msiexec.exe
  • Rundll32.exe
  • Searchindexer.exe
  • vbc.exe

For example, we have seen HijackLoader inject into more.com, which then downloaded and executed a renamed AutoIT3 binary; that binary in turn performed credential access and maintained sustained network connectivity to a C2 server, consistent with LummaC2 execution.

Hit the road, hijack

While the DLL sideloads that lend their hijacks to the HijackLoader name continue to be an effective delivery method, reports in October 2024 detailed a new variant of HijackLoader that doesn’t use a hijack at all. Rather than packaging a ZIP with a legitimate EXE, malicious DLL, and accompanying image file, this new campaign bundles all three components into a single signed EXE file. Instead of leveraging the sideloaded DLL to extract the config from a separate image file, the image is included as a resource within the signed EXE. The extraction process works similarly, and execution proceeds via process injection as described above. Researchers at Zscaler have continually updated a blog detailing the technical analysis of HijackLoader, including information on defense evasion and anti-analysis techniques.

Keep your eye on the payload

Regardless of how it’s delivered or what it’s injecting into, the primary concern with HijackLoader is the payload it delivers. Throughout 2024, the majority of the HijackLoader we observed delivered stealers—predominantly LummaC2, but alternatives such as ArechClient2, CryptBot, Redline, and others were also common. In 2023 we observed later-stage activity from a Scarlet Goldfinch infection leveraging NetSupport to deliver Havoc via HijackLoader. Throughout late 2023 and early 2024, we observed adversaries delivering MSIX installers using HijackLoader to deploy FakeBat. Other researchers have reported HijackLoader leading to Carbanak, Danabot, and IcedID, tools more closely linked to established criminal groups that are sometimes affiliated with ransomware.

Take action

HijackLoader has established itself as a major player across the threat landscape, employed by a diverse set of adversaries. As such, quick detection and response is a must.

Detection opportunities

Renamed instances of AutoIT

This pseudo-detection analytic identifies renamed instances of AutoIT. Adversaries—like those behind HijackLoader—use this tool to execute scripts to establish C2 communication or deliver additional payloads. The renamed binary may be located in a suspicious location like TEMP or APPDATA, or under a path that includes seemingly randomly generated names. Here at Red Canary we have profiled System32 binaries, collected and stored their expected metadata, and used that information to build detection analytics, and we published a blog sharing how you can do the same.

process_is_renamed == (autoit)*

* See the blog for more details on how to create these types of detection analytics
