HijackLoader
Also known as: DOILoader, GHOSTPULSE, IDAT Loader, SHADOWLADDER
According to Rapid7, this is a loader first spotted in July 2023. It implements several evasion techniques, including Process Doppelgänging, DLL Search Order Hijacking, and Heaven's Gate. It has been observed storing its malicious payload in the IDAT chunk of a PNG file.
Last 7 days
| Date | C2 Hosts |
|---|---|
| Mar 3, 2026 | 3 |
Further Reading
Severity: High. Analysis Summary: Microsoft stated that it is disabling the ms-appinstaller protocol handler again after various threat actors exploited it as an initial access vector to distribute ma...
Learn how HijackLoader has introduced call stack spoofing and new modules to improve its evasion and anti-analysis capabilities.
Explore HijackLoader’s updates and PNG image delivery method.
HijackLoader | Learn its tactics, evasion techniques, and modular architecture in our in-depth analysis.