Last seven days
- First activity
- Jul 12, 2026
- Last activity
- Jul 19, 2026
- Feed role
- C2 / Distribution
- Host form
- 2 IP / 5 hostnames
HijackLoader, also known as IDAT Loader and sometimes tracked as GHOSTPULSE or SHADOWLADDER, is a modular Windows malware loader used to stage and execute a wide range of follow-on payloads.
Profile source: Mallory opens in a new tabHijackLoader
HijackLoader, also known as IDAT Loader and sometimes tracked as GHOSTPULSE or SHADOWLADDER, is a modular Windows malware loader used to stage and execute a wide range of follow-on payloads. It is commonly employed as an intermediary component in intrusion chains rather than as the final objective, providing operators with flexible payload delivery, in-memory execution, and evasion features. Reported downstream payloads include information stealers, remote access trojans, banking malware, ransomware precursors, and legacy backdoors such as Carbanak.
A defining characteristic of HijackLoader is its use of concealed container formats and staged decryption to reconstruct malicious components only at runtime. Multiple campaigns have used steganographic or pseudo-image data, especially PNG IDAT-style chunking, combined with XOR or similar decoding and LZNT1 decompression to rebuild large loader bundles in memory. The framework has also been observed using shellcode stages, runtime API resolution, signed host binaries, and process hollowing or related image-replacement techniques to launch final payloads while reducing static detection opportunities.
HijackLoader is frequently delivered through social-engineering-heavy initial access chains. Observed vectors include ClickFix and paste-and-run lures, fake CAPTCHA and verification pages, spearphishing attachments, trojanized software installers, and DLL sideloading packages built around legitimate signed applications. It has also appeared in broader malware distribution ecosystems involving compromised WordPress sites, fake software updates, and malvertising-driven delivery chains. In several cases, users were tricked into manually executing PowerShell commands that downloaded and launched HijackLoader stages.
The loader is associated with financially motivated cybercrime activity and is widely used across malware delivery operations rather than being exclusive to a single threat actor. It has been linked to campaigns distributing Vidar, StealC, Remcos, SnappyClient, Arechclient2, CryptBot, and other commodity or MaaS payloads. Recent reporting also noted re-emergent Carbanak activity delivered through HijackLoader, indicating its continued utility as a modern delivery mechanism for older but still operational malware families.
On infected systems, HijackLoader has demonstrated strong defense-evasion tradecraft, including binary bloating, in-memory assembly of components, abuse of signed binaries for sideloading, and deployment patterns intended to frustrate sandboxing and forensic recovery. Some observed chains also established persistence for follow-on payloads. Overall, HijackLoader is best understood as a versatile loader-as-a-service framework optimized for stealthy Windows payload delivery and post-compromise flexibility.
C2 tracking
Derp observations, rolling seven-day window
Samples
2fd3e4fed8a88f9aa00a921cbb6fb564aa64943b20fc512ce3eb134d5ebfd2d3 401b70e0313d7f6dd1fd444a8d61e25ae433a5944a2607405fe5ddbc9b8f7afc b4a3205341b7d6eee7d8a810300a39960ac66c7fb89f585a06c6e1e921a49820 235f91d8d4634d2af5a9a504420d624496f11af6ffc8a98adea083121b88ab1e b8006c2a5a511648876a967f55bae95ccb5515ff0436e7855ce5d2ecc7dd407f ccce59754ac625d60cda648debe4a3021b70a30bc8b85d9a7d5612b1b64ef52a cdc0d27aee64dbcc4b67a3a6cdde4c7f32065144d8fbb6ada691143456e7d756 de7ab1b87f4a4911b8b2e5d8021b1759665fd31761ed8cec54203623e53b363a 46d4be062138f094622a73894837e65237cb574712aa995424f25230fd4cb4ce 64a3a21cb92d06b12229c7788f6578dc71a3a61cd8658c53fa9cafe051b11b2e Reported operators
The observed format is consistent with HijackLoader , also tracked as IDATLoader . The IDAT container is therefore not an isolated packer trick. It belongs to a wider modular loader framework that can deploy different components and final payloads depending on its configuration.
The observed format is consistent with HijackLoader , also tracked as IDATLoader . The IDAT container is therefore not an isolated packer trick. It belongs to a wider modular loader framework that can deploy different components and final payloads depending on its configuration.
The infrastructure graph generated from the correlation of indicators identified in the campaign reveals a complex network of relationships... through this, we note similarities with the already well-known โHijackLoader.โ
โ...EncryptHub added to the game files the HijackLoader malware (CVKRUTNP.exe), which establishes persistence on the victim device and downloads the Vidar infostealer (v9d9d.exe).โ
MITRE ATT&CK
Reporting
The MSI installer masquerading as a licensing utility and would have deployed HijackLoader (IDAT Loader), a loader designed to allow flexibility and deploy additional payloads.
HijackLoader6
These campaigns distribute multiple malware families, including HijackLoader, StealC, Remus, Amatera Stealer, CastleLoader, NetSupport, and a Rust-based stealer.
The story didnโt end with the arrest: the Carbanak backdoor has re-emerged in 2024-2025, delivered through modern loader families (IDATLoader / HijackLoader).
HijackLoader5
We uncovered multiple campaigns using the same infrastructure to deliver malware including HijackLoader, StealC, Remus, Amatera Stealer, CastleLoader, NetSupport, and a Rust-based stealer.
The observed format is consistent with HijackLoader , also tracked as IDATLoader . The IDAT container is therefore not an isolated packer trick. It belongs to a wider modular loader framework that can deploy different components and final payloads depending on its configuration.
Proofpoint and IBM X-Force researchers observed StealC-linked activity delivering malware families, including the following: ... HijackLoader ...
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.