Skip to content
Malware family Windows

HijackLoader

HijackLoader, also known as IDAT Loader and sometimes tracked as GHOSTPULSE or SHADOWLADDER, is a modular Windows malware loader used to stage and execute a wide range of follow-on payloads.

Profile source: Mallory opens in a new tab

HijackLoader

Family profile

HijackLoader, also known as IDAT Loader and sometimes tracked as GHOSTPULSE or SHADOWLADDER, is a modular Windows malware loader used to stage and execute a wide range of follow-on payloads. It is commonly employed as an intermediary component in intrusion chains rather than as the final objective, providing operators with flexible payload delivery, in-memory execution, and evasion features. Reported downstream payloads include information stealers, remote access trojans, banking malware, ransomware precursors, and legacy backdoors such as Carbanak.

A defining characteristic of HijackLoader is its use of concealed container formats and staged decryption to reconstruct malicious components only at runtime. Multiple campaigns have used steganographic or pseudo-image data, especially PNG IDAT-style chunking, combined with XOR or similar decoding and LZNT1 decompression to rebuild large loader bundles in memory. The framework has also been observed using shellcode stages, runtime API resolution, signed host binaries, and process hollowing or related image-replacement techniques to launch final payloads while reducing static detection opportunities.

HijackLoader is frequently delivered through social-engineering-heavy initial access chains. Observed vectors include ClickFix and paste-and-run lures, fake CAPTCHA and verification pages, spearphishing attachments, trojanized software installers, and DLL sideloading packages built around legitimate signed applications. It has also appeared in broader malware distribution ecosystems involving compromised WordPress sites, fake software updates, and malvertising-driven delivery chains. In several cases, users were tricked into manually executing PowerShell commands that downloaded and launched HijackLoader stages.

The loader is associated with financially motivated cybercrime activity and is widely used across malware delivery operations rather than being exclusive to a single threat actor. It has been linked to campaigns distributing Vidar, StealC, Remcos, SnappyClient, Arechclient2, CryptBot, and other commodity or MaaS payloads. Recent reporting also noted re-emergent Carbanak activity delivered through HijackLoader, indicating its continued utility as a modern delivery mechanism for older but still operational malware families.

On infected systems, HijackLoader has demonstrated strong defense-evasion tradecraft, including binary bloating, in-memory assembly of components, abuse of signed binaries for sideloading, and deployment patterns intended to frustrate sandboxing and forensic recovery. Some observed chains also established persistence for follow-on payloads. Overall, HijackLoader is best understood as a versatile loader-as-a-service framework optimized for stealthy Windows payload delivery and post-compromise flexibility.

Capabilities

  • Defense Evasion
  • Dll Sideloading
  • Initial Access
  • Persistence
  • Post Exploitation
  • Process Injection

C2 tracking

Seven-day C2 activity

Derp observations, rolling seven-day window

Observed infrastructure

Last seven days

First activity
Jul 12, 2026
Last activity
Jul 19, 2026
Feed role
C2 / Distribution
Host form
2 IP / 5 hostnames

Leading locations

  • DE2
  • IN1
  • LU1
  • US1

Leading providers

  • Cloudflare, Inc.1
  • DigitalOcean, LLC1
  • Ghosty Networks LLC1
  • Hostinger International Limited1
  • Omegatech LTD1

Infrastructure traits

  • Hosting 5
  • Anycast 1

Samples

Recent associated samples

Reported operators

Threat actors

4 named in public reporting
UAC-0184

The observed format is consistent with HijackLoader , also tracked as IDATLoader . The IDAT container is therefore not an isolated packer trick. It belongs to a wider modular loader framework that can deploy different components and final payloads depending on its configuration.

MB-0005

The observed format is consistent with HijackLoader , also tracked as IDATLoader . The IDAT container is therefore not an isolated packer trick. It belongs to a wider modular loader framework that can deploy different components and final payloads depending on its configuration.

PLUMP SPIDER

The infrastructure graph generated from the correlation of indicators identified in the campaign reveals a complex network of relationships... through this, we note similarities with the already well-known โ€œHijackLoader.โ€

EncryptHub

โ€œ...EncryptHub added to the game files the HijackLoader malware (CVKRUTNP.exe), which establishes persistence on the victim device and downloads the Vidar infostealer (v9d9d.exe).โ€

MITRE ATT&CK

HijackLoader in ATT&CK

37 distinct techniques

Reporting

Research mentioning HijackLoader

Jul 14
Blackpoint Cyber

Blackpoint SOC Threat Pulse: Week of July 13, 2026 - Blackpoint Cyber

The MSI installer masquerading as a licensing utility and would have deployed HijackLoader (IDAT Loader), a loader designed to allow flexibility and deploy additional payloads.

Jul 14
Gurucul Threat Research

ClickFix: Exploiting Compromised WordPress Sites with a Polygon-Based C2 Infrastructure | Community Portal | Gurucul

HijackLoader6

Jul 9
Gurucul Threat Research

Fake Google and Cloudflare Verification Pages Spread Multiple Malware Families | Community Portal | Gurucul

These campaigns distribute multiple malware families, including HijackLoader, StealC, Remus, Amatera Stealer, CastleLoader, NetSupport, and a Rust-based stealer.

Jul 7
Alpha Cyber

Anunak and Carbanak: A Billion-Dollar Heist - Alpha Cyber

The story didnโ€™t end with the arrest: the Carbanak backdoor has re-emerged in 2024-2025, delivered through modern loader families (IDATLoader / HijackLoader).

Jul 7
Gurucul Threat Research

Millenium: A RAT Rewritten, a Threat Multiplied | Community Portal | Gurucul

HijackLoader5

Jul 2
Malwarebytes Labs

Fake Google and Cloudflare verification pages spread multiple malware families | Malwarebytes

We uncovered multiple campaigns using the same infrastructure to deliver malware including HijackLoader, StealC, Remus, Amatera Stealer, CastleLoader, NetSupport, and a Rust-based stealer.

Jun 27
Synapticsystems

UAC-0184 Tooling Evolution: OneDrive Sideload to Remcos - Synaptic Security Blog

The observed format is consistent with HijackLoader , also tracked as IDATLoader . The IDAT container is therefore not an isolated packer trick. It belongs to a wider modular loader framework that can deploy different components and final payloads depending on its configuration.

Jun 24
Hackread

Operation Endgame Disrupts StealC, Amadey and SocGholish Malware Networks

Proofpoint and IBM X-Force researchers observed StealC-linked activity delivering malware families, including the following: ... HijackLoader ...

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.