HijackLoader
Also known as: DOILoader, GHOSTPULSE, IDAT Loader, SHADOWLADDER
According to Rapid7, this is a loader first spotted in July 2023. It implements several evasion techniques, including Process Doppelgänging, DLL Search Order Hijacking, and Heaven's Gate. It has been observed storing its malicious payload in the IDAT chunk of the PNG file format.
C2 Infrastructure
| Host type | Share |
|---|---|
| Hosting/VPS | 89% |
| ISP/Residential | 11% |
Last 7 days
| Date | C2 Hosts |
|---|---|
| Apr 19, 2026 | 1 |
| Apr 18, 2026 | 7 |
| Apr 16, 2026 | 1 |
| Apr 15, 2026 | 1 |
Further Reading
- New HijackLoader Evasion Tactics | ThreatLabz (zscaler.com): Learn how HijackLoader has introduced call stack spoofing and new modules to improve its evasion and anti-analysis capabilities.
- HijackLoader Updates | ThreatLabz (zscaler.com): Explore HijackLoader’s updates and PNG image delivery method.
- HijackLoader | ThreatLabz (zscaler.com): Learn its tactics, evasion techniques, and modular architecture in an in-depth analysis.
- Technical Analysis of SnappyClient | ThreatLabz (zscaler.com): SnappyClient is a C2 framework that features multiple evasion techniques that enable remote access and data theft.