Jun 1, 2026
C2 Hosts: 1
HijackLoader
Also known as: DOILoader, GHOSTPULSE, IDAT Loader, SHADOWLADDER
According to Rapid7, this is a loader first spotted in July 2023. It implements several evasion techniques including Process Doppelgänging, DLL Search Order Hijacking, and Heaven's Gate. It has been observed to store its malicious payload in the IDAT chunk of PNG file format.
C2 Infrastructure
Hosting/VPS 100%
Last 7 days
May 29, 2026
C2 Hosts: 1
May 28, 2026
C2 Hosts: 1
| Date | C2 Hosts |
|---|---|
| Jun 1, 2026 | 1 |
| May 29, 2026 | 1 |
| May 28, 2026 | 1 |
Further Reading
A Wretch Client: From ClickFix deception to information stealer deployment — Elastic Security Labs opens in a new tab
Elastic Security Labs detected a surge in ClickFix campaigns, using GHOSTPULSE to deploy Remote Access Trojans and data-stealing malware.
elastic.co
GHOSTPULSE haunts victims using defense evasion bag o' tricks — Elastic Security Labs opens in a new tab
Elastic Security Labs reveals details of a new campaign leveraging defense evasion capabilities to infect victims with malicious MSIX executables.
elastic.co
Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma Infostealers | Rapid7 Blog opens in a new tab
Rapid7 has observed the Fake Browser Update lure utilizing a sophisticated new loader to execute infostealers.
rapid7.com
New HijackLoader Evasion Tactics | ThreatLabz opens in a new tab
Learn how HijackLoader has introduced call stack spoofing and new modules to improve its evasion and anti-analysis capabilities.
zscaler.com
HijackLoader Updates | ThreatLabz opens in a new tab
Explore HijackLoader’s updates and PNG image delivery method.
zscaler.com
HijackLoader | ThreatLabz opens in a new tab
HijackLoader | Learn its tactics, evasion techniques, and modular architecture in our in-depth analysis.
zscaler.com
Technical Analysis of SnappyClient | ThreatLabz opens in a new tab
SnappyClient is a C2 framework that features multiple evasion techniques that enable remote access and data theft.
zscaler.com