{
	"id": "4dfa9588-0910-4527-a136-952e2b16d89b",
	"created_at": "2026-04-06T00:13:03.564215Z",
	"updated_at": "2026-04-10T13:12:16.696868Z",
	"deleted_at": null,
	"sha1_hash": "b3e64c24b9683120859bfa9921c9d87e3176bbf2",
	"title": "HijackLoader Expands Techniques to Improve Defense Evasion",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 364847,
	"plain_text": "HijackLoader Expands Techniques to Improve Defense Evasion\r\nBy Donato Onofri - Emanuele Calvelli\r\nArchived: 2026-04-05 18:00:35 UTC\r\nHijackLoader continues to become increasingly popular among adversaries for deploying additional\r\npayloads and tooling\r\nA recent HijackLoader variant employs sophisticated techniques to enhance its complexity and defense\r\nevasion\r\nCrowdStrike detects this new HijackLoader variant using machine learning and behavior-based detection\r\ncapabilities\r\nCrowdStrike researchers have identified a HijackLoader (aka IDAT Loader) sample that employs sophisticated\r\nevasion techniques to enhance the complexity of the threat. HijackLoader, an increasingly popular tool among\r\nadversaries for deploying additional payloads and tooling, continues to evolve as its developers experiment and\r\nenhance its capabilities.\r\nIn their analysis of a recent HijackLoader sample, CrowdStrike researchers discovered new techniques designed to\r\nincrease the defense evasion capabilities of the loader. The malware developer used a standard process hollowing\r\ntechnique coupled with an additional trigger that was activated by the parent process writing to a pipe. This new\r\napproach has the potential to make defense evasion stealthier.\r\nThe second technique variation involved an uncommon combination of process doppelgänging and process\r\nhollowing techniques. This variation increases the complexity of analysis and the defense evasion capabilities of\r\nHijackLoader. Researchers also observed additional unhooking techniques used to hide malicious activity. This\r\nblog focuses on the various evasion techniques employed by HijackLoader at multiple stages of the malware.\r\nHijackLoader Analysis\r\nInfection Chain Overview\r\nThe HijackLoader sample CrowdStrike analyzed implements complex multi-stage behavior in which the first-stage executable ( streaming_client.exe ) deobfuscates an embedded configuration partially used for dynamic\r\nAPI resolution (using PEB_LDR_DATA structure without other API usage) to harden against static analysis.\r\nAfterward, the malware uses WinHTTP APIs to check if the system has an active internet connection by\r\nconnecting to https\u003c:\u003e//nginx\u003c.\u003eorg . If the initial connectivity check succeeds, then execution continues, and\r\nit connects to a remote address to download the second-stage configuration blob. If the first URL indicated below\r\nfails, the malware iterates through the following list:\r\nhttps[:]//gcdnb[.]pbrd[.]co/images/62DGoPumeB5P.png?o=1\r\nhttps[:]//i[.]imgur[.]com/gyMFSuy.png;\r\nhttps[:]//bitbucket[.]org/bugga-oma1/sispa/downloads/574327927.png\r\nhttps://www.crowdstrike.com/blog/hijackloader-expands-techniques/\r\nPage 1 of 9\n\nUpon successfully retrieving the second-stage configuration, the malware iterates over the downloaded buffer,\r\nchecking for the initial bytes of a PNG header. It then proceeds to search for the magic value  C6 A5 79 EA ,\r\nwhich precedes the XOR key ( 32 B3 21 A5 in this sample) used to decrypt the rest of the configuration blob.\r\nFigure 1. HijackLoader key retrieving and decrypting (click to enlarge)\r\nFollowing XOR decryption, the configuration undergoes decompression using the RtlDecompressBuffer API\r\nwith COMPRESSION_FORMAT_LZNT1 . After decompressing the configuration, the malware loads a legitimate\r\nWindows DLL specified in the configuration blob (in this sample, C:\\Windows\\SysWOW64\\mshtml.dll ).\r\nThe second-stage, position-independent shellcode retrieved from the configuration blob is written to the .text\r\nsection of the newly loaded DLL before being executed. The HijackLoader second-stage, position-independent\r\nshellcode then performs some evasion activities (further detailed below) to bypass user mode hooks using\r\nHeaven’s Gate and injects subsequent shellcode into cmd.exe .The injection of the third-stage shellcode is\r\naccomplished via a variation of process hollowing that results in an injected hollowed mshtml.dll into the newly\r\nspawned cmd.exe child process.\r\nThe third-stage shellcode implements a user mode hook bypass before injecting the final payload (a Cobalt Strike\r\nbeacon for this sample) into the child process logagent.exe . The injection mechanism used by the third-stage\r\nshellcode leverages the following techniques:\r\nProcess Doppelgänging Primitives: This technique is used to hollow a Transacted Section\r\n( mshtml.dll ) in the remote process to contain the final payload.\r\nProcess/DLL Hollowing : This technique is used to inject the fourth-stage shellcode that is responsible for\r\nperforming evasion prior to passing execution to the final payload within the transacted section from the\r\nprevious step.\r\nFigure 2 details the attack path exhibited by this HijackLoader variant.\r\nhttps://www.crowdstrike.com/blog/hijackloader-expands-techniques/\r\nPage 2 of 9\n\nFigure 2. HijackLoader — infection chain (click to enlarge)\r\nMain Evasion Techniques Used by HijackLoader and Shellcode\r\nThe primary evasion techniques employed by HijackLoader include hook bypass methods such as Heaven's Gate\r\nand unhooking by remapping system DLLs monitored by security products. Additionally, the malware implements\r\nvariations of process hollowing and an injection technique that leverages transacted hollowing, which combines\r\nthe transacted section and process doppelgänging techniques with DLL hollowing.\r\nHook Bypass: Heaven’s Gate and Unhooking\r\nLike other variants of HijackLoader, this sample implements a user mode hook bypass using Heaven's Gate (when\r\nrun in SysWOW64 ) — this is similar to existing ( x64_Syscall function) implementations.\r\nThis implementation of Heaven's Gate is a powerful technique that leads to evading user mode hooks placed in\r\nSysWOW64 ntdll.dll by directly calling the syscall instruction in the x64 version of ntdll .\r\nEach call to Heaven's Gate uses the following as arguments:\r\nThe syscall number\r\nThe number of parameters of the syscall\r\nThe parameters (according to the syscall)\r\nThis variation of the shellcode incorporates an additional hook bypass mechanism to elude any user mode hooks\r\nthat security products may have placed in the x64 ntdll . These hooks are typically used for monitoring both the\r\nx32 and x64 nt\r\ndll .\r\nDuring this stage, the malware remaps the .text section of x64 ntdll by using Heaven’s Gate to call\r\nNtWriteVirtualMemory and NtProtectVirtualMemory to replace the in-memory mapped ntdll with the\r\n.text from a fresh ntdll read from the file C:\\windows\\system32\\ntdll.dll . This unhooking technique is\r\nalso used on the process hosting the final Cobalt Strike payload ( logagent.exe ) in a final attempt to evade\r\ndetection.\r\nhttps://www.crowdstrike.com/blog/hijackloader-expands-techniques/\r\nPage 3 of 9\n\nProcess Hollowing Variation\r\nTo inject the subsequent shellcode into the child process cmd.exe , the malware utilizes common process\r\nhollowing techniques. This involves mapping the legitimate Windows DLL mshtml.dll into the target process\r\nand then replacing its .text section with shellcode. An additional step necessary to trigger the execution of the\r\nremote shellcode is detailed in a later section.\r\nTo set up the hollowing, the sample creates two pipes that are used to redirect the Standard Input and the\r\nStandard Output of the child process (specified in the aforementioned configuration blob,\r\nC:\\windows\\syswow64\\cmd.exe ) by placing the pipes’ handles in a STARTUPINFOW structure spawned with\r\nCreateProcessW API.\r\nOne key distinction between this implementation and the typical \"standard\" process hollowing can be observed\r\nhere: In standard process hollowing, the child process is usually created in a suspended state. In this case, the\r\nchild is not explicitly created in a suspended state, making it appear less suspicious. Since the child process is\r\nwaiting for an input from the pipe created previously, its execution is hanging on receiving data from it.\r\nEssentially, we can call this an interactive process hollowing variation.\r\nAs a result, the newly spawned cmd.exe will read input from the STDIN pipe, effectively waiting for new\r\ncommands. At this point, its EIP ( Extended Instruction Pointer ) is directed toward the return from the\r\nNtReadFile syscall.\r\nThe following section details the steps taken by the second-stage shellcode to set up the child process cmd.exe\r\nultimately used to perform the subsequent injections used to execute the final payload.\r\nThe parent process streaming_client.exe initiates an NtDelayExecution to sleep, waiting for cmd.exe to\r\nfinish loading. Afterward, it reads the legitimate Windows DLL mshtml.dll from the file system and proceeds to\r\nload this library into cmd.exe as a shared section. This is accomplished using the Heaven's Gate technique for:\r\nCreating a shared section object using NtCreateSection\r\nMapping that section in the remote cmd.exe using NtMapViewOfSection\r\nIt then replaces the .text section of the mshtml DLL with malicious shellcode by using:\r\nHeaven’s Gate to call NtProtectVirtualMemory on cmd.exe to set RWX permissions on the .text section\r\nof the previously mapped section mshtml.dll\r\nHeaven’s Gate to call NtWriteVirtualMemory on the DLL’s .text section to stomp the module and write\r\nthe third-stage shellcode\r\nFinally, to trigger the execution of the remote injected shellcode, the malware uses:\r\nHeaven’s Gate to suspend ( NtSuspendThread ) the remote main thread\r\nA new CONTEXT (by using NtGetContextThread and NtSetContextThread ) to modify the EIP to point\r\nto the previously written shellcode\r\nHeaven’s Gate to resume ( NtResumeThread ) the remote main thread of cmd.exe\r\nhttps://www.crowdstrike.com/blog/hijackloader-expands-techniques/\r\nPage 4 of 9\n\nHowever, because cmd.exe is waiting for user input from the STDINPUT pipe, the injected shellcode in the new\r\nprocess isn't actually executed upon the resumption of the thread. The loader must take an additional step:\r\nThe parent process streaming_client.exe needs to write ( WriteFile ) \\r\\n string to the STDINPUT\r\npipe created previously to send an input to cmd.exe after calling NtResumeThread . This effectively\r\nresumes execution of the primary thread at the shellcode’s entry point in the child process cmd.exe .\r\nInteractive Process Hollowing Variation: Tradecraft Analysis\r\nWe have successfully replicated the threadless process hollowing technique to understand how the pipes trigger it.\r\nOnce the shellcode has been written as described, it needs to be activated. This activation is based on the concept\r\nthat when a program makes a syscall, the thread waits for the kernel to return a value.\r\nIn essence, the interactive process hollowing technique involves the following steps:\r\nCreateProcess: This step involves spawning the cmd.exe process to inject the malicious code by\r\nredirecting STDIN and STDOUT to pipes. Notably, this process isn't suspended, making it appear less\r\nsuspicious. Waiting to read input from the pipe, the NtReadFile syscall sets its main thread's state to\r\nWaiting and _KWAIT_REASON to Executive , signifying that it's awaiting the execution of kernel code\r\noperations and their return.\r\nWriteProcessMemory: This is where the shellcode is written into the cmd.exe child process.\r\nSetThreadContext: In this phase, the parent sets the conditions to redirect the execution flow of the\r\ncmd.exe child process to the previously written shellcode’s address by modifying the EIP/RIP in the\r\nremote thread CONTEXT .\r\nWriteFile: Here, data is written to the STDIN pipe, sending an input to the cmd.exe process. This action\r\nresumes the execution of the child process from the NtReadFile operation, thus triggering the execution\r\nof the shellcode. Before returning to user space, the kernel is reading and restoring the values saved in the\r\n_KTRAP_FRAME structure (containing the EIP/RIP register value) to resume from where the syscall was\r\ncalled. By modifying the CONTEXT in the previous step, the loader hijacks the resuming of the execution\r\ntoward the shellcode address without the need to suspend and resume the thread, which this technique\r\nusually requires.\r\nTransacted Hollowing² (Transacted Section/Doppelgänger + Hollowing)\r\nThe malware writes the final payload in the child process logagent.exe spawned by the third-stage shellcode in\r\ncmd.exe by creating a transacted section to be mapped in the remote process. Subsequently, the malware injects\r\nfourth-stage shellcode into logagent.exe by loading and hollowing another instance of mshtml.dll into the\r\ntarget process. The injected fourth-stage shellcode performs the aforementioned hook bypass technique before\r\nexecuting the final payload previously allocated by the transacted section.\r\nTransacted Section Hollowing\r\nSimilarly to process doppelgänging, the goal of a transacted section is to create a stealthy malicious section inside\r\na remote process by overwriting the memory of the legitimate process with a transaction. In this sample, the third-https://www.crowdstrike.com/blog/hijackloader-expands-techniques/\r\nPage 5 of 9\n\nstage shellcode executed inside cmd.exe places a malicious transacted section used to host the final payload in\r\nthe target child process logagent.exe . The shellcode uses the following:\r\nNtCreateTransaction to create a transaction\r\nRtlSetCurrentTransaction and CreateFileW with a dummy file name to replace the documented\r\nCreateFileTransactedW\r\nHeaven’s Gate to call NtWriteFile in a loop, writing the final shellcode to the file in 1,024-byte chunks\r\nCreation of a section backed by that file (Heaven’s Gate call NtCreateSection )\r\nA rollback of the previously created section by using Heaven’s Gate to call NtRollbackTransaction\r\nExisting similar implementations have publicly been observed in this project that implements transaction\r\nhollowing. Once the transacted section has been created, the shellcode generates a function stub at runtime to hide\r\nfrom static analysis. This stub contains a call to the CreateProcessW API to spawn a suspended child process\r\nlogagent.exe ( c50bffbef786eb689358c63fc0585792d174c5e281499f12035afa1ce2ce19c8 ) that was previously\r\ndropped by cmd.exe\r\nunder the %TEMP% folder. After the target process has been created, the sample uses Heaven’s Gate to:\r\nRead its PEB by calling NtReadVirtualMemory to retrieve its base address ( 0x400000 )\r\nUnmap the logagent.exe image in the logagent.exe process by using NtUnMapViewofSection\r\nHollow the previously created transacted section inside the remote process by remapping the section at the\r\nsame base address ( 0x400000 ) with NtMapViewofSection\r\nProcess Hollowing\r\nAfter the third-stage shellcode within cmd.exe injects the final Cobalt Strike payload inside the transacted\r\nsection of the logagent.exe process, it continues by process hollowing the target process to write the fourth\r\nshellcode stage ultimately used to execute the final payload (loaded in the transacted section) in the remote\r\nprocess. The third-stage shellcode maps the legitimate Windows DLL C:\\Windows\\SysWOW64\\mshtml.dll in the\r\ntarget process prior to replacing its .text with the fourth-stage shellcode and executing it via NtResumeThread .\r\nThis additional fourth-stage shellcode written to logagent.exe performs similar evasion activities to the third-stage shellcode executed in cmd.exe (as indicated in the hook bypass section) before passing execution to the\r\nfinal payload.\r\nCrowdStrike Falcon Coverage\r\nCrowdStrike employs a layered approach for malware detection using machine learning and indicators of attack\r\n(IOAs). As shown in Figure 3, the CrowdStrike Falcon® sensor’s machine learning capabilities can automatically\r\ndetect and prevent HijackLoader in the initial stages of the attack chain; i.e., as soon as the malware is\r\ndownloaded onto the victim’s machine. Behavior-based detection capabilities (IOAs) can recognize malicious\r\nbehavior at various stages of the attack chain, including when employing tactics like process injection attempts.\r\nhttps://www.crowdstrike.com/blog/hijackloader-expands-techniques/\r\nPage 6 of 9\n\nFigure 3. CrowdStrike Falcon platform machine learning and IOA coverage for the HijackLoader sample (click to\r\nenlarge)\r\nIndicators of Compromise (IOCs)\r\nMITRE ATT\u0026CK Framework\r\nThe following table maps reported HijackLoader tactics, techniques and procedures (TTPs) to the MITRE\r\nATT\u0026CK® framework.\r\nID Technique Description\r\nT1204.002\r\nUser Execution:\r\nMalicious File\r\nThe sample is a backdoored version of streaming_client.exe ,\r\nwith the Entry Point redirected to a malicious stub.\r\nT1027.007\r\nObfuscated Files or\r\nInformation: Dynamic\r\nAPI Resolution\r\nHijackLoader and its stages hide some of the important imports\r\nfrom the IAT by dynamically retrieving kernel32 and ntdll\r\nAPI addresses. It does this by parsing PEB-\u003ePEB_LDR_DATA and\r\nretrieving the function addresses.\r\nhttps://www.crowdstrike.com/blog/hijackloader-expands-techniques/\r\nPage 7 of 9\n\nT1016.001\r\nSystem Network\r\nConfiguration\r\nDiscovery: Internet\r\nConnection Discovery\r\nThis variant of HijackLoader connects to a remote server to check if\r\nthe machine is connected to the internet by using the WinHttp API\r\n( WinHttpOpenRequest and WinHttpSendRequest ).\r\nT1140\r\nDeobfuscate/Decode\r\nFiles or Information\r\nHijackLoader utilizes XOR mechanisms to decrypt the downloaded\r\nstage.\r\nT1140\r\nDeobfuscate/Decode\r\nFiles or Information\r\nHijackLoader utilizes RtlDecompressBuffer to LZ decompress the\r\ndownloaded stage.\r\nT1027\r\nObfuscated Files or\r\nInformation\r\nHijackLoader drops XOR encrypted files to the %APPDATA%\r\nsubfolders to store the downloaded stages.\r\nT1620\r\nReflective Code\r\nLoading\r\nHijackLoader reflectively loads the downloaded shellcode in the\r\nrunning process by loading and stomping the mshtml.dll module\r\nusing the LoadLibraryW and VirtualProtect APIs.\r\nT1106 Native API\r\nHijackLoader uses direct syscalls and the following APIs to\r\nperform bypasses and injections: WriteFileW , ReadFile ,\r\nCreateFileW , LoadLibraryW , GetProcAddress ,\r\nNtDelayExecution , RtlDecompressBuffer , CreateProcessW ,\r\nGetModuleHandleW , CopyFileW , VirtualProtect ,\r\nNtProtectVirtualMemory , NtWriteVirtualMemory ,\r\nNtResumeThread , NtSuspendThread , NtGetContextThread ,\r\nNtSetContextThread , NtCreateTransaction ,\r\nRtlSetCurrentTransaction , NtRollbackTransaction ,\r\nNtCreateSection , NtMapViewOfSection ,\r\nNtUnMapViewOfSection , NtWriteFile , NtReadFile ,\r\nNtCreateFile and CreatePipe .\r\nT1562.001\r\nImpair Defenses:\r\nDisable or Modify\r\nTools\r\nHijackLoader and its stages use Heaven’s Gate and remap x64 ntdll\r\nto bypass user space hooks.\r\nT1055.012\r\nProcess Injection:\r\nProcess Hollowing\r\nHijackLoader and its stages implement a process hollowing\r\ntechnique variation to inject in cmd.exe and logagent.exe .\r\nT1055.013\r\nProcess Injection:\r\nProcess Doppelgänging\r\nThe HijackLoader shellcode implements a process doppelgänging\r\ntechnique variation (transacted section hollowing) to load the final\r\nstage in logagent.exe .\r\nAdditional Resources\r\nhttps://www.crowdstrike.com/blog/hijackloader-expands-techniques/\r\nPage 8 of 9\n\nThe CrowdStrike Falcon® platform achieved 100% protection, 100% visibility and 100% analytic\r\ndetection across all steps in the MITRE Engenuity ATT\u0026CK® Evaluations: Enterprise, Round 5. Learn\r\nmore in this blog post.\r\nCrowdStrike was named a Leader in the 2023 Gartner® Magic Quadrant™ for Endpoint Protection\r\nPlatforms — furthest right in Vision and highest in Ability to Execute. Read about it here.\r\nFind out how the Falcon platform stops breaches, saves time and saves money in this IDC analysis: The\r\nBusiness Value of the CrowdStrike Falcon XDR Platform.\r\nSee the Falcon platform in action — sign up for a free demo today.\r\nSource: https://www.crowdstrike.com/blog/hijackloader-expands-techniques/\r\nhttps://www.crowdstrike.com/blog/hijackloader-expands-techniques/\r\nPage 9 of 9",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.crowdstrike.com/blog/hijackloader-expands-techniques/"
	],
	"report_names": [
		"hijackloader-expands-techniques"
	],
	"threat_actors": [],
	"ts_created_at": 1775434383,
	"ts_updated_at": 1775826736,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b3e64c24b9683120859bfa9921c9d87e3176bbf2.pdf",
		"text": "https://archive.orkl.eu/b3e64c24b9683120859bfa9921c9d87e3176bbf2.txt",
		"img": "https://archive.orkl.eu/b3e64c24b9683120859bfa9921c9d87e3176bbf2.jpg"
	}
}