{
	"id": "0ce93516-3945-4ee5-934b-203982eacd2f",
	"created_at": "2026-04-10T03:20:19.594084Z",
	"updated_at": "2026-04-10T03:22:16.721204Z",
	"deleted_at": null,
	"sha1_hash": "fcca7fcd501477381987efdc8fc4d5ab3a91f4a3",
	"title": "HijackLoader Targets Hotels: A Technical Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4041500,
	"plain_text": "HijackLoader Targets Hotels: A Technical Analysis\r\nBy Alpine Security\r\nPublished: 2023-09-23 · Archived: 2026-04-10 02:37:26 UTC\r\n6 min read\r\nSep 19, 2023\r\n18 Sep 2023 — Borja Merino\r\nDuring the last months, the Alpine Security Hunting Team has observed several malware campaigns against various hotel chains in Andorra using HijackLoader as the main weapon of attack. Recently detailed and analyzed by ThreatLabz, HijackLoader is a new malware loader that is used to load different malware families such as Danabot, SystemBC and RedLine Stealer. This malware is characterized by a modular design and implements several layers of obfuscation, anti-analysis and evasion techniques (DLL Stomping, direct syscalls, process migration, etc.) to execute code as stealthily as possible.\r\nhttps://alpine-sec.medium.com/hijackloader-targets-hotels-a-technical-analysis-c2795fc4f3a3\r\nPage 1 of 10\r\nIn the campaigns observed, the attackers establish contact via email with the hotels to reserve a room and, under the pretext of suffering from food allergies, send a download link containing a compressed file with the malicious binary. The links usually point to a service with a good reputation (dropbox.com, drive.google.com, etc.).\r\nIn this other campaign the attackers contact the hotel via Booking using a very similar pretext: they inform the hotel of certain contraindications that should be taken into account in order to avoid certain allergy problems described in an attached medical prescription. The attachment in this case comes from the Discord CDN (hxxps://cdn.discordapp[.]com/attachments/1146064438449946687/1146072433867116564/my_contraindications.zip).\r\nThe present analysis shows the triage carried out on a certain binary following an alert in one of our clients, where the legitimate “ftp.exe” process (SysWOW64) was invoked from a recently created suspicious binary (previously unobserved in the company).\r\nThe analyzed binary, “my contraindications.exe”, has a size of 1,538,816 bytes (1.5 MB), is developed in C++ for 32-bit architectures (Windows GUI Subsystem) and tries to pass itself off as a legitimate McAfee binary, even embedding a certificate of said AV company. The File-Header Timestamp reflects “2021–06–10 06:57:08”.\r\nThe execution of the harmful code starts from the _vcrt_initialize() function (which is part of the Microsoft Visual C++ Runtime Library), where the authors have inserted a hook/call to the function from which the infection process starts. The process’s main thread will therefore begin its harmful actions before reaching WinMain().\r\nThe code walks the PEB_LDR_DATA structure from the PEB with the goal of retrieving the Kernel32 base address and traversing its EAT in order to retrieve symbols.\r\nThe malicious code also loads “winhttp.dll” in order to carry out network communications. One of these connections is to the legitimate domain “doi.org”. The code, in a loop, waits for communication with it before proceeding with the infection actions.\r\nThe loader makes some direct syscalls in order to bypass certain security solutions; in the image below, NtDelayExecution (which is used recurrently during the infection chain).\r\nHijackLoader retrieves a PNG image from different image hosting services with the aim of recovering the next stage along with the corresponding malware family. The encrypted URIs are listed below:\r\nhxxxs://i.ibb[.]co/MMdnckd/alcocain.png\r\nhxxxs://i.imgur[.]com/tGBX8NN.png\r\nhxxxs://files.catbox[.]moe/0qiisg.png\r\nThe images are recovered via WinHTTPReadData. The following image shows, already in memory, the PNG from “i.imgur[.]com/tGBX8NN.png”.\r\nThe way the loader retrieves the payload is as follows:\r\n1. Identifies a certain DWORD TAG within the image (0xC6A579EA). This TAG serves as the starting point to reconstruct the XOR’ed payload.\r\n2. Recovers and concatenates the chunks of bytes separated by another ID (0x49444154).\r\n3. Decrypts, via XOR, the set of bytes previously concatenated, using the DWORD located right after the TAG as the KEY.\r\n4. After applying the XOR, the resulting buffer is decompressed (LZNT1) via RtlDecompressBuffer (COMPRESSION_FORMAT_LZNT1). The bytes that accompany the XOR KEY determine the size of the compressed buffer and its uncompressed size.\r\nThe following image shows the buffer with the header in which the TAG and the XOR key are located. At the bottom you can see the routine in charge of applying the XOR using the KEY (in the example: 0xC5A2B15F).\r\nFinally, after applying the decryption, the payload embedded and compressed in the image is recovered using RtlDecompressBuffer.\r\nThe following script was made to automate the extraction of the payloads from the different images during the analysis.\r\nThe uncompressed buffer contains the configuration file, some of the HijackLoader modules described by Nikolaos Pantazopoulos and certain shellcode that orchestrates the infection process until the final payload is executed.\r\nFor example, the DLL highlighted in the configuration (“C:\\Windows\\SysWOW64\\mshtml.dll”) is used for DLL Stomping, where the following stage is copied. After loading this DLL, the loader invokes the VirtualProtect function to change the permissions of the .text section to RWX (PAGE_EXECUTE_READWRITE). Subsequently, it copies and writes the next stage (one of the modules embedded in the previous buffer).\r\nAfter writing the shellcode, the permissions are reset to RX and a jump to the new stage is made (“call esi” in the following image). The previously described logic is shown below.\r\nThe new stage creates a new process from the legitimate binary “C:\\Windows\\Syswow64\\ftp.exe” in hidden mode (CREATE_NO_WINDOW flag) to inject the next stage.\r\nThe harmful code forces the “mshtml.dll” DLL to be loaded into the address space of the newly created “ftp.exe” process and modifies its .text section again to replace it with the last stage, which triggers the execution of the final payload. Finally, after the copy, it modifies the context of the main thread to point to the new payload via NtSetContextThread.\r\nThe final payload is currently being analyzed. A Yara rule for the described sample is shared below.\r\nimport \"pe\"\r\n\r\nrule HijackLoader {\r\n    meta:\r\n        description = \"HijackLoader (Andorra Hotel campaign)\"\r\n        author = \"@BorjaMerino (Alpine Security)\"\r\n        version = \"1.0\"\r\n        date = \"2023-09-18\"\r\n    strings:\r\n        $x1 = {4? 39 ?? 89 ?? 74 ?? 0F B6 ?? ?? 18 30 ?? ?? 4? 83 ?? ?? B? 00 00 00 00 74 ?? 89 ?? EB ??}\r\n        $x2 = {64 8B ?? 30 00 00 00 8B ?? 0C 83 ?? 0C}\r\n        $x3 = {90 90 0F B7 ?? 01 ?? 0F B7 ?? 83 C? 02 66 85 ?? 74 ??}\r\n        $x4 = {39 ?? 74 14 8D ?? 01 8B ?? 24 0C 8B ?? 24 39 ?? ?? 01 89 ?? 75 EA}\r\n        $x5 = {90 90 31 ?? ?? 83 C? 04 39 ?? 72 f6}\r\n    condition:\r\n        uint16(0) == 0x5A4D\r\n        and uint16(uint32(0x3C)+0x18) == 0x010B\r\n        and (pe.number_of_signatures > 0)\r\n        and (filesize > 1MB and filesize < 5MB)\r\n        and 2 of ($x*)\r\n}\r\nReferences\r\nStealing More Than Towels: The New InfoStealer Campaign Hitting Hotels and Travel Agencies\r\nTechnical Analysis of HijackLoader\r\nSource: https://alpine-sec.medium.com/hijackloader-targets-hotels-a-technical-analysis-c2795fc4f3a3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://alpine-sec.medium.com/hijackloader-targets-hotels-a-technical-analysis-c2795fc4f3a3"
	],
	"report_names": [
		"hijackloader-targets-hotels-a-technical-analysis-c2795fc4f3a3"
	],
	"threat_actors": [],
	"ts_created_at": 1775791219,
	"ts_updated_at": 1775791336,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fcca7fcd501477381987efdc8fc4d5ab3a91f4a3.pdf",
		"text": "https://archive.orkl.eu/fcca7fcd501477381987efdc8fc4d5ab3a91f4a3.txt",
		"img": "https://archive.orkl.eu/fcca7fcd501477381987efdc8fc4d5ab3a91f4a3.jpg"
	}
}