Pirated Downloads Mask Sophisticated Loader Malware Campaign

Cyber-security researchers have exposed a covert malware distribution effort exploiting pirated software download sites to deliver a modular loader known as HijackLoader, bypassing key defences such as ad-blockers and Microsoft Defender SmartScreen. The campaign has been traced to illegal download pages and SEO-poisoned sites that continue to evade detection, putting users at elevated risk.

HijackLoader, first identified in 2023, has rapidly evolved into a multi-module loader capable of deploying various malware payloads such as RedLine, Danabot and LummaC2 stealers. Recent technical analyses reveal the inclusion of advanced evasion features—call stack spoofing to disguise system calls, virtual machine detection to evade sandbox analysis and persistent installation via scheduled tasks—all designed to sidestep modern endpoint defences.

The infection chain begins when users access pirated game or software downloads hosted on compromised or purpose-built domains—occasionally masquerading as “safe” on piracy forums and bypassing tools like uBlock Origin. These downloads often contain malicious modules disguised within images or executables. Once initiated, the loader employs DLL side-loading or code injection techniques to insert itself into legitimate Windows processes such as explorer.exe, enabling stealthy execution.


In parallel, threat groups have exploited a known SmartScreen bypass vulnerability, CVE-2024-21412, by embedding malicious payloads within LNK or MSI files distributed through phishing campaigns or fake installers. Attack chains have targeted diverse audiences—from Spanish taxpayers to US logistics firms and Australian citizens under the guise of official documents—to deliver stealers such as Lumma and Meduza. These attacks combine PowerShell, JavaScript and DLL side-loading, concluding with the deployment of IDAT loader components.

Investigations reveal that even after malicious domains are detected or flagged by tools like SmartScreen, the cat-and-mouse dynamic persists: threat actors shift to new domains, keeping pace with ad-blocker updates. In one instance, the domain “directsnap.click”, previously unblocked, was later denylisted; however, researchers warn that this does not render pirated download sites safe.

HijackLoader’s newly added modules—namely ANTIVM, MUTEX, CUSTOMINJECT, modTask, PERSDATA, and SM—reflect a continuous enhancement of its anti-analysis, injection and persistence capabilities. Zscaler and others have noted its ability to integrate these modules seamlessly, maintaining effectiveness against modern defences.
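The scheduled-task persistence described above leaves a trace defenders can hunt for: Windows logs a Security event 4698 whenever a task is created. The following Python script is an added illustration, not code from the article or from any vendor analysis it refers to; it runs over constructed sample events in an assumed flattened layout (real 4698 events carry the task definition as XML) and flags tasks whose action runs from a user-writable directory, either directly or through a signed proxy binary such as rundll32.exe.

```python
import re
from typing import Dict, List

# Constructed sample: four Windows Security 4698 (scheduled task created) events,
# flattened to one line each for this example. They are not taken from the article.
SAMPLE_EVENTS = [
    '4698 Subject=CORP\\alice TaskName=\\Microsoft\\Windows\\Defrag\\ScheduledDefrag '
    'Command="%windir%\\system32\\defrag.exe" Arguments="-c -h"',
    '4698 Subject=CORP\\alice TaskName=\\Updater '
    'Command="C:\\Users\\alice\\AppData\\Roaming\\svc\\updater.exe" Arguments="--quiet"',
    '4698 Subject=CORP\\bob TaskName=\\Adobe Acrobat Update Task '
    'Command="C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe" Arguments=""',
    '4698 Subject=CORP\\bob TaskName=\\OneDrive Sync '
    'Command="rundll32.exe" Arguments="C:\\Users\\bob\\Downloads\\setup\\helper.dll,Run"',
]

# Assumed flattened field layout (real 4698 events carry the task definition as XML).
EVENT_RE = re.compile(
    r'^4698 Subject=(?P<subject>\S+) TaskName=(?P<task>.+?) '
    r'Command="(?P<cmd>[^"]*)" Arguments="(?P<args>[^"]*)"$'
)

# Directories an ordinary user can write to: a task launched from one of them was not
# installed by the OS or by a properly installed application, so it deserves a look.
USER_WRITABLE_RE = re.compile(
    r'\\users\\[^\\]+\\(appdata|downloads|desktop)\\|\\temp\\|\\programdata\\',
    re.IGNORECASE,
)

# Signed Windows binaries often used to run a payload indirectly; for these the
# interesting path sits in the arguments rather than in the command itself.
PROXY_BINARIES = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}


def parse_event(line: str) -> Dict[str, str]:
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised 4698 record: {line!r}")
    return m.groupdict()


def is_suspicious(ev: Dict[str, str]) -> bool:
    """True when the task runs, or hands a proxy binary, a file in a user-writable path."""
    cmd_base = ev["cmd"].rsplit("\\", 1)[-1].lower()
    target = ev["args"] if cmd_base in PROXY_BINARIES else ev["cmd"]
    return USER_WRITABLE_RE.search(target) is not None


def find_suspicious_tasks(lines: List[str]) -> List[Dict[str, str]]:
    return [ev for ev in map(parse_event, lines) if is_suspicious(ev)]
```

Calling `find_suspicious_tasks(SAMPLE_EVENTS)` returns the two tasks that point into a user profile, while the Defrag and Adobe tasks pass; in production the same rule would run over exported 4698 events from the real event log.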

The malware’s arrival on pirated content platforms signals a significant shift: users who rely on ad-blockers or familiar torrent hubs may be lulled into a false sense of security. HijackLoader’s use of SEO manipulation and poisoning ensures visibility in search results for cracked software, further expanding its reach.

This complex threat landscape underscores a pressing need for layered security approaches. Technical experts advise combining behavioural analysis and heuristic detection with robust user-education initiatives, emphasising the risks associated with pirated downloads and external installers. Many of the exploitation chains depend on a user action, such as clicking a link or installing software, which highlights the importance of awareness training.



Notice an issue?

Arabian Post strives to deliver the most accurate and reliable information to its readers. If you believe you have identified an error or inconsistency in this article, please don't hesitate to contact our editorial team at editor[at]thearabianpost[dot]com. We are committed to promptly addressing any concerns and ensuring the highest level of journalistic integrity.

