HijackLoader, a sophisticated malware loader first discovered in 2023, has evolved with new advanced modules designed to evade security detection and analysis. Also known as IDAT Loader and GHOSTPULSE, this modular malware not only delivers second-stage payloads but also employs various techniques to bypass security software, inject code, and establish persistence on infected systems.

Zscaler researchers identified several new modules in HijackLoader's arsenal, including call stack spoofing to mask the origin of function calls, anti-VM checks to detect analysis environments, and persistence via scheduled tasks. These modules primarily cover configuration information, security evasion, and code execution. One of the most notable additions is the call stack spoofing technique, which conceals the source of API and system calls.

The technique manipulates stack frames to hide malicious activity by replacing the real return addresses with addresses from legitimate system DLLs, making it difficult for security tools to identify suspicious function calls. HijackLoader implements call stack spoofing by using the base pointer register (EBP) to walk the stack through the chain of saved EBP pointers. When executing sensitive operations, the malware retrieves the return address pointers from the stack frames and patches them with random addresses from legitimate DLLs specified in the SM module.

The adoption of these advanced evasion techniques signals a concerning trend in malware sophistication and highlights the need for multi-layered security approaches that can detect such stealthy threats.
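The spoofing described above leaves a testable trace: a genuine return address always sits immediately after a CALL instruction, while a random address patched into a frame from a legitimate DLL almost never does. The following added example (not Zscaler's analysis code and not HijackLoader's) walks an x86 (32-bit) EBP frame chain the way a debugger or EDR stack-walker would and flags frames whose return address lies outside every loaded module, is not preceded by a CALL, or whose saved EBP breaks the chain. The module map, stack frames and code bytes are all constructed for the example, and the CALL-precedence and chain-direction checks are general stack-walking heuristics that go beyond what the article itself states.

```python
"""Defender-side sanity check of a captured x86 EBP frame chain (constructed data)."""
import struct
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass(frozen=True)
class Frame:
    ebp: int        # address of this frame's saved-EBP slot
    saved_ebp: int  # value at [ebp]: the caller's EBP (0 ends the chain)
    ret_addr: int   # value at [ebp+4]: where this function will return to


# Constructed module map, as one would read from a module list or minidump.
MODULES = [
    Module("app.exe", 0x00400000, 0x00010000),
    Module("kernel32.dll", 0x75A00000, 0x000F0000),
    Module("ntdll.dll", 0x77100000, 0x00180000),
]

# Constructed code bytes keyed by start address: a tiny stand-in for reading
# process memory. Only the bytes just before each return address matter.
CODE = {
    0x0040122F: bytes.fromhex("E8CCFEFFFF"),    # call rel32 -> 0x00401100
    0x75A30FFA: bytes.fromhex("FF1510A0A475"),  # call dword ptr [0x75A4A010]
    0x7712ABC7: bytes.fromhex("8B45088B4D0C"),  # mov eax,[ebp+8]; mov ecx,[ebp+0Ch]
    0x75A12340: bytes.fromhex("E8BB2CFFFF"),    # call rel32 -> 0x75A05000
}

# Constructed stack: frame 2 carries a random ntdll address patched in as its
# return address; its EBP chain is intact, so only the CALL check catches it.
SAMPLE_STACK = [
    Frame(0x0019FF20, 0x0019FF40, 0x00401234),  # app.exe, genuine
    Frame(0x0019FF40, 0x0019FF60, 0x75A31000),  # kernel32, genuine (call [mem])
    Frame(0x0019FF60, 0x0019FF80, 0x7712ABCD),  # ntdll, patched return address
    Frame(0x0019FF80, 0x00000000, 0x75A12345),  # kernel32, genuine, end of chain
]


def read(addr: int, n: int) -> Optional[bytes]:
    """Return n bytes at addr from the constructed memory map, or None if unmapped."""
    for start, blob in CODE.items():
        if start <= addr and addr + n <= start + len(blob):
            return blob[addr - start:addr - start + n]
    return None


def module_for(addr: int) -> Optional[Module]:
    return next((m for m in MODULES if m.contains(addr)), None)


def preceded_by_call(ret: int) -> bool:
    """True if the bytes immediately before ret decode to a CALL instruction."""
    b5 = read(ret - 5, 5)
    if b5 and b5[0] == 0xE8:                     # E8 rel32: direct call
        rel = struct.unpack("<i", b5[1:])[0]
        return module_for(ret + rel) is not None  # the call target must be mapped too
    b6 = read(ret - 6, 6)
    if b6 and b6[0] == 0xFF and b6[1] == 0x15:   # FF 15 disp32: call [absolute]
        return True
    b2 = read(ret - 2, 2)
    if b2 and b2[0] == 0xFF and (b2[1] & 0xF8) == 0xD0:  # FF D0..D7: call reg
        return True
    return False


def audit_stack(frames: List[Frame]) -> List[str]:
    """Walk the EBP chain and report frames that look tampered with."""
    findings = []
    for i, f in enumerate(frames):
        mod = module_for(f.ret_addr)
        if mod is None:
            findings.append(f"frame {i}: return address {f.ret_addr:#010x} is outside every module")
        elif not preceded_by_call(f.ret_addr):
            findings.append(f"frame {i}: {f.ret_addr:#010x} ({mod.name}) is not preceded by a CALL")
        # The stack grows downward, so a saved EBP must point above the current
        # frame and must be the EBP of the next frame in the chain.
        if f.saved_ebp:
            if f.saved_ebp <= f.ebp:
                findings.append(f"frame {i}: saved EBP {f.saved_ebp:#010x} does not point above frame at {f.ebp:#010x}")
            elif i + 1 < len(frames) and frames[i + 1].ebp != f.saved_ebp:
                findings.append(f"frame {i}: saved EBP {f.saved_ebp:#010x} does not match next frame")
    return findings


if __name__ == "__main__":
    for line in audit_stack(SAMPLE_STACK):
        print(line)
```

On the constructed stack only frame 2 is reported, because its chain is consistent and its return address is inside ntdll.dll; what gives it away is that the instruction before it is a MOV rather than a CALL. A real stack-walker would read the bytes from process memory instead of the `CODE` table, and on x64 would use unwind information rather than an EBP chain, but the return-address check itself carries over unchanged.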
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 01 Apr 2025 13:45:04 +0000