{"id":22298,"date":"2024-05-30T10:23:43","date_gmt":"2024-05-30T08:23:43","guid":{"rendered":"https:\/\/www.defencetech.it\/?p=22298"},"modified":"2025-06-10T10:03:34","modified_gmt":"2025-06-10T08:03:34","slug":"hijackloader","status":"publish","type":"post","link":"https:\/\/tinextadefence.it\/en\/hijackloader\/","title":{"rendered":"HijackLoader\u00a0"},"content":{"rendered":"<p>During an OSINT activity, our Malware Lab spotted a suspicious website offering the download of a ZIP file via a MediaFire link.<\/p>\r\n\r\n\r\n\r\n<p>This ZIP file contained a legitimate executable signed by CISCO that, when executed, displayed malicious behaviour.<\/p>\r\n\r\n\r\n\r\n<p>Inside the initial ZIP file was a second ZIP file protected by a password provided on the website.<\/p>\r\n\r\n\r\n\r\n<p>Both ZIP files had names with special characters. The second ZIP file contained several files, including a malicious DLL and an executable called 'setup.exe'.<\/p>\r\n\r\n\r\n\r\n<p>Although 'setup.exe' was legitimate and signed by CISCO, running it on a dynamic analysis platform (AnyRun) revealed malicious behaviour.<\/p>\r\n\r\n\r\n\r\n<p>This happens because, during execution, the legitimate executable loads a malicious DLL included in the ZIP file, a technique known as DLL side-loading.<\/p>\r\n\r\n\r\n\r\n<p>The infection chain involves HijackLoader, a malware loader used to distribute payloads through evasive techniques. The sample analysed by the Malware Lab distributes Vidar, malware that collects credentials from various application profiles, banking details and information on two-factor authentication (2FA) software and Tor Browser.<\/p>\r\n\r\n\r\n\r\n<p>This report illustrates how DLL side-loading is exploited to execute unauthorised code from a legitimate installer, highlighting the infection chain that leads to the installation of HijackLoader and Vidar.<\/p>\r\n\r\n\r\n\r\n<p>If you wish to learn more, here is the link to our <strong><a href=\"https:\/\/tinextadefence.it\/wp-content\/uploads\/2025\/03\/Report-Hijackloader-distributes-Vidar.pdf\">full report<\/a><\/strong>.<\/p>\r\n\r\n\r\n\r\n<p><span data-contrast=\"none\">In addition, you can subscribe to the dedicated mailing list <b>Cyber Studios by Tinexta Defence<\/b> to receive updates on upcoming research: <\/span><a href=\"https:\/\/tinextadefence.it\/en\/cyber-studios-mailing-list\/\"><span data-contrast=\"none\">https:\/\/tinextadefence.it\/mailing-list-cyber-studios\/<\/span><\/a><\/p>","protected":false},"excerpt":{"rendered":"<p>During an OSINT activity, our Malware Lab spotted a suspicious website offering the download of a ZIP file via a MediaFire link.  This ZIP file contained a legitimate executable signed by CISCO that, when executed, displayed malicious behaviour.  
Within the initial ZIP file was a second ZIP file protected by [...].<\/p>","protected":false},"author":2,"featured_media":26257,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[102],"tags":[110],"class_list":["post-22298","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-tinextadefencebusiness","tag-articoli"],"acf":[],
"yoast_head_json":{"title":"HijackLoader - Tinexta Defence","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/tinextadefence.it\/en\/hijackloader\/","og_locale":"en_GB","og_type":"article","og_title":"HijackLoader\u00a0 - Tinexta Defence","og_description":"Durante un&#8217;attivit\u00e0 OSINT, il nostro Malware Lab ha individuato un sito web sospetto che offriva il download di un file ZIP tramite un link MediaFire.\u00a0 Questo file ZIP conteneva un eseguibile legittimo firmato da CISCO che, una volta eseguito, mostrava comportamenti dannosi.\u00a0 All&#8217;interno del file ZIP iniziale era presente un secondo file ZIP protetto da [&hellip;]","og_url":"https:\/\/tinextadefence.it\/en\/hijackloader\/","og_site_name":"Tinexta Defence","article_published_time":"2024-05-30T08:23:43+00:00","article_modified_time":"2025-06-10T08:03:34+00:00","og_image":[{"width":1200,"height":640,"url":"https:\/\/tinextadefence.it\/wp-content\/uploads\/2025\/03\/Tinexta_Defence_evidenza_articolo.jpg","type":"image\/jpeg"}],"author":"Simone Sorte","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Simone Sorte","Estimated reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/tinextadefence.it\/hijackloader\/#article","isPartOf":{"@id":"https:\/\/tinextadefence.it\/hijackloader\/"},"author":{"name":"Simone Sorte","@id":"https:\/\/tinextadefence.it\/#\/schema\/person\/1f5092d13bbba815b7d8508dc4a0a941"},"headline":"HijackLoader\u00a0","datePublished":"2024-05-30T08:23:43+00:00","dateModified":"2025-06-10T08:03:34+00:00","mainEntityOfPage":{"@id":"https:\/\/tinextadefence.it\/hijackloader\/"},"wordCount":252,"publisher":{"@id":"https:\/\/tinextadefence.it\/#organization"},"image":{"@id":"https:\/\/tinextadefence.it\/hijackloader\/#primaryimage"},"thumbnailUrl":"https:\/\/tinextadefence.it\/wp-content\/uploads\/2025\/03\/Tinexta_Defence_evidenza_articolo.jpg","keywords":["Articoli"],"articleSection":["#TDefenceBusiness"],"inLanguage":"en-GB"},{"@type":"WebPage","@id":"https:\/\/tinextadefence.it\/hijackloader\/","url":"https:\/\/tinextadefence.it\/hijackloader\/","name":"HijackLoader - Tinexta Defence","isPartOf":{"@id":"https:\/\/tinextadefence.it\/#website"},"primaryImageOfPage":{"@id":"https:\/\/tinextadefence.it\/hijackloader\/#primaryimage"},"image":{"@id":"https:\/\/tinextadefence.it\/hijackloader\/#primaryimage"},"thumbnailUrl":"https:\/\/tinextadefence.it\/wp-content\/uploads\/2025\/03\/Tinexta_Defence_evidenza_articolo.jpg","datePublished":"2024-05-30T08:23:43+00:00","dateModified":"2025-06-10T08:03:34+00:00","breadcrumb":{"@id":"https:\/\/tinextadefence.it\/hijackloader\/#breadcrumb"},"inLanguage":"en-GB","potentialAction":[{"@type":"ReadAction","target":["https:\/\/tinextadefence.it\/hijackloader\/"]}]},{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/tinextadefence.it\/hijackloader\/#primaryimage","url":"https:\/\/tinextadefence.it\/wp-content\/uploads\/2025\/03\/Tinexta_Defence_evidenza_articolo.jpg","contentUrl":"https:\/\/tinextadefence.it\/wp-content\/uploads\/2025\/03\/Tinexta_Defence_evidenza_articolo.jpg","width":1200,"height":640,"caption":"Immagine in evidenza astratta per gli articoli di Tinexta Defence"},{"@type":"BreadcrumbList","@id":"https:\/\/tinextadefence.it\/hijackloader\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/tinextadefence.it\/"},{"@type":"ListItem","position":2,"name":"HijackLoader\u00a0"}]},{"@type":"WebSite","@id":"https:\/\/tinextadefence.it\/#website","url":"https:\/\/tinextadefence.it\/","name":"Tinexta Defence","description":"think next, protect now","publisher":{"@id":"https:\/\/tinextadefence.it\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/tinextadefence.it\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-GB"},{"@type":"Organization","@id":"https:\/\/tinextadefence.it\/#organization","name":"Tinexta Defence","url":"https:\/\/tinextadefence.it\/","logo":{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/tinextadefence.it\/#\/schema\/logo\/image\/","url":"https:\/\/tinextadefence.it\/wp-content\/uploads\/2025\/03\/Tinexta_Defence_marchio.png","contentUrl":"https:\/\/tinextadefence.it\/wp-content\/uploads\/2025\/03\/Tinexta_Defence_marchio.png","width":2000,"height":990,"caption":"Tinexta Defence"},"image":{"@id":"https:\/\/tinextadefence.it\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/tinextadefence.it\/#\/schema\/person\/1f5092d13bbba815b7d8508dc4a0a941","name":"Simone Sorte","image":{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/tinextadefence.it\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/32dedea25589c73ac8f3d6a24a91a3de89a9dbecfeb8badd55816a91df1c8a31?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/32dedea25589c73ac8f3d6a24a91a3de89a9dbecfeb8badd55816a91df1c8a31?s=96&d=mm&r=g","caption":"Simone Sorte"}}]}}}