Update: Hijack Loader Upgraded with New Anti-Detection and Persistence Techniques
Hijack Loader, a malware loader active since 2023, has received significant updates that improve its stealth and persistence. The main change is the introduction of call stack spoofing, which manipulates how function calls appear in memory so that defenders and security tools have a harder time tracing malicious activity: the malware fabricates stack frames to hide the origin of its system and API calls and blend in with legitimate processes. Hijack Loader has also added a module that checks for virtual machines and sandbox environments, helping it avoid being caught during automated malware analysis. Such anti-analysis techniques are commonly used by loaders to evade detection and slow down response efforts. Together, these updates reinforce its role as a reliable delivery tool for second-stage payloads, which are often stealers or remote access tools.

Beyond evasion, the latest version introduces new persistence mechanisms and behavioral tweaks that show ongoing refinement by its operators. It now includes a modTask module that sets up scheduled tasks so the malware runs again automatically after a reboot or user logout. The loader has also updated its internal logic to check for and block specific security processes, with Avast Antivirus a recent addition to its blocklist: if Avast is detected, the malware delays its execution by five seconds in an attempt to sidestep initial behavioral detection. These small but targeted changes show how Hijack Loader adapts to bypass security layers that rely on early process behavior and endpoint monitoring. The loader has previously been linked to campaigns that abuse code-signing certificates and use social engineering to deliver payloads, making it a flexible and dangerous threat. Its continued development suggests that threat actors see long-term value in maintaining and evolving this loader for both targeted attacks and broader malware distribution operations.
Update: FIN7 Deploys Lightweight Python-Based Anubis Backdoor for Remote Access
FIN7, a financially motivated Russian threat actor, has been linked to a Python-based backdoor named Anubis that provides full remote access to Windows systems. The tool is unrelated to the Android banking malware of the same name. Anubis is typically delivered through phishing emails containing ZIP archives, with payloads hosted on compromised SharePoint sites. The infection chain starts with a Python script that decrypts and executes an obfuscated backdoor directly in memory, avoiding disk-based detection. Once active, it communicates with a command-and-control server using Base64-encoded messages over a TCP socket. These messages let attackers perform a range of actions, including file transfers, registry modifications, DLL injection, and collection of environment data. The malware can also terminate itself, giving operators an easy exit when needed.

What makes Anubis particularly dangerous is how lightweight and flexible it is. Instead of bundling features like keylogging or password theft by default, the backdoor lets attackers run those actions remotely via shell commands. This reduces the malware's footprint and helps it evade detection while still giving the attacker full control of the system. FIN7 has a known history of shifting tactics and toolsets, and the use of Anubis aligns with its move toward stealthier, modular approaches to access and exfiltration. The group has also recently promoted tools like AuKill for killing endpoint protection, pointing to an expanding strategy focused on disabling defenses and extending dwell time. Anubis fits squarely into that playbook, offering a quiet but capable foothold in enterprise networks.
Gootloader Returns with Legal Template Lure and Google Ads Delivery
Gootloader is a multi-stage malware framework used primarily to deliver second-stage payloads such as ransomware, banking trojans, and post-exploitation tools. It has reemerged in a new campaign that blends its classic tactics with more modern distribution methods, this time using Google Ads to spread malware disguised as legal document templates. When users search for common forms, such as NDAs or lease agreements, they are served a sponsored ad that leads to a fake legal resource site. These sites look polished and legitimate and ask visitors to submit an email address to receive the requested document. Victims are then emailed a ZIP file that looks like a standard legal document but contains a JavaScript file. Once executed, this script launches the infection chain, establishing persistence via scheduled tasks and using PowerShell to contact C2 servers or download additional payloads. This approach reflects Gootloader's shift from relying on compromised WordPress sites to building attacker-controlled infrastructure and weaponizing legitimate ad platforms.

The malware continues to show a high level of technical sophistication. It uses heavy obfuscation, inflated payloads, and malicious code embedded inside known libraries to avoid detection. Its infection chain is staged and flexible, designed to deliver a range of follow-on payloads including ransomware, banking trojans, and penetration testing tools like Cobalt Strike. Using well-known legal templates adds social engineering credibility, and placing malicious ads in Google search results increases the likelihood of victim engagement. Blocking domains tied to the campaign and reviewing historical network traffic for any contact with them is highly recommended. Organizations should also reinforce user awareness about downloading files from unverified sources and ensure endpoint defenses can detect script-based threats.
Quishing Attacks Surge as Threat Actors Exploit QR Code Trust
A new wave of phishing attacks is gaining traction through QR codes, a method called "quishing." Instead of traditional phishing emails with clickable links, attackers embed malicious URLs inside QR codes and trick users into scanning them with their phones. This lets the attack bypass email filters and exploits the generally weaker security posture of mobile devices. Victims are often redirected to phishing sites impersonating Microsoft 365 or SharePoint login pages, with the user's email address pre-filled to increase credibility. The campaigns span multiple industries, including healthcare, energy, and education, and are heavily active in the U.S. and Europe. QR codes are commonly delivered through PDFs in phishing emails or printed materials, and attackers frequently use open redirect services so that the links appear legitimate while masking the true destination.

What makes quishing particularly effective is its layered evasion strategy and increased personalization. Many phishing flows include human verification steps, like Cloudflare Turnstile, to defeat automated scanning tools and add a sense of legitimacy. Attackers validate credentials in real time, only proceeding if the input matches their target list, which suggests prior reconnaissance. These phishing kits often reject incorrect credentials, revealing that the campaigns are selective and focused. Organizations can reduce exposure by blocking redirection abuse, monitoring DNS traffic for suspicious activity, and improving QR code hygiene in workplace settings. Security awareness training should now cover the risks of scanning codes from unknown or unexpected sources, especially when tied to login requests or document downloads. Quishing is a clear example of attackers evolving their tactics to exploit trust in everyday technology while sidestepping traditional defenses.
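As an added example (not code from the original article), a small Python triage helper for a URL decoded from a QR code: it unwraps open-redirect hops offline by parsing alone, flags a pre-filled email address in the destination, and flags hosts that borrow Microsoft 365 or SharePoint branding without sitting under a legitimate Microsoft zone. The sample URLs, the list of legitimate zones, and the brand keywords are assumptions constructed for the example.

```python
# Added example, not code from the original article. Triage of a URL decoded
# from a QR code: unwrap open-redirect hops without contacting any server, then
# flag the personalisation and impersonation tells described above.
from urllib.parse import urlparse, parse_qs, quote

# Assumption: zones that legitimately host Microsoft 365 / SharePoint logins.
LEGIT_ZONES = ("microsoft.com", "microsoftonline.com", "sharepoint.com", "office.com")
# Assumption: brand words whose presence in a non-Microsoft host is a lookalike tell.
BRAND_KEYWORDS = ("microsoft", "office365", "office", "sharepoint", "onedrive")

def embedded_url(url: str):
    """Return the first absolute http(s) URL carried in a query parameter, or None."""
    for values in parse_qs(urlparse(url).query).values():
        for value in values:  # parse_qs already percent-decodes one layer
            if value.lower().startswith(("http://", "https://")):
                return value
    return None

def final_destination(url: str, max_hops: int = 5) -> str:
    """Follow nested redirect parameters (open-redirect chains) purely by parsing."""
    for _ in range(max_hops):
        nxt = embedded_url(url)
        if nxt is None:
            break
        url = nxt
    return url

def is_legit_host(host: str) -> bool:
    return any(host == z or host.endswith("." + z) for z in LEGIT_ZONES)

def triage(url: str) -> dict:
    """Return the unwrapped destination plus a list of findings (empty if nothing stands out)."""
    dest = final_destination(url)
    first_host = urlparse(url).hostname or ""      # .hostname is already lower-cased
    dest_parts = urlparse(dest)
    dest_host = dest_parts.hostname or ""
    findings = []
    if first_host and dest_host and first_host != dest_host:
        findings.append(f"open redirect: {first_host} -> {dest_host}")
    params = [v for vals in parse_qs(dest_parts.query).values() for v in vals]
    if any("@" in v for v in params + [dest_parts.fragment]):
        findings.append("pre-filled email address in destination URL")
    if any(k in dest_host for k in BRAND_KEYWORDS) and not is_legit_host(dest_host):
        findings.append(f"brand lookalike host: {dest_host}")
    return {"destination": dest, "findings": findings, "suspicious": bool(findings)}

# Constructed sample: a tracker-style redirector wrapping a lookalike login page.
LURE_PAGE = "https://sharepoint-docs.example.test/login?email=user@corp.example"
SAMPLE_QR_URL = "https://redirect.example-tracker.test/r?url=" + quote(LURE_PAGE, safe="")
# Constructed two-hop chain to show nested unwrapping.
NESTED_QR_URL = "https://a.example.test/go?u=" + quote(
    "https://b.example.test/r?next=" + quote("https://sharepoint-docs.example.test/login", safe=""), safe="")
```

Running `triage(SAMPLE_QR_URL)` reports all three findings; a direct link to a page under microsoft.com reports none.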
Open-Source “Prince Ransomware” Behind Devastating Attack on Taiwanese Hospital
A new threat has emerged with the abuse of “Prince Ransomware,” an open-source ransomware builder written in Go that was recently removed from GitHub. With automated encryption features and customizable configurations, the tool lets anyone with basic technical knowledge build working ransomware. Its misuse was recently spotlighted in an attack on Mackay Memorial Hospital in Taiwan, where attackers physically deployed the ransomware via USB, then moved laterally through the network and encrypted over 600 devices. The case illustrates the risk posed by free, public tools that can be weaponized at scale and used in targeted attacks with real-world consequences. The attackers used a toolkit bundled in a file named “bb2[.]zip,” which contained utilities for ransomware deployment, lateral movement, and security evasion. Additional tools terminated antivirus software and monitored or deleted files during the infection. Multiple ransomware variants built with the Prince toolkit have been spotted in the wild, showing how easily the builder can be repurposed. As this trend continues, defenders face increased pressure to adapt quickly to threats that no longer require the backing of major ransomware groups.