Tuesday, 02 January 2024 12:17 GMT

Pirated Downloads Mask Sophisticated Loader Malware Campaign


(MENAFN- The Arabian Post)

Cyber-security researchers have exposed a covert malware distribution effort exploiting pirated software download sites to deliver a modular loader known as HijackLoader, bypassing key defences such as ad-blockers and Microsoft Defender SmartScreen. The campaign has been traced to illegal download pages and SEO-poisoned sites that continue to evade detection, putting users at elevated risk.

HijackLoader, first identified in 2023, has rapidly evolved into a multi-module loader capable of deploying a range of payloads, including the RedLine, Danabot and LummaC2 stealers. Recent technical analyses describe advanced evasion features: call stack spoofing to disguise the origin of system calls, virtual machine detection to evade sandbox analysis, and persistence via scheduled tasks, all designed to sidestep modern endpoint defences.

The infection chain begins when users fetch pirated game or software downloads hosted on compromised or purpose-built domains, occasionally passed off as “safe” on piracy forums and slipping past tools like uBlock Origin. These downloads often carry malicious modules hidden inside images or executables. Once launched, the loader uses DLL side-loading or code injection to insert itself into legitimate Windows processes such as explorer.exe, enabling stealthy execution.

In parallel, threat groups have exploited a known SmartScreen bypass vulnerability, CVE-2024-21412, by embedding malicious payloads within LNK or MSI files distributed through phishing campaigns or fake installers. Attack chains have targeted diverse audiences, from Spanish taxpayers to US logistics firms and Australian citizens, under the guise of official documents, to deliver stealers such as Lumma and Meduza. These attacks combine PowerShell, JavaScript and DLL side-loading, concluding with the deployment of IDAT Loader components (IDAT Loader is another name for HijackLoader).

Investigations show that even after a malicious domain is detected, or a tool such as SmartScreen blocks it, the cat-and-mouse game continues: threat actors shift to new domains, keeping pace with ad-blocker list updates. In one instance, the domain “directsnap.click”, which had not previously been blocked, was later added to denylists; researchers warn, however, that this does not make pirated download sites safe.


HijackLoader's newly added modules, namely ANTIVM, MUTEX, CUSTOMINJECT, modTask, PERSDATA and SM, reflect continuous enhancement of its anti-analysis, injection and persistence capabilities. Zscaler and others have noted how seamlessly these modules are integrated, keeping the loader effective against modern defences.

The malware's arrival on pirated content platforms signals a significant shift: users who rely on ad-blockers or familiar torrent hubs may be lulled into a false sense of security. The operators' use of SEO poisoning ensures their pages rank in search results for cracked software, further expanding the campaign's reach.

This complex threat landscape underscores a pressing need for layered security. Technical experts advise combining behavioural analysis and heuristic detection with robust user-education initiatives that emphasise the risks of pirated downloads and external installers. Many of the exploitation chains depend on user action, such as clicking a link or installing software, which highlights the importance of awareness training.
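The behavioural detection the experts recommend can be sketched against the three tradecraft patterns the article names: DLL side-loading from a user-writable directory, remote-thread injection into explorer.exe, and persistence through a scheduled task whose action lives under a user profile. The script below is an added example written for this page, not code from the researchers or from any vendor; the event records are constructed, not captured telemetry, and follow Sysmon's field names for EventID 1 (process create), 7 (image load) and 8 (CreateRemoteThread). The watch-list of injection targets and the set of user-writable prefixes are assumptions chosen for the example.

```python
"""Toy behavioural triage of constructed Sysmon-style events.

Flags three patterns attributed to HijackLoader on this page:
  dll_sideload   - unsigned DLL loaded from the same user-writable folder
                   as its host executable (classic side-loading layout)
  remote_thread  - a process running from a user-writable path creating a
                   thread in a watch-listed system process (explorer.exe)
  scheduled_task - schtasks /create whose /tr action points into a
                   user-writable path (persistence)
Event records below are constructed for the example, not real telemetry.
"""
import re

# Directories a standard user can write to (assumed list for this example).
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
)

# Processes loaders commonly inject into (assumed watch-list for this example).
INJECTION_TARGETS = {"explorer.exe", "svchost.exe", "rundll32.exe", "cmd.exe"}

# schtasks /tr <action>, either quoted or a bare token.
TR_RE = re.compile(r'/tr\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def _norm(path: str) -> str:
    """Lower-case, backslash-normalised path for prefix comparison."""
    return path.replace("/", "\\").lower()


def in_user_writable(path: str) -> bool:
    return _norm(path).startswith(USER_WRITABLE_PREFIXES)


def basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def dirname(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[0]


def task_action(cmdline: str):
    """Return the /tr action of a schtasks command line, or None."""
    m = TR_RE.search(cmdline)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def triage(events):
    """Return (rule, actor, subject) tuples for every event matching a heuristic."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 7:  # image load
            host, dll = ev["Image"], ev["ImageLoaded"]
            if (ev.get("Signed", "").lower() != "true"
                    and in_user_writable(dll)
                    and dirname(dll) == dirname(host)):
                findings.append(("dll_sideload", host, dll))
        elif eid == 8:  # CreateRemoteThread
            src, tgt = ev["SourceImage"], ev["TargetImage"]
            if in_user_writable(src) and basename(tgt) in INJECTION_TARGETS:
                findings.append(("remote_thread", src, tgt))
        elif eid == 1 and basename(ev.get("Image", "")) == "schtasks.exe":
            cmd = ev.get("CommandLine", "")
            action = task_action(cmd) if "/create" in cmd.lower() else None
            if action and in_user_writable(action):
                findings.append(("scheduled_task", cmd, action))
    return findings


# Constructed sample events: two benign, three matching the heuristics.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\shell32.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Users\bob\AppData\Roaming\Vendor\app.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Roaming\Vendor\version.dll",
     "Signed": "false"},
    {"EventID": 8, "SourceImage": r"C:\Users\bob\AppData\Roaming\Vendor\app.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Updater" /tr "C:\Users\bob\AppData\Roaming\Vendor\app.exe" /sc minute /mo 5 /f'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Backup" /tr "C:\Program Files\Backup\backup.exe" /sc daily'},
]

if __name__ == "__main__":
    for rule, actor, subject in triage(SAMPLE_EVENTS):
        print(f"{rule:15} {actor} -> {subject}")
```

These are starting-point heuristics, not production rules: legitimate per-user installers (Electron and browser updaters, for example) also run from AppData and load unsigned helper DLLs, so in practice each rule needs an allow-list keyed on hash or publisher, and the side-loading check is stronger when the DLL name matches one normally found in System32.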
