{"id":11456,"date":"2026-03-19T10:03:38","date_gmt":"2026-03-19T10:03:38","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/03\/19\/new-snappyclient-implant-combines-remote-access-data-theft-and-advanced-evasion\/"},"modified":"2026-03-19T10:03:38","modified_gmt":"2026-03-19T10:03:38","slug":"new-snappyclient-implant-combines-remote-access-data-theft-and-advanced-evasion","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/03\/19\/new-snappyclient-implant-combines-remote-access-data-theft-and-advanced-evasion\/","title":{"rendered":"New SnappyClient Implant Combines Remote Access, Data Theft and Advanced Evasion"},"content":{"rendered":"<div>\n<p>A dangerous new malware implant called SnappyClient has quietly emerged as a serious threat to Windows users, combining remote access, data theft, and sophisticated evasion techniques in one compact C++ package. <\/p>\n<p>First spotted in December 2025, this command-and-control (C2) framework implant can log keystrokes, take screenshots, launch a remote terminal, and pull sensitive data from browsers and applications \u2014 all while avoiding detection by <a href=\"https:\/\/cybersecuritynews.com\/best-cloud-security-tools\/\" id=\"11635\" target=\"_blank\" rel=\"noreferrer noopener\">security tools<\/a>.<\/p>\n<p>The attack chain begins with a convincingly fake website impersonating Telef\u00f3nica, the well-known telecommunications company. German-speaking users who visit the page are automatically served a HijackLoader download. <\/p>\n<p>Once the victim runs the file, HijackLoader decrypts and loads SnappyClient directly into memory. 
<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjkMFOmt6RaBq4nKqFeQkZ6i7NUdc-H9OrNjKWzBoSWQjNDLIMbRTSm_AEy4GM-d-41Gr5yYfABhPgRkt0SEFv71oof60SlkkRzBnr44Pc4KdCGe9xymOMcA01x545dE2TfrwwTLH2OnhwNIPphCD8lX_bf_GvetnEhl5nkSdpbfPki5RSwc5kuXJYaDoY\/s16000\/Attack%2520chain%2520%28Source%2520-%2520Zscaler%29.webp?ssl=1\" alt=\"Attack chain (Source - Zscaler)\"><figcaption class=\"wp-element-caption\">Attack chain (Source \u2013 Zscaler)<\/figcaption><\/figure>\n<\/div>\n<p>A second delivery method was also observed in early February 2026, where attackers used a ClickFix trick shared via X (formerly Twitter), again dropping SnappyClient through GhostPulse and HijackLoader.<\/p>\n<p><a href=\"https:\/\/www.zscaler.com\/blogs\/security-research\/technical-analysis-snappyclient\" id=\"https:\/\/www.zscaler.com\/blogs\/security-research\/technical-analysis-snappyclient\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Zscaler ThreatLabz researchers identified SnappyClient<\/a> in December 2025 while tracking HijackLoader activity across their telemetry. Their analysis revealed that SnappyClient communicates with its C2 server over TCP using a fully custom protocol. <\/p>\n<p>Every message is compressed with the Snappy algorithm and encrypted using ChaCha20-Poly1305, making network traffic significantly harder for defenders to inspect.<\/p>\n<p>SnappyClient targets a wide range of applications for data theft. It goes after ten browsers including Chrome, Firefox, Edge, Opera, and Brave, harvesting saved passwords, session cookies, and full browser profiles. <\/p>\n<p>The malware also hunts for cryptocurrency-related extensions such as MetaMask, Phantom, TronLink, Coinbase Wallet, and TrustWallet. 
Standalone <a href=\"https:\/\/cybersecuritynews.com\/what-drives-crypto-prices-key-factors-behind-market-fluctuations\/\" id=\"116858\" target=\"_blank\" rel=\"noreferrer noopener\">crypto applications<\/a> including Exodus, Atomic, Electrum, and Ledger Live are targeted as well. <\/p>\n<p>Network analysis confirmed that cryptocurrency theft is the primary financial goal driving these campaigns.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjEgUkGavBsqFrk8_Q-O98uzJyeHMzEKgPLCjoDUsXa9BTWH5R537OZAN2N8ZfgWPjPzwjb9RGekxAw6QNKRo2bHO3hL53I4wCaIUw2saVV6sBNtIs4SVOmazZSPEuE6xCKCdDCGQz50Lb8eAVPhk6MqDejXMzm-mfAAu4JmAnX1t2720o-xaGNmkzjg0s\/s16000\/Fake%2520Telef%25C3%25B3nica%2520Website%2520Delivering%2520HijackLoader%2520%28Source%2520-%2520Zscaler%29.webp?ssl=1\" alt=\"Fake Telef\u00f3nica Website Delivering HijackLoader (Source - Zscaler)\"><figcaption class=\"wp-element-caption\">Fake Telef\u00f3nica Website Delivering HijackLoader (Source \u2013 Zscaler)<\/figcaption><\/figure>\n<\/div>\n<p>Beyond stealing data, SnappyClient supports reverse proxies for FTP, VNC, SOCKS5, and RLOGIN, giving attackers multiple pathways inside a victim\u2019s network. <\/p>\n<p>It monitors clipboard content in real time, silently swapping out Ethereum wallet addresses to redirect <a href=\"https:\/\/cybersecuritynews.com\/crypto-in-everyday-transactions\/\" id=\"87419\" target=\"_blank\" rel=\"noreferrer noopener\">crypto transactions<\/a>. 
<\/p>\n<p>Two dynamic configuration files \u2014 EventsDB and SoftwareDB \u2014 are pushed by the C2 server to direct the implant on which applications to target and what actions to take, making it flexible without requiring redeployment.<\/p>\n<h2 class=\"wp-block-heading\" id=\"inside-snappyclients-evasion-and-persistence\"><strong>Inside SnappyClient\u2019s Evasion and Persistence<\/strong><\/h2>\n<p>What makes SnappyClient hard to stop is how efficiently it dismantles the security controls meant to catch it. From the moment it starts, the implant hooks Windows\u2019\u00a0<code>LoadLibraryExW<\/code>\u00a0function and monitors for any attempt to load\u00a0<code>amsi.dll<\/code>. <\/p>\n<p>When detected, it patches\u00a0<code>AmsiScanBuffer<\/code>\u00a0and\u00a0<code>AmsiScanString<\/code>\u00a0to always return a clean result, silently disabling Windows\u2019 Antimalware Scan Interface without raising any alerts.<\/p>\n<p>To bypass user-mode API hooks placed by endpoint security products, SnappyClient uses Heaven\u2019s Gate, switching execution between 32-bit and 64-bit modes to issue direct system calls that skip the monitored API layers. <\/p>\n<p>It also maps a clean copy of\u00a0<code>ntdll.dll<\/code>\u00a0into memory, accessing core Windows functions without interference. 
These patterns closely mirror HijackLoader\u2019s design, pointing to a likely connection between the developers of both tools.\u00a0<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgJZ-ayyJ8tlBTAgo3Lns1dnp_ouE_HpdXxBDhn6nLpLafQpWgEnnqc5PFaM7vB8Q5aZC1RtWK3rW9MhNhoeHBoB7x7ORuUyK2iZPInYIvUE9Mb745syxglN7RhQVthNBf_96DI7sdsJRKI4czSo1rKIIxMQHhpBMWAuUjXvmGpnX0yyGqsjptM2lo9PSM\/s16000\/API%2520structure%2520layout%2520of%2520HijackLoader%2520and%2520SnappyClient%2520%28Source%2520-%2520Zscaler%29.webp?ssl=1\" alt=\"API structure layout of HijackLoader and SnappyClient (Source - Zscaler)\"><figcaption class=\"wp-element-caption\">API structure layout of HijackLoader and SnappyClient (Source \u2013 Zscaler)<\/figcaption><\/figure>\n<\/div>\n<p>For persistence, SnappyClient first registers a scheduled task that fires at every user logon. If that fails, it writes an autorun entry under\u00a0<code>Software\\Microsoft\\Windows\\CurrentVersion\\Run<\/code>. <\/p>\n<p>The implant copies itself to a configured path and launches from there, terminating the original process. <\/p>\n<p>All sensitive files stored on disk \u2014 including the keylogger file, EventsDB, and SoftwareDB \u2014 are encrypted with ChaCha20, making forensic recovery considerably harder.<\/p>\n<p>Users and organizations should avoid downloading executable files from unverified websites, even those appearing to represent known brands. <\/p>\n<p>Security teams should monitor for unusual scheduled task creation and suspicious registry run key changes, as early warning signs of SnappyClient\u2019s persistence routine. 
<\/p>\n<p><a href=\"https:\/\/cybersecuritynews.com\/real-time-endpoint-threat-detection\/\" id=\"107414\" target=\"_blank\" rel=\"noreferrer noopener\">Endpoint detection<\/a> rules should cover Heaven\u2019s Gate execution patterns and transacted hollowing behavior. Keeping browsers updated lowers the risk of App-Bound Encryption bypass. Regularly auditing installed browser extensions \u2014 especially those linked to cryptocurrency wallets \u2014 is strongly recommended.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/new-snappyclient-implant-combines\/\">New SnappyClient Implant Combines Remote Access, Data Theft and Advanced Evasion<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Tushar Subhra Dutta<\/p>\n","protected":false},"excerpt":{"rendered":"<p>New SnappyClient Implant Combines Remote Access, Data Theft and Advanced Evasion A dangerous new malware implant called SnappyClient has quietly emerged as a serious threat to Windows users, combining remote access, data theft, and sophisticated evasion techniques in one compact C++ package. First spotted in December 2025, this command-and-control (C2) framework implant can log keystrokes, [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-11456","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/11456"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=11456"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/11456\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=11456"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=11456"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=11456"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}