In December 2025 Zscaler ThreatLabz discovered SnappyClient, a C++-based command-and-control implant delivered via HijackLoader that provides remote access, keylogging, screenshot capture, browser/extension and application data theft, and targeted cryptocurrency theft. The implant uses multiple evasion techniques (AMSI bypass, Heaven’s Gate, direct syscalls, transacted hollowing), a custom ChaCha20-Poly1305 encrypted protocol, and configurable EventsDB/SoftwareDB payloads—strongly suggesting ties between SnappyClient and HijackLoader. #SnappyClient #HijackLoader
Keypoints
- Zscaler ThreatLabz identified SnappyClient in December 2025, delivered primarily via HijackLoader and via impersonation phishing pages targeting German-speaking users.
- SnappyClient is a feature-rich C++ C2 implant that supports screenshots, keylogging, a remote shell, process and file operations, browser/profile cloning, extension theft, and other data-exfiltration capabilities.
- The malware employs advanced evasion such as an AMSI bypass (hooks AmsiScanBuffer/AmsiScanString), Heaven’s Gate direct syscalls, and transacted hollowing for process injection and bypassing App-Bound Encryption.
- Configuration is delivered as embedded JSON plus two encrypted configuration files (EventsDB and SoftwareDB) that control triggers, targeted applications/extensions, and exfiltration actions.
- Network communications use a custom TCP protocol with Snappy compression and ChaCha20-Poly1305 encryption; registration and control/data sessions are separated by control (p) and data (dp) ports.
- Post-infection behavior indicates financial motive and crypto-focused targeting: clipboard monitoring for Ethereum addresses, screenshots of crypto exchange windows, and theft targeting browsers, wallet extensions (Coinbase, Metamask, etc.), and crypto apps (Exodus, LedgerLive, TrezorSuite).
- Zscaler detects the threat across its platform (Win32.Trojan.SnappyClient and Win32.Downloader.HijackLoader) and published IOCs including multiple SHA256 hashes and C2 IP:port pairs.
MITRE Techniques
- [T1566] Phishing – Phishing pages are used to deliver the initial executable file. (‘Phishing pages are used to deliver the initial executable file’)
- [T1204.002] User Execution: Malicious File – The victim executes the downloaded HijackLoader/SnappyClient payload. (‘The initial executable file is executed by the victim which leads to SnappyClient.’)
- [T1562.001] Impair Defenses: Disable or Modify Tools – SnappyClient hooks AMSI APIs to force AMSI results to clean. (‘SnappyClient installs hooks on AMSI-related APIs as a part of evasion.’)
- [T1140] Deobfuscate/Decode Files or Information – Network configuration and other payloads are stored and decoded from encrypted/obfuscated containers. (‘SnappyClient stores its network configuration details in an encrypted form.’)
- [T1027] Obfuscated Files or Information – Important files and configuration streams are encrypted on disk using ChaCha20. (‘SnappyClient writes its important files to disk in an encrypted format using the ChaCha20 cipher.’)
- [T1055] Process Injection – Uses transacted hollowing and injection techniques similar to HijackLoader to inject payloads and retrieve Chromium master keys. (‘SnappyClient uses transacted hollowing for injecting the payload.’)
- [T1555] Credentials from Password Stores – Commands enable theft of saved browser passwords. (‘SnappyClient includes commands that enable theft of saved browser passwords.’)
- [T1539] Steal Web Session Cookie – Commands support cookie theft from browsers. (‘SnappyClient includes commands that enable cookie theft.’)
- [T1053.005] Scheduled Task – Attempts persistence via scheduled tasks when configured. (‘SnappyClient can establish persistence using scheduled tasks.’)
- [T1547.001] Registry Run Keys / Startup Folder – Can fall back to registry autorun keys for persistence. (‘SnappyClient can establish persistence using scheduled registry run keys.’)
- [T1010] Application Window Discovery – Uses window title filters to trigger actions based on active application windows. (‘SnappyClient includes commands that support application window discovery.’)
- [T1057] Process Discovery – Supports enumerating and manipulating processes (suspend/resume/terminate). (‘SnappyClient includes commands that support process discovery.’)
- [T1082] System Information Discovery – Registration message collects system information (RAM, CPU count, OS version, monitors, installed AV). (‘SnappyClient registration performs system information discovery.’)
- [T1083] File and Directory Discovery – Commands list, search, archive, extract, copy, rename, and delete filesystem content. (‘SnappyClient includes commands that support file and directory discovery.’)
- [T1056.001] Input Capture: Keylogging – Keylogger file collection and exfiltration supported. (‘SnappyClient includes commands that support keylogging.’)
- [T1113] Screen Capture – Commands capture screenshots of specified monitors/foreground windows. (‘SnappyClient includes commands that support screen capture.’)
- [T1115] Clipboard Data – Clipboard monitoring and replacement/exfiltration triggers (e.g., Ethereum address regex) are supported. (‘SnappyClient includes commands that support clipboard data collection.’)
- [T1573] Encrypted Channel – All network communications use ChaCha20-Poly1305 encryption. (‘SnappyClient network communications are encrypted using ChaCha20-Poly1305.’)
- [T1041] Exfiltration Over C2 Channel – Exfiltrates data (files, credentials, screenshots, clipboard) over its C2/data sessions. (‘SnappyClient exfiltrates victim data over its C2 channel.’)
Indicators of Compromise
- [SHA256] SnappyClient samples – 61e103db36ebb57770443d9249b5024ee0ae4c54d17fe10c1d44e87e2fc5ee99, 23e2a0c25c95eebe1a593b27ac1b81a73b23ddad7617b3b11c69a89c3d49812e, and 4 more hashes.
- [IP:Port] C2 control and data sessions – 151.242.122.227:3333 (control), 151.242.122.227:3334 (data), 179.43.167.210:3333 (control), 179.43.167.210:3334 (data).
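As an added example (not code from the page or from Zscaler), the Python script below matches the published C2 IP:port pairs and SHA256 hashes against constructed firewall and EDR log lines, and uses the control (3333) / data (3334) port split from the protocol description to single out hosts that opened both sessions to the same C2 IP. The log layouts, host names and sample lines are assumptions.

```python
import re
from collections import defaultdict

# SHA256 hashes and C2 IP:port pairs as published on the page.
SNAPPYCLIENT_SHA256 = {
    "61e103db36ebb57770443d9249b5024ee0ae4c54d17fe10c1d44e87e2fc5ee99",
    "23e2a0c25c95eebe1a593b27ac1b81a73b23ddad7617b3b11c69a89c3d49812e",
}
# Port 3333 carries the control (p) session, port 3334 the data (dp) session.
SNAPPYCLIENT_C2 = {
    ("151.242.122.227", 3333): "control", ("151.242.122.227", 3334): "data",
    ("179.43.167.210", 3333): "control", ("179.43.167.210", 3334): "data",
}
# Assumed, hypothetical log layouts (not from the page):
#   firewall: "<ts> proto=tcp src=<ip>:<port> dst=<ip>:<port> action=allow"
#   edr:      "<ts> host=<ip> proc=<name> sha256=<hash>"
CONN_RE = re.compile(r"src=(\d{1,3}(?:\.\d{1,3}){3}):\d+ dst=(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")
HASH_RE = re.compile(r"host=(\S+) .*sha256=([0-9a-fA-F]{64})\b")

def scan(lines):
    """Map each internal host to the set of SnappyClient IoCs observed for it."""
    findings = defaultdict(set)
    for line in lines:
        m = CONN_RE.search(line)
        if m and (m.group(2), int(m.group(3))) in SNAPPYCLIENT_C2:
            role = SNAPPYCLIENT_C2[(m.group(2), int(m.group(3)))]
            findings[m.group(1)].add(f"c2_{role}:{m.group(2)}")
        m = HASH_RE.search(line)
        if m and m.group(2).lower() in SNAPPYCLIENT_SHA256:
            findings[m.group(1)].add(f"sha256:{m.group(2).lower()[:12]}")
    return dict(findings)

def full_sessions(findings):
    """(host, c2_ip) pairs where the host opened BOTH the control and the data port."""
    out = set()
    for host, items in findings.items():
        ctrl = {i.split(":")[1] for i in items if i.startswith("c2_control:")}
        data = {i.split(":")[1] for i in items if i.startswith("c2_data:")}
        out.update((host, ip) for ip in ctrl & data)
    return out

# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "2025-12-03T10:00:01Z proto=tcp src=10.0.0.5:49152 dst=151.242.122.227:3333 action=allow",
    "2025-12-03T10:00:02Z proto=tcp src=10.0.0.5:49153 dst=151.242.122.227:3334 action=allow",
    "2025-12-03T10:00:05Z proto=tcp src=10.0.0.9:49200 dst=179.43.167.210:3333 action=allow",
    "2025-12-03T10:00:07Z proto=tcp src=10.0.0.7:49300 dst=198.51.100.10:443 action=allow",
    "2025-12-03T10:01:00Z host=10.0.0.5 proc=setup.exe sha256=61E103DB36EBB57770443D9249B5024EE0AE4C54D17FE10C1D44E87E2FC5EE99",
]
```

A host seen on only one of the two ports (10.0.0.9 above) is still a hit on the C2 address, but a control-plus-data pair to the same IP is the stronger signal of an established SnappyClient session.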
Read more: https://www.zscaler.com/blogs/security-research/technical-analysis-snappyclient