In late 2025, researchers identified a previously undocumented command-and-control (C2) malware framework now referred to as SnappyClient. This threat is typically deployed through a loader known as HijackLoader and is designed to provide attackers with remote access, surveillance capabilities, and extensive data exfiltration functions.
SnappyClient is written in C++ and demonstrates a strong focus on stealth, persistence, and financial gain, particularly targeting cryptocurrency-related assets. The malware incorporates advanced evasion methods and encrypted communications, making detection and analysis significantly more difficult.

Key Findings
SnappyClient operates as a multifunctional implant capable of logging keystrokes, capturing screenshots, executing commands remotely, and extracting sensitive information from browsers and applications. It avoids detection using several techniques such as bypassing AMSI protections, leveraging direct system calls, and performing process injection using transacted hollowing.
The malware retrieves multiple configurations from its C2 infrastructure. These configurations define behavioral rules, targeted applications, and data collection strategies. Communication between the infected host and the attacker is secured using ChaCha20-Poly1305 encryption, ensuring confidentiality of transmitted data.
Infection Chain Overview
The infection typically begins with a fake website impersonating a telecom provider, often targeting German-speaking users. When a victim accesses the site, a malicious executable is silently downloaded. If executed, this file loads HijackLoader, which then decrypts and launches SnappyClient.
Other delivery methods have also been observed, including social media-based infection chains leveraging techniques such as ClickFix.
Technical Breakdown
Configuration and Behavior
SnappyClient contains embedded configuration data in JSON format. This includes identifiers, file paths, persistence mechanisms, and targeting logic. It also downloads additional encrypted configuration files that define specific attack actions and software targets.
Before executing, the malware checks whether the system has been “banned” by the operators, and it uses a shared-memory mechanism to ensure that only the most recent version of the implant is running on the host.
Capabilities
SnappyClient supports a wide range of attacker-controlled actions, including:
- Screenshot capture and monitoring of active windows
- Clipboard inspection and manipulation
- Keylogging and file system exploration
- Browser credential and cookie theft
- Execution of arbitrary commands or files
- Remote shell access and hidden VNC sessions
It specifically targets browsers, crypto wallets, and extensions such as MetaMask and Coinbase.
Network Communication
The malware uses a custom TCP-based protocol for communication. All data is compressed and encrypted before transmission. It maintains a primary control session and can spawn multiple data sessions for file transfers and exfiltration.
Initial communication includes system profiling data such as username, OS version, installed software, and hardware details.
Post-Infection Activity
Analysis shows a strong focus on cryptocurrency theft. The malware monitors clipboard data for wallet addresses and observes activity on platforms like Binance and Coinbase. When such activity is detected, it captures screenshots and exfiltrates relevant data.
Link to HijackLoader
Code-level similarities strongly suggest a relationship between SnappyClient and HijackLoader. Both share similar API structures, injection techniques, and syscall implementations. Additionally, HijackLoader appears to be the exclusive delivery mechanism observed so far.
Indicators of Compromise (IOCs)
- Multiple SHA256 hashes associated with different versions
- C2 servers identified on ports 3333 (control) and 3334 (data)
- Known malicious IPs include 151.242.122.227 and 179.43.167.210
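The two network indicators above can be turned into a simple triage rule. The following is an added example (not from the original report or its authors): it scans constructed connection records for contact with the listed C2 addresses and for the control-plus-data port pair described in the Network Communication section. The record format and all sample hosts are assumptions.

```python
"""Flag connections matching the SnappyClient C2 indicators listed above."""
from collections import defaultdict

# Indicators taken from the IOC list in this write-up.
KNOWN_C2_IPS = {"151.242.122.227", "179.43.167.210"}
C2_CONTROL_PORT = 3333
C2_DATA_PORT = 3334


def parse_conn_line(line):
    """Parse one 'ts src_ip src_port dst_ip dst_port proto' record (constructed format)."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, _sport, dst, dport, proto = parts
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto.lower()}


def score_connections(lines):
    """Return a list of (source_host, reason) findings.

    Rule 1: any TCP connection to a listed C2 address (high confidence).
    Rule 2: one host reaching the same destination on both 3333 and 3334,
            matching the control + data session pattern (medium confidence;
            port 3333 alone is also used by legitimate services such as
            mining pools, so the pair is required rather than either port).
    """
    findings = []
    ports_by_pair = defaultdict(set)  # (src, dst) -> destination ports seen
    for line in lines:
        rec = parse_conn_line(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        if rec["dst"] in KNOWN_C2_IPS:
            findings.append((rec["src"], f"tcp to listed C2 {rec['dst']}:{rec['dport']}"))
        ports_by_pair[(rec["src"], rec["dst"])].add(rec["dport"])
    for (src, dst), ports in ports_by_pair.items():
        if {C2_CONTROL_PORT, C2_DATA_PORT} <= ports and dst not in KNOWN_C2_IPS:
            findings.append((src, f"control+data port pair 3333/3334 to {dst}"))
    return findings


# Constructed sample records (not real telemetry): ts src sport dst dport proto
SAMPLE_LOG = [
    "1700000000.1 10.0.0.5 49152 151.242.122.227 3333 tcp",   # listed C2, control
    "1700000001.2 10.0.0.5 49153 151.242.122.227 3334 tcp",   # listed C2, data
    "1700000002.3 10.0.0.7 49200 198.51.100.20 3333 tcp",     # unknown host, but
    "1700000003.4 10.0.0.7 49201 198.51.100.20 3334 tcp",     # ... full port pair
    "1700000004.5 10.0.0.9 49300 198.51.100.30 3333 tcp",     # 3333 alone: ignored
    "1700000005.6 10.0.0.9 49301 198.51.100.30 3334 udp",     # not tcp: ignored
    "1700000006.7 10.0.0.11 49400 203.0.113.8 443 tcp",       # benign
]

if __name__ == "__main__":
    for host, why in score_connections(SAMPLE_LOG):
        print(f"{host}: {why}")
```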
MITRE ATT&CK Mapping
The malware aligns with several ATT&CK techniques, including phishing (T1566), process injection (T1055), credential theft (T1555), encrypted communication (T1573), and data exfiltration (T1041).
CyberP1 Opinion
From a defensive standpoint, SnappyClient represents a notable evolution in modern cybercrime tooling. What makes this threat particularly concerning is not just its feature set, but the level of coordination and engineering behind it. The integration with HijackLoader suggests a modular ecosystem where different malware components are developed and maintained separately, yet operate seamlessly together. This reflects a professionalized cybercrime model rather than isolated malicious activity.
The malware’s emphasis on cryptocurrency targeting is also significant. Instead of broadly harvesting data, it focuses on high-value assets such as wallets, browser extensions, and trading platforms. This indicates a clear monetization strategy. The use of clipboard monitoring for wallet addresses is especially clever, as it exploits user behavior in real time rather than relying solely on stored credentials.
Another critical observation is the depth of its evasion techniques. By bypassing AMSI, using direct syscalls, and encrypting all communications, SnappyClient reduces its visibility across traditional endpoint detection systems. This makes it harder for organizations relying only on signature-based or basic behavioral detection to identify infections.
The layered configuration system also adds flexibility for attackers. By dynamically updating the downloaded EventsDB and SoftwareDB configuration files, operators can change targets or behavior without redeploying the malware. This adaptability increases the lifespan and effectiveness of campaigns.
However, despite its sophistication, there are still opportunities for detection. Network-level monitoring, especially for unusual encrypted traffic patterns or connections to known malicious IPs, remains a viable defense. Additionally, behavioral anomalies such as unexpected process injections or unauthorized browser data access can serve as indicators.
Overall, SnappyClient highlights the growing complexity of financially motivated malware. Organizations must move beyond traditional defenses and adopt multi-layered security approaches, including threat intelligence integration, behavioral analytics, and zero-trust principles. Without these, threats like SnappyClient can operate undetected for extended periods, leading to significant financial and data loss.
