Threat Profile
| Canonical Name | HijackLoader |
|---|---|
| Known Aliases | DOILoader, GHOSTPULSE, IDAT Loader, SHADOWLADDER |
| Platform | Windows (all modern versions) |
| File Type | Windows PE executable (often disguised) |
| First Observed | July 2023 |
| Primary Function | Malware loader/dropper for secondary payloads |
| Evasion Techniques | Process Doppelgänging, DLL Search Order Hijacking, Heaven's Gate, PNG steganography |
| Typical Payload Storage | IDAT chunks within PNG image files |
| Detection Difficulty | High — designed specifically to evade endpoint security |
| Commercial Use | Offered on underground forums as malware-as-a-service |
| Common Secondary Payloads | Information stealers, ransomware, banking trojans |
| Update Frequency | Active development observed through 2024-2025 |
How It Spreads
HijackLoader typically arrives through multi-stage infection chains rather than direct user downloads. Attackers package the loader inside ZIP archives or disguise it as legitimate software installers, often distributed through malicious advertising campaigns or compromised websites. The initial dropper is usually a small executable that downloads the actual loader components from attacker-controlled infrastructure.

What sets HijackLoader apart from simpler malware is its deliberate use of trusted Windows processes and file formats. The loader hides its malicious payload inside PNG image files — actual image files that will display normally in any photo viewer. This technique, called steganography, allows the malware to pass through email filters and evade simple file-type blocking. When the loader executes, it extracts the hidden code from the PNG's IDAT data chunk and injects it into a legitimate Windows process.

Common distribution methods include:

- **Malicious advertisements (malvertising)** on legitimate websites, particularly targeting users searching for software downloads
- **Software bundling** with pirated applications, game cracks, or "free" versions of commercial tools
- **Phishing emails** with ZIP attachments containing the loader disguised as invoices, shipping notices, or tax documents
- **Drive-by downloads** from compromised WordPress sites or injected advertising networks
- **SEO poisoning** where attackers create fake download sites that rank highly for popular software searches
- **Supply chain compromise** through infected software update mechanisms or third-party installer packages

What It Does On Your Machine
Once HijackLoader executes, it begins a carefully orchestrated process to establish persistence and download additional malware while avoiding detection. The loader employs a technique called "Process Doppelgänging" — a method that creates a seemingly legitimate Windows process in memory, then secretly replaces its contents with malicious code before the process fully starts. To most security software, it looks like a normal system process launching, but the actual code running is controlled by the attacker.

HijackLoader also exploits DLL Search Order Hijacking, a Windows behavior where applications look for required library files in predictable locations. By placing a malicious DLL in a location Windows checks before the legitimate system directory, the loader can inject itself into trusted processes without triggering alerts. On 64-bit systems, the malware may use "Heaven's Gate" — a technique that allows 32-bit malware to directly execute 64-bit code, bypassing security hooks that monitor standard system calls.

The loader establishes multiple persistence mechanisms to survive reboots. It modifies registry keys that control which programs launch at startup, creates scheduled tasks that re-execute the malware at intervals, and may install itself as a Windows service. Because the malicious payload remains hidden in PNG files that appear harmless, traditional antivirus scans often miss the threat even when the image file is present on disk.

Manual Removal — Step by Step
Disconnect from the Internet
Unplug your ethernet cable or disable WiFi immediately. HijackLoader communicates with command-and-control servers to download additional payloads, and cutting network access prevents further infection. This is the most important first step — do it before anything else.
Boot into Safe Mode with Networking
Restart your computer and press F8 repeatedly during boot (Windows 10/11: hold Shift while clicking Restart, then navigate to Troubleshoot > Advanced Options > Startup Settings > Restart > press 4 or F4). Safe Mode loads only essential drivers, preventing most malware from executing its persistence mechanisms.
Check Startup Programs and Services
Press Windows+R, type "msconfig", and hit Enter. Under the "Startup" tab, look for unfamiliar entries, especially those with Publisher listed as "Unknown" or with random character names. Under "Services", check "Hide all Microsoft services", then look for suspicious entries. Uncheck anything suspicious but document what you disable — you may need this information later.
Examine Scheduled Tasks
Open Task Scheduler (search for it in the Start menu). Navigate through Task Scheduler Library and look for tasks you didn't create, especially those that run executables from AppData folders or have triggers set to run at logon or on a schedule. Right-click and disable (not delete yet) any suspicious tasks. HijackLoader commonly uses scheduled tasks for persistence.
Scan with Multiple Tools
Download Malwarebytes and Kaspersky TDSSKiller on a clean computer, transfer them via USB, and run full scans in Safe Mode. No single scanner catches everything with sophisticated loaders. Let each complete fully — this may take 2-4 hours. Quarantine or delete all detected threats. After the scan, temporarily reconnect to the internet (still in Safe Mode) to update the scanner definitions, then scan again.
Manually Search for PNG Files in Suspicious Locations
Navigate to C:\Users\[YourUsername]\AppData\Local and C:\Users\[YourUsername]\AppData\Roaming. Look for PNG image files in unexpected locations, especially in folders with generic names like "SystemData", "Updates", or random character strings. Be cautious — these appear as normal images when viewed, but check file creation dates against when you might have been infected.
Clean Registry Persistence Keys
Press Windows+R, type "regedit", and hit Enter. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Look for entries pointing to executables in AppData folders or with unfamiliar names. Right-click and delete suspicious entries, but export them first as a backup (File > Export). Check the same paths under \RunOnce as well.
Check Browser Extensions and Reset Browser Settings
HijackLoader often delivers browser-hijacking malware as a secondary payload. In each installed browser, check installed extensions and remove anything unfamiliar. Then reset browser settings to default — in Chrome/Edge this is under Settings > Reset settings > Restore settings to their original defaults. This removes malicious search engine changes and homepage hijacks.
Update All Software and Windows
Before returning to normal use, ensure Windows is fully updated (Settings > Update & Security > Windows Update). Update all installed applications, especially Java, Adobe products, and browsers. HijackLoader often exploits outdated software vulnerabilities, and patching these closes the doors attackers used initially.
Monitor for 72 Hours and Consider Full Reinstall
After removal, monitor your system for three days. Watch for unusual CPU usage, unexpected network activity, or security software being disabled. Check Task Manager regularly for unfamiliar processes. Given HijackLoader's sophistication and its purpose of delivering additional malware, the safest approach is often a complete Windows reinstall from trusted installation media. If you had sensitive data on the system or conducted financial transactions while infected, consider the machine compromised until professionally cleaned or rebuilt.
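The registry, scheduled-task and PNG checks from the steps above, gathered by one read-only PowerShell triage script so the findings can be reviewed together and documented before anything is disabled. This is an added example, not code from the original page or from any vendor tool. The search roots (AppData Local and Roaming), the 30-day window, and the "user-writable location" pattern are assumptions for illustration, and the PNG check is a generic structural heuristic (bytes after the IEND chunk, a missing IEND, or more IDAT data than the declared pixel grid could hold), not a HijackLoader signature.

```powershell
# Added example (not from the original page): read-only triage of the
# artefacts the manual steps describe. Run from an elevated PowerShell
# prompt. It changes nothing; review the output, then act by hand.

# Assumption for this example: a program launched from a per-user writable
# folder (AppData, Temp) deserves a second look. Tune for your environment.
function Test-SuspiciousLocation {
    param([string]$Command)
    if (-not $Command) { return $false }
    return $Command -match '(?i)\\AppData\\(Local|Roaming)\\|\\Temp\\'
}

# Step "Clean Registry Persistence Keys": list every Run/RunOnce value.
function Get-RunKeyEntries {
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a Run value
            [pscustomobject]@{
                Source     = 'Registry'
                Where      = "$key\$($p.Name)"
                Command    = [string]$p.Value
                Suspicious = Test-SuspiciousLocation ([string]$p.Value)
            }
        }
    }
}

# Step "Examine Scheduled Tasks": each task action with its trigger types
# (Logon, Daily, Boot, ...), so logon/interval persistence stands out.
function Get-TaskEntries {
    foreach ($task in Get-ScheduledTask) {
        $triggers = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task', '' }) -join ','
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # only "start a program" actions carry a path
            $cmd = "$($action.Execute) $($action.Arguments)".Trim()
            [pscustomobject]@{
                Source     = 'Task'
                Where      = "$($task.TaskPath)$($task.TaskName) [$triggers]"
                Command    = $cmd
                Suspicious = Test-SuspiciousLocation $cmd
            }
        }
    }
}

# Step "Manually Search for PNG Files": walk the chunk list of a PNG and
# report structural oddities. Generic heuristics only, not a malware signature.
function Get-PngChunkSummary {
    param([string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    $sig = [byte[]](0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A)
    if ($b.Length -lt 8 -or (($b[0..7] -join ',') -ne ($sig -join ','))) {
        return [pscustomobject]@{ Path = $Path; Chunks = '(no PNG signature)'; IdatBytes = 0; TrailingBytes = $b.Length; Suspicious = $true }
    }
    $pos = 8; $types = @(); $idat = 0; $sawIend = $false; $maxRaw = 0
    while ($pos + 12 -le $b.Length) {
        $lenU = [BitConverter]::ToUInt32([byte[]]($b[($pos + 3)..$pos]), 0)   # chunk length is big-endian
        if (($pos + 12 + $lenU) -gt $b.Length) { break }                         # declared length overruns the file
        $len  = [int]$lenU
        $type = [System.Text.Encoding]::ASCII.GetString($b, $pos + 4, 4)
        $types += $type
        if ($type -eq 'IHDR' -and $len -ge 13) {
            $w = [BitConverter]::ToUInt32([byte[]]($b[($pos + 11)..($pos + 8)]), 0)
            $h = [BitConverter]::ToUInt32([byte[]]($b[($pos + 15)..($pos + 12)]), 0)
            $maxRaw = [int64]$w * $h * 8 + $h   # 16-bit RGBA plus one filter byte per row: an upper bound on raw pixel data
        }
        if ($type -eq 'IDAT') { $idat += $len }
        $pos += 12 + $len
        if ($type -eq 'IEND') { $sawIend = $true; break }
    }
    $trailing = $b.Length - $pos
    [pscustomobject]@{
        Path          = $Path
        Chunks        = ($types -join ' ')
        IdatBytes     = $idat
        TrailingBytes = $trailing
        Suspicious    = (-not $sawIend) -or ($trailing -gt 0) -or ($maxRaw -gt 0 -and $idat -gt $maxRaw)
    }
}

$since = (Get-Date).AddDays(-30)   # assumed infection window; adjust to your own timeline
$pngs = foreach ($root in @($env:LOCALAPPDATA, $env:APPDATA)) {
    Get-ChildItem -Path $root -Filter *.png -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $since } |
        ForEach-Object { Get-PngChunkSummary -Path $_.FullName }
}
$persistence = @(Get-RunKeyEntries) + @(Get-TaskEntries)
# Keep the full record (the page advises documenting what you disable).
$persistence | Export-Csv -Path "$env:USERPROFILE\Desktop\triage-persistence.csv" -NoTypeInformation

"== Persistence entries launching from user-writable folders =="
$persistence | Where-Object Suspicious | Format-Table Source, Where, Command -AutoSize -Wrap
"== PNG files created since $since with structural oddities =="
$pngs | Where-Object Suspicious | Format-Table Path, Chunks, IdatBytes, TrailingBytes -AutoSize -Wrap
```

Entries flagged here are leads, not verdicts: a legitimate updater can live in AppData, and an oversized or trailing-data PNG can be a harmless oddity. Cross-check each hit against the creation date, the publisher, and what the scanners in the previous step reported before disabling it.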
Prevention
- Download software only from official sources. Never use third-party download sites, torrent trackers, or "free download" websites for commercial software. HijackLoader commonly arrives bundled with pirated applications or through malicious download portals that rank highly in search results but distribute infected installers.
- Keep Windows and all applications updated. Enable automatic updates for Windows, and regularly check for updates to Java, Adobe Reader, browsers, and other common applications. Many loader infections exploit known vulnerabilities in outdated software that attackers know most users haven't patched.
- Use reputable antivirus with behavior-based detection. Traditional signature-based detection often misses HijackLoader because it constantly evolves. Choose security software that includes behavioral analysis, sandboxing, and heuristic detection. Keep it updated and actually run scheduled scans — don't just install it and ignore the warnings.
- Examine email attachments carefully. Never open ZIP files or executable attachments from unexpected emails, even if they appear to come from known contacts. Verify suspicious emails by contacting the sender through a different communication method. Be especially wary of attachments claiming to be invoices, shipping notices, or urgent account notifications.
- Use standard user accounts for daily work. Don't browse the web or open email while logged in as an administrator. Create a standard user account for everyday use. This limits malware's ability to modify system files and registry keys, making infection more difficult and reducing the damage if infection occurs.
- Enable Windows Defender Attack Surface Reduction rules. If you use Windows 10/11 Pro, enable ASR rules through Group Policy or PowerShell. These rules block common malware behaviors like executable content in email clients, Office macros, and script-based attacks. They're particularly effective against loader malware that relies on specific execution chains.
- Implement application whitelisting where possible. For business environments or technically savvy users, configure Windows to only run executables from approved locations. This prevents loaders from executing out of temporary folders or AppData directories where they typically land.
- Be cautious with browser extensions and plugins. Only install browser extensions from official stores and review permissions carefully. Remove extensions you don't actively use. HijackLoader often delivers browser-hijacking malware that starts with a malicious extension, then escalates to system-level infection.
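The Attack Surface Reduction bullet above names three behaviours to block (executable content from email clients, Office macros spawning processes, script-launched downloads). The following is an added example of staging the matching Microsoft Defender rules with PowerShell, audit first and enforce later; it is not code from the original page. The rule GUIDs are Microsoft's published identifiers for those rules, the seven-day audit period is an assumption, and it requires an elevated prompt with Microsoft Defender Antivirus as the active antivirus.

```powershell
# Added example (not from the original page): enable the three Defender ASR
# rules matching the behaviours in the prevention list, audit mode first so
# legitimate workflows show up in the log instead of breaking, then enforce.
# Needs an elevated prompt and Microsoft Defender Antivirus as the active AV.

# Microsoft's published rule identifiers for the three behaviours named above.
$asrRules = [ordered]@{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
}

function Set-AsrRuleAction {
    param([ValidateSet('AuditMode', 'Enabled')][string]$Action)
    foreach ($id in $asrRules.Keys) {
        # Add-MpPreference merges with rules already configured; Set-MpPreference
        # would replace the whole rule list, so it is avoided here.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Action
        Write-Host ("{0,-9} {1}" -f $Action, $asrRules[$id])
    }
}

function Get-AsrRuleState {
    # Defender exposes ids and actions as two parallel arrays; pair them up.
    # Action codes: 0 = Disabled, 1 = Block (Enabled), 2 = AuditMode, 6 = Warn.
    $pref = Get-MpPreference
    $ids = @($pref.AttackSurfaceReductionRules_Ids)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        [pscustomobject]@{
            Id     = $ids[$i]
            Action = $pref.AttackSurfaceReductionRules_Actions[$i]
            Name   = $asrRules[[string]$ids[$i]]   # $null for rules outside this example's set
        }
    }
}

function Get-AsrAuditEvents {
    # Defender Operational log: event 1122 = rule would have blocked (audit),
    # event 1121 = rule blocked. Review these before switching to Enabled.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

# Day 0: audit only.
Set-AsrRuleAction -Action AuditMode
Get-AsrRuleState | Format-Table -AutoSize
# After the assumed seven-day review: if Get-AsrAuditEvents shows only hits you
# are happy to block, enforce with:  Set-AsrRuleAction -Action Enabled
```

The audit step matters on machines that run line-of-business Office add-ins or scripted installers: a 1122 event for a legitimate tool means that tool will break once the rule is enforced, which is the moment to add an exclusion rather than to give up on the rule.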
When Computer Repair Roswell removes HijackLoader and associated infections from your system, we back our work with a 90-day warranty. If the same malware returns within that period, we'll clean it again at no charge. We don't just delete files — we trace the infection chain, identify persistence mechanisms, and ensure the threat is completely eliminated. That's the difference between a band-aid and a cure.