Zscaler ThreatLabz has published a technical analysis of SnappyClient, a C++-based C2 implant first observed in December 2025. The malware is delivered via HijackLoader and uses techniques including AMSI bypass, direct system calls, and process injection to evade detection. Once installed, it persists via scheduled tasks or registry autorun keys and encrypts C2 traffic with ChaCha20-Poly1305. Its capabilities include keylogging, screenshot capture, remote shell access, and credential theft from major browsers. The primary observed use case is cryptocurrency wallet theft, with campaigns impersonating Telefonica and using ClickFix social engineering for distribution. Researchers note possible code-level connections between SnappyClient and HijackLoader developers.

From darkreading.com