In December 2025, security researchers at Zscaler ThreatLabz identified a new command-and-control (C2) framework implant called SnappyClient. This article looks at how attackers use SnappyClient. The implant is delivered by the HijackLoader malware.

Once SnappyClient is installed, attackers have broad control over the victim's computer. It can take screenshots, record keystrokes, open a remote terminal, and steal private information from web browsers and other programs.

Attack Chains and Evasion Tactics

SnappyClient campaigns often start with a deceptive website. In one observed campaign, attackers built a fake website that impersonated Telefónica, a large telecommunications company.

The site targeted German-speaking users with realistic product features and branding. When a victim visited the page, the HijackLoader executable was downloaded automatically to their computer.

If the user opened the file, HijackLoader decrypted and launched SnappyClient. Researchers also observed SnappyClient being distributed through social media via a GhostPulse and ClickFix intrusion chain. SnappyClient uses advanced techniques to evade security software.

It tampers with the Antimalware Scan Interface (AMSI) so that AMSI skips its code and always reports the process as clean. The malware also uses Heaven's Gate, direct system calls, and transactional hollowing to hide its activity from endpoint detection systems. It also checks whether the device appears on a "banned" list so that it does not run in security research environments.

Example attack chain of a campaign that delivers SnappyClient (Source: Zscaler)

Configuration and Network Communication

SnappyClient uses a plaintext JSON configuration embedded in its code. This configuration tells the malware what to do, such as where to store stolen data and how to persist across reboots. When the implant starts, it connects to its C2 server and downloads two encrypted databases: EventsDB and SoftwareDB.

EventsDB tells the malware what to do when certain conditions are met, such as stealing clipboard data that matches a given pattern. SoftwareDB lists the specific web browsers and applications from which the malware steals data.
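A plaintext JSON configuration embedded in the binary is the kind of artifact an analyst wants to pull out of a sample automatically. The Python below is an added example, not code from Zscaler or from the malware: it scans a byte blob for balanced {...} spans that parse as JSON objects, honouring string quoting and giving up on any span that runs into non-printable bytes. The sample blob and its key names (c2, persistence, exfil_dir) are constructed placeholders, not SnappyClient's real schema.

```python
import json
# Constructed sample blob: junk bytes around an embedded plaintext JSON config.
# Key names (c2, persistence, exfil_dir) are hypothetical, not the real schema.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\xcc" * 16
    + b'{"c2": "198.51.100.7:443", "persistence": {"run_key": true},'
    + b' "exfil_dir": "%APPDATA%\\\\cache"}'
    + b"\x00" * 8 + b"{ not json }" + b"\xff" * 8
)

def _candidate_end(data: bytes, start: int):
    """Index just past the '}' matching the '{' at start; None if a non-printable byte comes first."""
    depth, in_str, esc = 0, False, False
    for i in range(start, len(data)):
        b = data[i]
        if in_str:
            if esc:
                esc = False
            elif b == 0x5C:        # backslash starts an escape
                esc = True
            elif b == 0x22:        # unescaped quote ends the string
                in_str = False
            continue
        if b == 0x22:
            in_str = True
        elif b == 0x7B:            # '{'
            depth += 1
        elif b == 0x7D:            # '}'
            depth -= 1
            if depth == 0:
                return i + 1
        elif not (0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D)):
            return None            # binary junk: not a plaintext JSON blob
    return None

def find_embedded_json(data: bytes):
    """Return [(offset, dict)] for each outermost {...} span that parses as a JSON object."""
    found, pos = [], 0
    while (start := data.find(b"{", pos)) >= 0:
        end = _candidate_end(data, start)
        try:
            obj = json.loads(data[start:end].decode("ascii")) if end else None
        except ValueError:         # balanced braces but not valid JSON
            obj = None
        if isinstance(obj, dict):
            found.append((start, obj))
            pos = end              # resume after the whole object
        else:
            pos = start + 1        # try the next brace
    return found
```

Run it over an unpacked sample's bytes (for example after HijackLoader has decrypted the payload in memory) and diff the recovered keys across samples to track configuration changes between campaigns.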

Example of a website impersonating the telecom company Telefónica and delivering HijackLoader, which drops SnappyClient (Source: Zscaler)

The malware communicates with its server over a custom, strongly encrypted TCP network protocol. All messages are compressed and then encrypted with ChaCha20-Poly1305, so defenders cannot read the network traffic. When the malware first connects, it sends the attackers a long registration message.

Registration data collected:

- System identity: computer name, username, and a unique system ID.
- Hardware specifications: total RAM, number of processors, and display monitor information.
- Software environment: Windows version, installed antivirus tools, and targeted applications.
- Activity metrics: title of the active window and time elapsed since the last user input.

After registration, the server can issue a range of commands.

Attackers can take screenshots, control running processes, or browse the victim's files. The malware even has a built-in compression tool, based on the 7-Zip library, that quietly archives and extracts files before stealing them. With this range of features, SnappyClient is a powerful tool for modern cyber espionage and data theft.