Threat Actors Use Pirated Games to Bypass Microsoft Defender SmartScreen and Adblockers

Cybersecurity researchers have uncovered a sophisticated campaign where threat actors leverage pirated game downloads to distribute HijackLoader, a modular malware loader, effectively bypassing common defenses like adblockers and Microsoft Defender SmartScreen.

Sites such as Dodi Repacks, often deemed “safe” on piracy forums when used with tools like uBlock Origin, serve as vectors for this malware.

Users attempting to download cracked games are redirected through domains like zovo[.]ink and downf[.]lol to MEGA-hosted ZIP archives containing nested .7z files.

These archives disguise malicious payloads within seemingly legitimate files, such as oversized DLLs like DivXDownloadManager.dll, which exceed sandbox upload limits to evade automated analysis.

Malware Distribution Through Piracy Networks

Despite adblockers, the infection chain proceeds, debunking claims that such tools provide adequate protection.

Analysis reveals that the malware employs module stomping on system DLLs like shell32.dll, decrypting configurations from files like quintillionth.ppt and paraffin.html using SIMD-accelerated XOR loops and LZNT1 decompression.

This setup loads subsequent stages, including anti-VM checks for hypervisors, RAM thresholds, and process counts, ensuring execution only on suitable victim machines.

HijackLoader’s modular architecture supports up to 40 components, with the “ti” module handling API resolution via CRC32 hashes, stack spoofing through Heaven’s Gate syscalls, and unhooking of ntdll.dll and wow64cpu.dll to evade EDR tools.

It disables WOW64 redirection, spoofs return addresses using random exports from DLLs like shdocvw.dll, and performs time-based anti-debugging via RDTSC and CPUID differentials.

Payload Deployment

Persistence is achieved through LNK files in startup folders, scheduled tasks via modTask, or BITS transfers, with self-elevation using modUAC exploiting runas or CMSTPLUA.

Injection targets legitimate executables like choice.exe or signed binaries such as XPFix.exe from Qihoo 360, employing process hollowing without CREATE_SUSPENDED flags by piping input to resume threads.

For AV evasion, it detects products like Avast, AVG, and Kaspersky via process hashes, disables Windows Defender exclusions via elevated PowerShell commands, and deploys payloads like LummaC2 stealer.

Final injection involves decrypting payloads with XOR keys, resolving relocations, and executing via modules like rshell or ESAL, often mapping transacted sections with tinystub PE files rolled back post-injection.

This campaign extends beyond gaming sites, infiltrating platforms like TIDAL playlists linking to malicious archives on up-community[.]net and weeklyuploads[.]click, highlighting widespread abuse of cracked software searches on Google.

Active development in modules like ti and rshell underscores HijackLoader’s evolution, previously linked to families including Remcos, Vidar, and Redline Stealer.

Indicators of Compromise (IOCs)

AWS Security Services: 10-Point Executive Checklist - Download for Free

Keep your files stored safely and securely with the SanDisk 2TB Extreme Portable SSD. With over 69,505 ratings and an impressive 4.6 out of 5 stars, this product has been purchased over 8K+ times in the past month. At only $129.99, this Amazon’s Choice product is a must-have for secure file storage.

Help keep private content private with the included password protection featuring 256-bit AES hardware encryption. Order now for just $129.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!