SnappyClient is a compact C++ implant for Windows that combines remote access, data exfiltration and evasion in a single binary. First observed in December 2025, it logs keystrokes, captures screenshots, gives its operator a remote terminal, steals data from web browsers and other applications, and actively works to evade endpoint security tools, all driven from its own command-and-control (C2) infrastructure.
The first delivery chain identified used a carefully built phishing website impersonating the telecommunications company Telefónica. German-speaking visitors were automatically prompted to download a file, which turned out to be HijackLoader. Once run, HijackLoader decrypts the SnappyClient implant and loads it directly into memory, so the implant itself is never written to disk as a plain file and file-based scanning gets no chance to inspect it. A second delivery chain surfaced in early February 2026: a "ClickFix" lure shared on X (formerly Twitter) that also ended in SnappyClient, this time deployed through GhostPulse and HijackLoader.
Researchers at Zscaler ThreatLabz first spotted SnappyClient in December 2025 while tracking HijackLoader activity. Their analysis showed that the implant talks to its C2 server over a fully custom TCP protocol: every message is first compressed with Snappy and then encrypted with ChaCha20-Poly1305. On the wire this leaves only opaque, high-entropy bytes with no protocol headers for a network sensor to match on, and because ChaCha20-Poly1305 is an authenticated cipher, an analyst without the key can neither read nor modify the exchange, which makes traffic inspection significantly harder for defenders.
SnappyClient casts a wide net for sensitive data. It targets ten popular web browsers, among them Google Chrome, Mozilla Firefox, Microsoft Edge, Opera and Brave, and tries to harvest stored login credentials, active session cookies and entire browser profiles from each. It also goes after cryptocurrency-related browser extensions such as MetaMask, Phantom, TronLink, Coinbase Wallet and TrustWallet, and standalone wallet applications including Exodus, Atomic, Electrum and Ledger Live. The breadth of that cryptocurrency target list indicates, according to the analysis, that wallet theft is a primary financial objective of these campaigns.
Beyond data theft, SnappyClient gives attackers extensive remote control and network reach. It can act as a reverse proxy for FTP, VNC, SOCKS5 and rlogin, so an operator can tunnel through the infected host into the victim's network. It also continuously monitors the clipboard, classic "clipper" behavior: when a cryptocurrency wallet address is copied, the malware silently replaces it with an attacker-controlled address, so the victim pastes the attacker's address into the transaction and sends the funds there.
The implant's targeting is driven by two dynamic configuration files, EventsDB and SoftwareDB, delivered by the C2 server. They define which applications SnappyClient should target and what specific actions to take against each. Because the operators can push new versions at any time, the malware's behavior can be changed remotely without redeploying the implant, which extends both its adaptability and its useful life.
Inside SnappyClient’s Advanced Evasion and Persistence
A key factor in SnappyClient's effectiveness is how it sidesteps security controls. From its first moments of execution, the implant hooks the Windows LoadLibraryExW function so that it sees every library the process loads. When it observes the Antimalware Scan Interface library, amsi.dll, being loaded, it patches two of its exports, AmsiScanBuffer and AmsiScanString, so that they always report a "clean" result. Any script engine or runtime in that process that relies on AMSI is thereby blinded, and because the patch is applied in memory to the process's own copy of amsi.dll, it raises no alert by itself; it shows up only when something compares the in-memory function bytes against an unmodified copy of the library.
To get around the user-mode API hooks that endpoint products place on Windows APIs, SnappyClient uses a technique known as "Heaven's Gate": 32-bit code running under WOW64 switches the processor into 64-bit mode (a far jump to the 64-bit code segment, selector 0x33) and issues system calls directly, skipping the 32-bit API layers where security software typically places its hooks. In addition, SnappyClient maps a fresh copy of ntdll.dll into its own memory, so it can call core Windows functions from an image that no security product has hooked and that no injected code has touched. Both techniques closely resemble functionality observed in HijackLoader, suggesting a shared developer or organization behind the two families.
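Two defensive checks for the evasions in this section, written here as an added example rather than taken from the report: a memory-map walk that catches a second mapping of ntdll.dll or a PE image sitting in a non-image region, and a byte-pattern scan for the 32-bit stubs a Heaven's Gate transition uses. The region list, the code blob and the paths are constructed; the patterns are generic Heaven's Gate idioms and not signatures attributed to SnappyClient.

```python
"""Memory-map anomalies (duplicate or manually mapped ntdll) and Heaven's Gate
stub scanning over constructed input."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Region:
    base: int
    size: int
    kind: str                    # "image", "mapped" or "private" (MEM_* type)
    path: Optional[str] = None   # backing file for image/mapped regions
    head: bytes = b""            # first bytes of the region, if read


# Assumed standard locations of the two ntdll copies on a 64-bit Windows host.
SYS32_NTDLL = r"c:\windows\system32\ntdll.dll"
WOW64_NTDLL = r"c:\windows\syswow64\ntdll.dll"


def find_ntdll_anomalies(regions: List[Region], is_wow64: bool) -> List[str]:
    """Flag a second copy of ntdll.dll and PE images outside image regions."""
    findings = []
    images = {}
    for r in regions:
        if r.kind == "image" and r.path:
            images.setdefault(r.path.lower(), []).append(r)

    # Each ntdll.dll path should be mapped exactly once. A WOW64 process
    # legitimately has both the SysWOW64 (32-bit) and System32 (64-bit)
    # copies, so count per full path, never per file name.
    for path, rs in images.items():
        if path.endswith("\\ntdll.dll") and len(rs) > 1:
            bases = ", ".join(f"{r.base:#x}" for r in rs)
            findings.append(f"{path} mapped {len(rs)} times ({bases})")
    if not is_wow64 and WOW64_NTDLL in images:
        findings.append("32-bit ntdll.dll mapped into a native 64-bit process")

    # A manually mapped module lands in private or data-mapped memory rather
    # than an image region, and still begins with the DOS 'MZ' header.
    for r in regions:
        if r.kind != "image" and r.head[:2] == b"MZ":
            findings.append(f"PE header in {r.kind} region at {r.base:#x}")
    return findings


# The classic 32-bit Heaven's Gate stub: push 0x33; call $+5; add [esp], 5; retf
HEAVENS_GATE_STUB = bytes.fromhex("6a33e80000000083042405cb")


def scan_heavens_gate(code: bytes) -> List[Tuple[int, str]]:
    """Return (offset, description) for Heaven's Gate idioms in 32-bit code."""
    hits = []
    start = 0
    while (i := code.find(HEAVENS_GATE_STUB, start)) != -1:
        hits.append((i, "push 0x33; call $+5; add [esp],5; retf"))
        start = i + 1
    # Far jmp (EA) / far call (9A) with a ptr16:32 operand whose selector is 0x33.
    for i in range(len(code) - 6):
        if code[i] in (0xEA, 0x9A) and code[i + 5:i + 7] == b"\x33\x00":
            hits.append((i, "far jmp/call to selector 0x33"))
    return sorted(hits)


# Constructed WOW64 process map: the expected two ntdll copies, a second,
# manually mapped System32 ntdll.dll, a private region holding a PE image,
# and the (made-up) main module.
SAMPLE_REGIONS = [
    Region(0x77A00000, 0x1A0000, "image", WOW64_NTDLL),
    Region(0x7FFC10000000, 0x1F0000, "image", SYS32_NTDLL),
    Region(0x7FFC20000000, 0x1F0000, "image", SYS32_NTDLL),
    Region(0x1E000000, 0x200000, "private", head=b"MZ\x90\x00"),
    Region(0x400000, 0x30000, "image", r"c:\users\alice\appdata\roaming\svc.exe"),
]
# Constructed 32-bit code: prologue, gate stub, padding, far jmp, ret.
SAMPLE_CODE = (b"\x55\x8b\xec" + HEAVENS_GATE_STUB + b"\x90" * 4
               + b"\xea\x00\x00\x40\x00\x33\x00" + b"\xc3")

if __name__ == "__main__":
    print(find_ntdll_anomalies(SAMPLE_REGIONS, is_wow64=True))
    print(scan_heavens_gate(SAMPLE_CODE))
```

A detection that counts ntdll.dll by file name rather than by full path will fire on every 32-bit process, because WOW64 maps both copies by design; the function above treats only a repeated path, or a SysWOW64 ntdll inside a native 64-bit process, as the anomaly. The MZ check on non-image regions can also trigger on a legitimate program that has mapped a PE file as data (a scanner reading another executable), so pair it with the mapping check before escalating.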
For persistence, SnappyClient takes a layered approach. It first tries to register a scheduled task that runs at every user logon. If that fails, it falls back to an autorun entry under the Software\Microsoft\Windows\CurrentVersion\Run registry key. It then copies itself to a predefined location on disk, arranges to launch from that new path, and terminates the original process. Every sensitive file the implant writes to disk, including the keylogger logs and the EventsDB and SoftwareDB configuration files, is encrypted with ChaCha20, which complicates forensic analysis and recovery.
Given SnappyClient's sophistication, users and organizations should be wary of downloading executables from unverified sources, even when the site appears to belong to a legitimate, well-known brand. Security teams should monitor for unexpected scheduled-task creation and for modifications to registry Run keys, since these are early indicators of SnappyClient's persistence mechanisms. Endpoint detection should be updated to cover Heaven's Gate execution and transacted hollowing behavior. Keeping browsers up to date is also important, since it mitigates some bypasses of the application-bound encryption that protects stored credentials and cookies. Regularly auditing installed browser extensions, particularly those with access to cryptocurrency wallets, further reduces exposure.
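The monitoring recommended above, as an added example that is not part of the article: detection logic over Security event 4698 (scheduled task created) and Sysmon event 13 (registry value set), run on constructed events. The field names follow those event schemas; the task name, paths, SID and user name are made up, and the list of user-writable directories used to raise severity is an assumption, since the report does not name the location the implant copies itself to.

```python
"""Persistence detection over constructed Windows event records."""
import re
import xml.etree.ElementTree as ET

RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Directories writable without elevation, where a self-copied implant usually
# lands. This list is an assumption, not a path taken from the report.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)


def _local(tag: str) -> str:
    """Strip the Task Scheduler XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def parse_task_xml(xml_text: str):
    """Return (trigger kinds, exec commands) from a 4698 TaskContent payload."""
    triggers, commands = [], []
    for el in ET.fromstring(xml_text).iter():
        name = _local(el.tag)
        if name.endswith("Trigger"):
            triggers.append(name)
        elif name == "Command":
            commands.append((el.text or "").strip())
    return triggers, commands


def evaluate(events: list) -> list:
    """Raise alerts for logon-triggered tasks and Run-key writes; escalate a
    Run-key write whose target is the very process performing it."""
    alerts = []
    for ev in events:
        if ev["source"] == "Security" and ev["event_id"] == 4698:
            triggers, commands = parse_task_xml(ev["TaskContent"])
            if "LogonTrigger" not in triggers:
                continue
            for cmd in commands:
                sev = "high" if USER_WRITABLE_RE.search(cmd) else "medium"
                alerts.append({"severity": sev, "technique": "scheduled task at logon",
                               "task": ev["TaskName"], "binary": cmd})
        elif ev["source"] == "Sysmon" and ev["event_id"] == 13:
            if RUN_KEY_RE.search(ev["TargetObject"]):
                sev = "high" if USER_WRITABLE_RE.search(ev["Details"]) else "medium"
                alerts.append({"severity": sev, "technique": "registry Run key",
                               "key": ev["TargetObject"], "binary": ev["Details"],
                               "writer": ev["Image"]})
    # A binary that is both the Run-key target and the process writing the key
    # is configuring its own autostart: the copy-and-relaunch step.
    for a in alerts:
        if (a["technique"] == "registry Run key"
                and a["binary"].strip('"').lower() == a["writer"].lower()):
            a["severity"] = "critical"
            a["note"] = "process registered itself for autorun"
    return alerts


# Constructed 4698 TaskContent (namespace as used by Task Scheduler).
TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Users\alice\AppData\Roaming\Updater\svchost32.exe</Command>
  </Exec></Actions>
</Task>"""

# Constructed events: the task, the implant writing its own Run entry, and a
# benign installer writing a machine-wide Run entry for comparison.
SAMPLE_EVENTS = [
    {"source": "Security", "event_id": 4698, "TaskName": r"\Updater",
     "TaskContent": TASK_XML},
    {"source": "Sysmon", "event_id": 13,
     "Image": r"C:\Users\alice\AppData\Roaming\Updater\svchost32.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Roaming\Updater\svchost32.exe"},
    {"source": "Sysmon", "event_id": 13,
     "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Event 4698 is only written when "Audit Other Object Access Events" is enabled in the advanced audit policy, and Sysmon only records Run-key writes if its configuration includes those paths; both are prerequisites for this logic to see anything. Legitimate installers write Run keys constantly, which is why the example keeps them at medium and reserves the high and critical tiers for binaries in user-writable locations and for self-registration.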

