Date: 03/19/2026
Severity: High
Summary
In December 2025, Zscaler ThreatLabz discovered a new C2 implant, SnappyClient, delivered via HijackLoader. SnappyClient is C++-based malware that provides remote access and extensive data theft. Its capabilities include keylogging, screenshot capture, a remote terminal, and theft of data from browsers and applications. It uses evasion techniques such as AMSI bypass, Heaven's Gate, direct system calls, and transacted hollowing. C2 traffic is encrypted with ChaCha20-Poly1305, and configuration files control which actions it performs and which targets it collects from.
Indicators of Compromise (IOC) List
IP Address : | 151.242.122.227 179.43.167.210 |
SHA256 Hash : | 61e103db36ebb57770443d9249b5024ee0ae4c54d17fe10c1d44e87e2fc5ee99
23e2a0c25c95eebe1a593b27ac1b81a73b23ddad7617b3b11c69a89c3d49812e
00019221fb0b61b769d4168664f11c1258e4d61659bd3ffecb126eaf92dbfe2f
6e360fca0b1e3021908f8de271d80620d634600955fefc9fd0af40557cd517d7
64a2609d6707a2ebfe5b40f5227d0f9b85911b752cd04f830d1bbc8aa6bec2c8 |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 : | dstipaddress IN ("179.43.167.210","151.242.122.227") or srcipaddress IN ("179.43.167.210","151.242.122.227") |
Detection Query 2 : | sha256hash IN ("6e360fca0b1e3021908f8de271d80620d634600955fefc9fd0af40557cd517d7","64a2609d6707a2ebfe5b40f5227d0f9b85911b752cd04f830d1bbc8aa6bec2c8","00019221fb0b61b769d4168664f11c1258e4d61659bd3ffecb126eaf92dbfe2f","23e2a0c25c95eebe1a593b27ac1b81a73b23ddad7617b3b11c69a89c3d49812e","61e103db36ebb57770443d9249b5024ee0ae4c54d17fe10c1d44e87e2fc5ee99") |
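The two TDIR queries above, rendered as standalone matching logic so the IOC hits can be reproduced outside the Gurucul platform (for example against an exported JSON-lines log). This is an added example and not Gurucul or Zscaler code; the field names srcipaddress, dstipaddress and sha256hash are taken from the queries, the sample events are constructed for the example, and the hash normalization (case-folding and length check) is an assumption about how hashes may appear in mixed-source telemetry.

```python
"""Offline equivalent of Detection Query 1 (C2 IP addresses) and
Detection Query 2 (SHA256 hashes) from the advisory above.

Sample events below are constructed for this example; they are not
real telemetry."""
import json

# IOCs exactly as listed in the advisory.
C2_IPS = {"151.242.122.227", "179.43.167.210"}
SHA256_HASHES = {
    "61e103db36ebb57770443d9249b5024ee0ae4c54d17fe10c1d44e87e2fc5ee99",
    "23e2a0c25c95eebe1a593b27ac1b81a73b23ddad7617b3b11c69a89c3d49812e",
    "00019221fb0b61b769d4168664f11c1258e4d61659bd3ffecb126eaf92dbfe2f",
    "6e360fca0b1e3021908f8de271d80620d634600955fefc9fd0af40557cd517d7",
    "64a2609d6707a2ebfe5b40f5227d0f9b85911b752cd04f830d1bbc8aa6bec2c8",
}

# Constructed JSON-lines sample: one C2 connection, one benign connection,
# one upper-case hash match, one non-matching hash, one event hitting both rules.
SAMPLE_LOG = """\
{"id": 1, "srcipaddress": "10.0.0.5", "dstipaddress": "179.43.167.210", "dstport": 443}
{"id": 2, "srcipaddress": "10.0.0.7", "dstipaddress": "93.184.216.34", "dstport": 443}
{"id": 3, "host": "ws-12", "sha256hash": "6E360FCA0B1E3021908F8DE271D80620D634600955FEFC9FD0AF40557CD517D7"}
{"id": 4, "host": "ws-19", "sha256hash": "0000000000000000000000000000000000000000000000000000000000000000"}
{"id": 5, "srcipaddress": "151.242.122.227", "dstipaddress": "10.0.0.9", "sha256hash": "64a2609d6707a2ebfe5b40f5227d0f9b85911b752cd04f830d1bbc8aa6bec2c8"}
"""


def parse_jsonl(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def normalize_hash(value):
    """Lower-case and strip a hash so an upper-case SHA256 still matches.

    Returns None for anything that is not 64 hex characters (assumption:
    some sources log hashes in upper case or with surrounding whitespace)."""
    if not isinstance(value, str):
        return None
    v = value.strip().lower()
    if len(v) != 64 or any(c not in "0123456789abcdef" for c in v):
        return None
    return v


def matches_query1(event):
    """Detection Query 1: srcipaddress or dstipaddress in the C2 IP set."""
    return any(event.get(k) in C2_IPS for k in ("srcipaddress", "dstipaddress"))


def matches_query2(event):
    """Detection Query 2: sha256hash in the SnappyClient hash set."""
    h = normalize_hash(event.get("sha256hash"))
    return h is not None and h in SHA256_HASHES


def scan(events):
    """Return [{'id': ..., 'rules': [...]}] for every event that matches a query."""
    hits = []
    for ev in events:
        rules = []
        if matches_query1(ev):
            rules.append("query1_c2_ip")
        if matches_query2(ev):
            rules.append("query2_sha256")
        if rules:
            hits.append({"id": ev.get("id"), "rules": rules})
    return hits


if __name__ == "__main__":
    for hit in scan(parse_jsonl(SAMPLE_LOG)):
        print(hit)
```

Events 1, 3 and 5 are flagged; event 5 carries both a C2 source address and a known hash, which is the kind of host you would triage first. Note that the IP match is exact, so NATed or proxied telemetry that does not preserve the original destination address will not hit Query 1; the hash normalization is what lets the upper-case hash in event 3 match.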
Reference:
https://www.zscaler.com/blogs/security-research/technical-analysis-snappyclient