New SnappyClient Implant Combines Remote Access, Data Theft and Advanced Evasion

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

A dangerous new malware implant called SnappyClient has quietly emerged as a serious threat to Windows users, combining remote access, data theft, and sophisticated evasion techniques in one compact C++ package.

First spotted in December 2025, this command-and-control (C2) framework implant can log keystrokes, take screenshots, launch a remote terminal, and pull sensitive data from browsers and applications — all while avoiding detection by security tools.

The attack chain begins with a convincingly fake website impersonating Telefónica, the well-known telecommunications company. German-speaking users who visit the page are automatically served a HijackLoader download.

Once the victim runs the file, HijackLoader decrypts and loads SnappyClient directly into memory.

Attack chain (Source – Zscaler)

A second delivery method was also observed in early February 2026, where attackers used a ClickFix trick shared via X (formerly Twitter), again dropping SnappyClient through GhostPulse and HijackLoader.

Zscaler ThreatLabz researchers identified SnappyClient in December 2025 while tracking HijackLoader activity across their telemetry. Their analysis revealed that SnappyClient communicates with its C2 server over TCP using a fully custom protocol.

Every message is compressed with the Snappy algorithm and encrypted using ChaCha20-Poly1305, making network traffic significantly harder for defenders to inspect.

SnappyClient targets a wide range of applications for data theft. It goes after ten browsers including Chrome, Firefox, Edge, Opera, and Brave, harvesting saved passwords, session cookies, and full browser profiles.

The malware also hunts for cryptocurrency-related extensions such as MetaMask, Phantom, TronLink, Coinbase Wallet, and TrustWallet. Standalone crypto applications including Exodus, Atomic, Electrum, and Ledger Live are targeted as well.

Network analysis confirmed that cryptocurrency theft is the primary financial goal driving these campaigns.

Fake Telefónica Website Delivering HijackLoader (Source – Zscaler)

Beyond stealing data, SnappyClient supports reverse proxies for FTP, VNC, SOCKS5, and RLOGIN, giving attackers multiple pathways inside a victim’s network.

It monitors clipboard content in real time, silently swapping out Ethereum wallet addresses to redirect crypto transactions.

Two dynamic configuration files — EventsDB and SoftwareDB — are pushed by the C2 server to direct the implant on which applications to target and what actions to take, making it flexible without requiring redeployment.

Inside SnappyClient’s Evasion and Persistence

What makes SnappyClient hard to stop is how efficiently it dismantles the security controls meant to catch it. From the moment it starts, the implant hooks Windows’ LoadLibraryExW function and monitors for any attempt to load amsi.dll.

When detected, it patches AmsiScanBuffer and AmsiScanString to always return a clean result, silently disabling Windows’ Antimalware Scan Interface without raising any alerts.

To bypass user-mode API hooks placed by endpoint security products, SnappyClient uses Heaven’s Gate, switching execution between 32-bit and 64-bit modes to issue direct system calls that skip the monitored API layers.

It also maps a clean copy of ntdll.dll into memory, accessing core Windows functions without interference. These patterns closely mirror HijackLoader’s design, pointing to a likely connection between the developers of both tools. 

API structure layout of HijackLoader and SnappyClient (Source – Zscaler)

For persistence, SnappyClient first registers a scheduled task that fires at every user logon. If that fails, it writes an autorun entry under Software\Microsoft\Windows\CurrentVersion\Run.

The implant copies itself to a configured path and launches from there, terminating the original process.

All sensitive files stored on disk — including the keylogger file, EventsDB, and SoftwareDB — are encrypted with ChaCha20, making forensic recovery considerably harder.

Users and organizations should avoid downloading executable files from unverified websites, even those appearing to represent known brands.

Security teams should monitor for unusual scheduled task creation and suspicious registry run key changes, as early warning signs of SnappyClient’s persistence routine.
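As an added example that is not part of the article or of Zscaler's research, the following Python sketch shows how the two persistence steps described above (a logon-triggered scheduled task, then a Run-key autorun as fallback) and the preceding self-copy could be hunted in collected Windows events. The event field names, sample paths and the user-writable-directory heuristic are assumptions for illustration.

```python
import re

# Registry autorun location named in the article (matched case-insensitively).
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# User-writable locations a legitimate installer rarely persists from (assumption).
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Public|ProgramData|Downloads)\\", re.I)

# Constructed sample records standing in for parsed Security 4698 (task created),
# Sysmon 11 (file created) and Sysmon 13 (registry value set) events.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\alice\Downloads\Telefonica_Setup.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\svc\client.exe"},
    {"EventID": 4698, "TaskName": r"\Updater", "Trigger": "LogonTrigger",
     "Command": r"C:\Users\alice\AppData\Roaming\svc\client.exe"},
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "Trigger": "CalendarTrigger", "Command": r"C:\Windows\System32\defrag.exe"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\upd",
     "Details": r"C:\Users\bob\AppData\Local\Temp\upd.exe"},
    {"EventID": 13, "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]


def find_persistence(events):
    """Map executable path -> set of reasons. A logon-triggered task ("logon-task") or a
    Run-key autorun ("run-key") is flagged when it points into a user-writable directory;
    "dropped" is added when another process created that file earlier, matching the
    copy-then-launch step the article describes. Either persistence step alone is enough."""
    dropped = {ev["TargetFilename"].lower() for ev in events if ev.get("EventID") == 11}
    findings = {}
    for ev in events:
        if ev.get("EventID") == 4698 and ev.get("Trigger") == "LogonTrigger":
            path, reason = ev.get("Command", ""), "logon-task"
        elif ev.get("EventID") == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
            path, reason = ev.get("Details", ""), "run-key"
        else:
            continue
        if not USER_WRITABLE_RE.search(path):
            continue  # persistence from Program Files or System32 is routine; skip it
        reasons = findings.setdefault(path.lower(), set())
        reasons.add(reason)
        if path.lower() in dropped:
            reasons.add("dropped")
    return findings


if __name__ == "__main__":
    for path, reasons in find_persistence(SAMPLE_EVENTS).items():
        print(path, sorted(reasons))
```

In production the sample list would be replaced by events pulled from a SIEM or EVTX export, and the path heuristic tuned to the environment's software baseline.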

Endpoint detection rules should cover Heaven’s Gate execution patterns and transacted hollowing behavior. Keeping browsers updated lowers the risk of App-Bound Encryption bypass. Regularly auditing installed browser extensions — especially those linked to cryptocurrency wallets — is strongly recommended.
