New HijackLoader Evasion Tactics

ID: 4ccd88f6-340e-514e-bdc3-b8122200a3f3

STIX ID: report--4ccd88f6-340e-514e-bdc3-b8122200a3f3

Feed Name: Zscaler Security Research Blog

Threat Score: 75/100

Date Published: 2025-12-30

Date Updated: 2026-05-01

...
...

This report provides a technical analysis of HijackLoader, a sophisticated Windows loader that employs advanced evasion (call-stack spoofing, Heaven's Gate switching to x64 direct syscalls, remapping ntdll/wow64cpu), anti-VM checks, and persistence via scheduled tasks. It enumerates newly observed modules (ANTIVM, MUTEX, CUSTOMINJECT, CUSTOMINJECTPATH, modTask/modTask64, PERSDATA, SM, TinycallProxy/TinycallProxy64), configuration and structure definitions (ANTIVM_STRUCT, PERSDATA_STRUCT, DIRECTSYSCALL_STRUCT), blocklisted processes, and module CRCs and behaviors that serve as actionable indicators and TTP documentation.