Urban Vidergar
Malware Reverse Engineer, Incident Responder. Cyber Security Specialist @ SI-CERT
Session: 03-29, 12:40, 30 min
Dissecting HijackLoader: From Fake CAPTCHA to NTFS Transacted Hollowing
Urban Vidergar
A recent rise in fake CAPTCHA scams has led to a spike in user-triggered infostealer infections, resulting in significant cryptocurrency losses among Slovenian victims. The HijackLoader malware abuses steganography to hide its encrypted payload within a PE resource, bypasses user-mode hooks, and executes direct syscalls from within its shellcode. It combines NTFS transactions with process hollowing to deliver the final crypto-stealing payload.
P1