03-29, 12:40–13:10 (Europe/Ljubljana), P1
A recent rise in fake CAPTCHA scams has led to a spike in user-triggered infostealer infections, resulting in significant cryptocurrency losses among Slovenian victims. The HijackLoader malware abuses steganography to hide its encrypted payload inside a PE resource, bypasses user-mode hooks by issuing direct syscalls from its own shellcode, and combines NTFS transactions with process hollowing to deliver the final crypto-stealing payload.
Malware Reverse Engineer, Incident Responder. Cyber Security Specialist @ SI-CERT
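The following is an added example and is not code from the talk, from SI-CERT, or from HijackLoader itself. It shows the triage step an analyst would take against the steganography technique the abstract mentions: scanning the raw bytes of an extracted PE resource (a bitmap, icon or RCDATA blob) with a sliding entropy window to locate the region where an encrypted payload has been embedded in an otherwise low-entropy carrier. The carrier pattern and the pseudo-random "ciphertext" are constructed inside the script, and the sizes, window, step and threshold are arbitrary assumptions for the demonstration, not values taken from the sample.

```python
import hashlib
import math
from typing import List, Optional, Tuple

# Constructed sizes for the synthetic resource (assumptions for the demo,
# not measurements from a real HijackLoader sample).
CARRIER_LEN = 2048
PAYLOAD_LEN = 4096


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty/constant data, 8.0 max."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def find_high_entropy_regions(blob: bytes, window: int = 1024, step: int = 128,
                              threshold: float = 7.0) -> List[Tuple[int, int]]:
    """Slide a window over the blob and merge consecutive windows whose entropy
    reaches the threshold into (start, end) byte ranges.

    Encrypted or compressed data embedded in a low-entropy carrier (pixel
    rows, icon data, text) shows up as one contiguous high-entropy run; the
    reported bounds are accurate to within one window on each side.
    """
    regions: List[Tuple[int, int]] = []
    start: Optional[int] = None
    end = 0
    for off in range(0, max(1, len(blob) - window + 1), step):
        if shannon_entropy(blob[off:off + window]) >= threshold:
            if start is None:
                start = off
            end = off + window
        elif start is not None:
            regions.append((start, end))
            start = None
    if start is not None:
        regions.append((start, end))
    return regions


def build_sample_resource() -> bytes:
    """Construct a fake 'image' resource: a repeating low-entropy byte pattern
    (entropy 5.0, 32 distinct values) with a deterministic pseudo-random blob,
    standing in for an encrypted payload, embedded in the middle.
    Purely synthetic test data built here, not bytes from any real file."""
    carrier = bytes(0x40 + (i * 7) % 32 for i in range(CARRIER_LEN))
    # SHA-256 of a counter gives a reproducible stream that looks like ciphertext.
    payload = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest()
                       for i in range(PAYLOAD_LEN // 32))
    return carrier + payload + carrier


def locate_embedded_payload(blob: bytes) -> Optional[Tuple[int, int]]:
    """Return the (start, end) of the largest high-entropy region, or None."""
    regions = find_high_entropy_regions(blob)
    if not regions:
        return None
    return max(regions, key=lambda r: r[1] - r[0])


if __name__ == "__main__":
    res = build_sample_resource()
    print("whole resource entropy: %.2f" % shannon_entropy(res))
    hit = locate_embedded_payload(res)
    if hit is None:
        print("no high-entropy region found")
    else:
        s, e = hit
        print("candidate payload at 0x%x-0x%x, entropy %.2f"
              % (s, e, shannon_entropy(res[s:e])))
```

To use this on a real sample, dump the resource bytes with whatever PE parser you have at hand and pass them to `find_high_entropy_regions`; a carrier that is already compressed (PNG, JPEG) is high-entropy throughout and defeats the heuristic, so it is only useful on uncompressed resources such as bitmaps and icons. Locating the blob is only the first step: as the abstract states, the payload is encrypted, so the key and scheme still have to be recovered from the loader before the bytes mean anything.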