A newly identified malware known as SnappyClient has emerged as a significant threat to Windows users, combining remote access, data theft capabilities, and advanced evasion techniques in one compact C++ framework. Discovered in December 2025, this malware can log keystrokes, capture screenshots, open remote terminals, and extract sensitive information from browsers and applications, all while evading detection by security tools.
Initial Detection and Delivery Methods
Initially detected by researchers at Zscaler ThreatLabz, SnappyClient was found to use a fake website impersonating the telecommunications company Telefónica to deploy its attack. German-speaking visitors to the site were automatically served a HijackLoader download. Once executed, HijackLoader decrypts and loads SnappyClient directly into the system’s memory. In early February 2026, a secondary delivery method involving a ClickFix trick was observed, further spreading SnappyClient via GhostPulse and HijackLoader.
SnappyClient communicates with its command-and-control server over TCP using a fully custom protocol. Its network traffic is made difficult to inspect due to compression with the Snappy algorithm and encryption with ChaCha20-Poly1305.
Data Theft and Cryptocurrency Targeting
Targeting a wide range of applications, SnappyClient focuses on stealing data from ten browsers, including Chrome, Firefox, Edge, Opera, and Brave. It extracts saved passwords, session cookies, and full browser profiles. The malware also targets cryptocurrency-related extensions such as MetaMask, Phantom, and Coinbase Wallet, as well as standalone applications like Exodus and Ledger Live. Cryptocurrency theft appears to be the primary financial goal behind these attacks.
Beyond data theft, SnappyClient offers reverse proxy capabilities for FTP, VNC, SOCKS5, and RLOGIN, providing attackers with multiple entry points into a victim’s network. It can manipulate clipboard data in real time, redirecting cryptocurrency transactions by swapping out wallet addresses.
Evasion Techniques and Persistence
SnappyClient is designed to circumvent security measures effectively. It hooks Windows’ LoadLibraryExW function and neutralizes attempts to load amsi.dll by patching AmsiScanBuffer and AmsiScanString, effectively disabling the Windows Antimalware Scan Interface without detection. It also employs Heaven’s Gate to switch between 32-bit and 64-bit execution modes, bypassing user-mode API hooks.
For persistence, SnappyClient registers a scheduled task triggered at user logon and, if that fails, creates an autorun entry in the registry. It copies itself to a designated path and launches from there, and it encrypts its sensitive files with ChaCha20, which complicates forensic recovery.
To mitigate the risks posed by SnappyClient, users and organizations should avoid downloading executables from unverified sources. Security teams should monitor for unusual task creation and registry changes as indicators of SnappyClient’s presence. Implementing endpoint detection rules for Heaven’s Gate patterns and maintaining updated browsers can reduce vulnerability to App-Bound Encryption bypass attempts.
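As an added illustration of the monitoring suggested above (example code, not from the original report or from Zscaler), the following Python triage logic flags the two persistence mechanisms described for SnappyClient, a logon-triggered scheduled task and a registry Run entry, whenever the launch path sits in a user-writable directory. The event records are constructed samples shaped like Sysmon Event ID 13 (registry value set) and Windows Security Event ID 4698 (scheduled task created); the list of suspicious path components is an assumption to tune per environment.

```python
"""Triage of logon-task and registry-autorun persistence events (added example,
not the report's code). Sample records below are constructed, not real telemetry."""
import re
import xml.etree.ElementTree as ET

# Autostart entries launched from user-writable locations are treated as suspicious,
# since a dropper that copies itself before persisting lands there (assumed list).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

def triage_run_key(event):
    """Sysmon EID 13: Run/RunOnce value whose data points into a user-writable path."""
    if event["EventID"] != 13 or not RUN_KEY.search(event["TargetObject"]):
        return None
    if USER_WRITABLE.search(event["Details"]):
        return f"registry autorun -> {event['Details']}"
    return None

def triage_task(event):
    """Security EID 4698: logon-triggered task whose Exec action is in a user-writable path."""
    if event["EventID"] != 4698:
        return None
    root = ET.fromstring(event["TaskContent"])  # TaskContent is the task's XML definition
    if root.find(".//t:LogonTrigger", TASK_NS) is None:
        return None
    cmd = root.findtext(".//t:Exec/t:Command", default="", namespaces=TASK_NS)
    if USER_WRITABLE.search(cmd):
        return f"logon task {event['TaskName']} -> {cmd}"
    return None

def triage(events):
    """One finding string per suspicious event, in input order."""
    return [f for f in (triage_run_key(e) or triage_task(e) for e in events) if f]

def task_xml(trigger, command):  # builds constructed 4698 TaskContent samples
    return (f'<Task xmlns="{TASK_NS["t"]}"><Triggers>{trigger}</Triggers>'
            f"<Actions><Exec><Command>{command}</Command></Exec></Actions></Task>")

SAMPLE_EVENTS = [  # constructed samples: one hit and one benign entry per mechanism
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Roaming\svc\update.exe"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
    {"EventID": 4698, "TaskName": r"\Updater",
     "TaskContent": task_xml("<LogonTrigger/>", r"C:\Users\alice\AppData\Roaming\svc\update.exe")},
    {"EventID": 4698, "TaskName": r"\Backup",
     "TaskContent": task_xml("<CalendarTrigger/>", r"C:\Program Files\Backup\backup.exe")},
]
print(triage(SAMPLE_EVENTS))
```

Feeding real events requires mapping the exported field names of your SIEM onto the keys used here; the regex allow-list is deliberately narrow and will miss autostarts from other writable paths.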
