More advanced obfuscation techniques have been adopted by a new Hijack Loader malware variant, the SHELBY malware, and the Emmenhtal Loader to facilitate clandestine compromise, according to The Hacker News.

After being spread via code-signing certificates and the ClickFix attack technique, Hijack Loader was discovered by Zscaler ThreatLabs to have been updated to include call stack spoofing for API origin and system call concealment which was previously observed in the CoffeeLoader malware as well as a pair of new modules allowing virtual machine identification and persistence. Another report from Elastic Security Labs detailed the novel SHELBY malware family, which is being deployed via phishing emails with a ZIP archive attachment executing the SHELBYLOADER DLL loader that uses GitHub as a command-and-control server for stealth. On the other hand, Emmenhtal Loader, also known as PEAKLIGHT, was observed by GDATA researchers to have exploited 7-Zip files to stealthily launch the SmokeLoader malware, which also had its concealment improved through the commercial .NET protection tool .NET Reactor.