
Technical Analysis of the SnappyClient C2 Implant and Delivery Mechanisms

Recent analysis of the SnappyClient command-and-control (C2) implant details its evasion techniques, delivery via HijackLoader, and data collection capabilities. Security teams can use these findings to improve detection of long-term, stealthy unauthorized access.

Triage Security Media Team

Technical analysis of a command-and-control (C2) implant known as SnappyClient provides security teams with concrete data on how malicious actors maintain stealthy access and exfiltrate data from compromised environments. First observed in December 2025 by researchers at Zscaler ThreatLabz, the C++-based tool includes capabilities for screen capture, keystroke logging, remote shell access, and credential theft from browsers and applications.

Malicious actors have primarily distributed SnappyClient using HijackLoader, a modular malware loader previously associated with families like RedLine Stealer, Danabot, and SystemBC. In one observed delivery sequence, unauthorized parties used a counterfeit website impersonating the Spanish telecommunications company Telefónica, specifically targeting German-speaking users. When a user downloaded the initial file, HijackLoader executed, decrypted, and deployed the SnappyClient component. Zscaler researchers also identified alternative distribution methods using ClickFix social engineering techniques, indicating that the operators are diversifying their delivery mechanisms.

To evade detection, SnappyClient employs several advanced techniques. It attempts to bypass Microsoft's Antimalware Scan Interface (AMSI) by placing a trampoline hook on the LoadLibraryExW function. When the hooked process loads amsi.dll, SnappyClient hooks AmsiScanBuffer and AmsiScanString so that they always return a clean result (AMSI_RESULT_CLEAN). Additionally, the implant operates in 64-bit mode, makes direct system calls rather than going through user-mode API wrappers, and injects code into legitimate processes to obscure its presence.
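One defender-side check for the hooks described above, added here as an example (not code from the article or from Zscaler): it classifies the first bytes of a function entry point against common x64 inline-hook stub shapes and, on Windows, reads those bytes for the three named exports in the current process. The byte patterns, the export list and the in-process scope are assumptions of this example; a production check would also compare against the module's on-disk image.

```python
"""Integrity check for the exports the article says SnappyClient hooks.
Added example, not the article's or Zscaler's code. The byte patterns are generic
x64 inline-hook stub shapes (an assumption, not SnappyClient's own bytes)."""
import ctypes
import sys

# The loader hook and the two AMSI scan exports named in the article.
WATCHED_EXPORTS = [
    ("kernel32.dll", "LoadLibraryExW"),
    ("amsi.dll", "AmsiScanBuffer"),
    ("amsi.dll", "AmsiScanString"),
]

def classify_prologue(prologue: bytes) -> str:
    """'trampoline': control redirected elsewhere; 'patched-return': stub that
    returns a constant at once (the shape of a forced-clean AMSI patch);
    'unmodified': no known stub at the entry point."""
    if prologue[:1] == b"\xE9":                                  # jmp rel32
        return "trampoline"
    if prologue[:2] == b"\x48\xB8" and prologue[10:12] == b"\xFF\xE0":
        return "trampoline"                                      # mov rax, imm64 ; jmp rax
    if prologue[:1] == b"\x68" and prologue[5:6] == b"\xC3":     # push imm32 ; ret
        return "trampoline"
    if prologue[:1] == b"\xB8" and prologue[5:6] == b"\xC3":     # mov eax, imm32 ; ret
        return "patched-return"
    if prologue[:1] == b"\xC3":                                  # bare ret
        return "patched-return"
    return "unmodified"

def read_export_prologue(module: str, export: str, size: int = 16) -> bytes:
    """Windows only: resolve the export in this process and read its first bytes."""
    k32 = ctypes.windll.kernel32                # AttributeError off Windows
    k32.LoadLibraryW.restype = ctypes.c_void_p  # keep 64-bit pointers intact
    k32.LoadLibraryW.argtypes = [ctypes.c_wchar_p]
    k32.GetProcAddress.restype = ctypes.c_void_p
    k32.GetProcAddress.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
    handle = k32.LoadLibraryW(module)
    if not handle:
        raise OSError(f"cannot load {module}")
    addr = k32.GetProcAddress(handle, export.encode("ascii"))
    if not addr:
        raise OSError(f"{export} not exported by {module}")
    return ctypes.string_at(addr, size)

def check_process() -> dict:
    """Self-check of the current 64-bit process: {module!export: label}."""
    if sys.platform != "win32":
        return {}
    return {f"{m}!{e}": classify_prologue(read_export_prologue(m, e))
            for m, e in WATCHED_EXPORTS}
```

Any result other than "unmodified" for these exports is worth an alert; legitimate prologues on current Windows builds do not start with these stub shapes, but confirm against the on-disk image before acting.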

Once active on an affected system, SnappyClient establishes persistence using scheduled tasks tied to user logon or by modifying Windows registry autorun keys. It then encrypts its C2 traffic with ChaCha20-Poly1305. This modern AEAD (Authenticated Encryption with Associated Data) algorithm performs well in pure software, without relying on hardware acceleration as AES implementations typically do, and it leaves the encrypted network traffic difficult for defenders to analyze without the specific session keys.

From a functionality standpoint, SnappyClient configurations indicate an emphasis on long-term data collection rather than immediate system disruption. The implant extracts credentials, cookies, and App-Bound Encryption keys from browsers including Chrome, Firefox, Edge, Brave, and Opera. It also uses an encrypted "EventsDB" configuration file to monitor the system clipboard. By matching clipboard content against regular expressions, the implant can dynamically replace or exfiltrate copied data, a technique frequently used for cryptocurrency theft. Operators can also establish a remote shell for direct command-line access and push configuration updates to specify new target applications.

C2 implants like SnappyClient, Havoc, and Sliver are engineered to operate quietly over extended periods. Because they prioritize evasion and anti-analysis features over disruptive actions, organizations are best served by layering their defenses. Security teams can counter these tools by implementing advanced behavioral monitoring, regular memory scanning for injected processes, and strict egress traffic controls to detect unauthorized communication before significant data exposure occurs.
