C2 Implant 'SnappyClient' Targets Crypto Wallets
In addition to enabling remote access, the malware supports a wide range of capabilities, including data theft and spying.
Jai Vijayan, Contributing Writer
March 18, 2026
3 Min Read
Technical analysis of a command-and-control (C2) implant that first surfaced in December 2025 provides fresh insight into how such tools enable threat actors to maintain stealthy, persistent access, exfiltrate data, and remotely control compromised systems.
The malware, which researchers at Zscaler ThreatLabz are tracking as "SnappyClient," is a C++-based C2 implant. It supports an extensive set of commands, including the ability to take screenshots, log keystrokes, enable remote shell access, and steal data from applications, browsers, and browser extensions.
An Evasive Threat
Zscaler found the malware employing multiple techniques to evade detection. Among them was one designed to bypass Microsoft's Antimalware Scan Interface (AMSI), and another that enables the malware to execute in 64-bit mode, make direct system calls to the operating system, and write malicious code into legitimate processes.
Zscaler found the threat actors behind SnappyClient using a previously known modular malware loader dubbed "HijackLoader" to deliver the C2 implant to target systems. Previous research on HijackLoader by Zscaler revealed that it uses multiple modules — something most loaders do not have — to inject and execute code on compromised systems. Threat actors, according to the vendor, have previously used the loader to distribute malware such as RedLine Stealer, Danabot, and SystemBC.
"SnappyClient operates as a C2 framework implant, with remote access and data theft capabilities," Zscaler said in a blog post this week, summarizing its analysis. "The primary use for SnappyClient has been for cryptocurrency theft. Based on observed code similarities, there may be a connection between the developers of HijackLoader and SnappyClient."
In one SnappyClient campaign Zscaler observed, the attack began with a convincing-looking website impersonating the Spanish telecommunications company Telefonica. When a user landed on the page, it automatically downloaded a HijackLoader executable that, when run, decrypted and deployed SnappyClient on the victim machine. In a separate delivery chain that Zscaler spotted earlier this year, the threat actor behind SnappyClient used a ClickFix social engineering technique to deliver the malware, indicating that the actor is diversifying its distribution methods.
Once installed, SnappyClient establishes persistence either through scheduled tasks or by modifying the compromised system's Windows registry autorun keys. It then connects to its C2 infrastructure using ChaCha20-Poly1305, a modern authenticated encryption algorithm, to encrypt all C2 traffic, which makes detection based on traffic content challenging.
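A defender-side triage of the two persistence locations the article names, written as an added example (not code from the article or from Zscaler's analysis); the list of user-writable directories and the flagging heuristic are assumptions, not SnappyClient indicators, so expect some benign hits:

```powershell
# Added example: enumerate Run/RunOnce autorun keys and scheduled-task actions,
# flagging entries whose command points into a user-writable directory.
# The directory list and the heuristic are assumptions, not published IoCs.

$UserWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData, $env:PUBLIC) |
    Where-Object { $_ } | ForEach-Object { [regex]::Escape($_) }
$Pattern = $UserWritable -join '|'   # -match is case-insensitive by default

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Registry autorun entries: each value name maps to a command line.
$RegHits = @(foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }
    $Props = Get-ItemProperty -Path $Key
    foreach ($Name in $Props.PSObject.Properties.Name) {
        if ($Name -like 'PS*') { continue }   # skip provider metadata (PSPath, PSChildName, ...)
        $Cmd = [string]$Props.$Name
        if ($Cmd -match $Pattern) {
            [pscustomobject]@{ Source = $Key; Name = $Name; Command = $Cmd }
        }
    }
})

# Scheduled tasks: inspect the executable and arguments of every action.
$TaskHits = @(foreach ($Task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($Action in $Task.Actions) {
        $Cmd = "$($Action.Execute) $($Action.Arguments)".Trim()
        if ($Cmd -match $Pattern) {
            [pscustomobject]@{ Source = "Task:$($Task.TaskPath)"; Name = $Task.TaskName; Command = $Cmd }
        }
    }
})

$Findings = $RegHits + $TaskHits
$Findings | Sort-Object Source, Name | Format-Table -AutoSize
```

Run it in an elevated session so the HKLM keys and all task folders are readable; review each hit against the file's signature and install history rather than treating a match as a verdict.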
Broad Compatibility
From a functionality standpoint, the malware can steal credentials and cookie data from multiple browsers, including Chrome, Firefox, Edge, Brave, and Opera. Attackers can use the implant to establish a remote shell on compromised systems for direct command-line access. They can also push configuration updates to the implant and dynamically tell it which apps to target for data theft, suggesting it is more of a tool for long-term operations than for hit-and-run attacks.
C2 implants like SnappyClient can be difficult for organizations to defend against because of how they are designed to evade detection. Unlike ransomware or other malware that is generally disruptive and therefore easy to spot, C2 implants are stealthy by design and pack anti-analysis features that allow them to remain hidden on a compromised network for extended periods. One example is Havoc, an open source C2 framework that Zscaler discovered in 2023 and that, at the time, was capable of evading protections in even the most updated versions of Windows 11 because of how it implemented advanced evasion techniques. Another is Sliver, a sophisticated C2 framework that Cybereason and other vendors have spotted multiple threat actors using for post-compromise command and control of compromised systems.
About the Author
Jai Vijayan
Contributing Writer
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.