Hijack Loader and SHELBY Campaigns

In April 2025, cybersecurity researchers uncovered two advanced threats that highlight the growing sophistication of adversaries: an upgraded Hijack Loader variant and a newly discovered malware family named SHELBY (REF8685). Both demonstrate enhanced capabilities in evading detection, maintaining persistence, and misusing legitimate platforms.

The Hijack Loader—also known as DOILoader, SHADOWLADDER, and GHOSTPULSE—has evolved to include call stack spoofing, direct system calls via Heaven’s Gate, and virtualisation-aware execution. These enhancements improve its ability to bypass sandboxes and endpoint protections while serving as a stealthy delivery mechanism for second-stage payloads such as Cobalt Strike.

Meanwhile, SHELBY exploits GitHub for Command-and-Control (C2) communications—a tactic designed to blend into legitimate network traffic. It uses a multi-stage chain with DLL side-loading and sandbox evasion to complicate detection and analysis.

These threats reinforce the need for organisations to strengthen their detection strategies against stealthy loaders, abuse of legitimate services, and evasive malware behaviours.
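One practical way to act on the last point, the abuse of a legitimate service such as GitHub as a C2 transport, is to look for processes that are not expected GitHub clients and that contact GitHub endpoints on a regular cadence. The script below is an added illustration written for this post, not code from the researchers or from either malware family; the proxy log format, the host and process names, and the allowlist of expected clients are all constructed assumptions, and the sample lines are made up to show the pattern.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean

# Hypothetical proxy log format (an assumption for this example, not a vendor format):
#   "<iso8601-ts> <host> <process-name> <destination-host> <bytes-out>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>\S+)\s+(?P<dest>\S+)\s+(?P<nbytes>\d+)$"
)

# Well-known GitHub hostnames that a loader could use as a C2 transport.
GITHUB_HOSTS = {"github.com", "api.github.com", "raw.githubusercontent.com"}

# Processes expected to talk to GitHub in this constructed environment.
EXPECTED_CLIENTS = {"git.exe", "chrome.exe", "firefox.exe", "msedge.exe", "code.exe"}

# Constructed sample lines: one workstation shows a non-browser binary polling
# the GitHub API every 30 seconds, which is the pattern worth surfacing.
SAMPLE_LOG = """\
2025-04-02T10:00:00Z ws01 chrome.exe github.com 1450
2025-04-02T10:00:05Z ws07 updater.exe api.github.com 312
2025-04-02T10:00:35Z ws07 updater.exe api.github.com 310
2025-04-02T10:01:05Z ws07 updater.exe api.github.com 315
2025-04-02T10:01:35Z ws07 updater.exe api.github.com 309
2025-04-02T10:02:10Z ws03 git.exe github.com 8800
2025-04-02T10:02:12Z ws03 git.exe api.github.com 640
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    proc: str
    dest: str
    nbytes: int


def parse_log(text: str) -> list:
    """Parse proxy lines; malformed lines are skipped rather than aborting the job."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append(Event(ts, m["host"], m["proc"].lower(), m["dest"].lower(), int(m["nbytes"])))
    return events


def find_github_c2_candidates(events, min_hits=3, max_jitter=0.25):
    """
    Group GitHub connections by (host, process). Report pairs whose process is
    not an expected client and that have at least `min_hits` connections; mark
    the pair as a regular beacon when every inter-request gap lies within
    `max_jitter` of the mean gap.
    """
    by_pair = defaultdict(list)
    for ev in events:
        if ev.dest in GITHUB_HOSTS and ev.proc not in EXPECTED_CLIENTS:
            by_pair[(ev.host, ev.proc)].append(ev)

    findings = {}
    for pair, evs in by_pair.items():
        if len(evs) < min_hits:
            continue
        evs.sort(key=lambda e: e.ts)
        gaps = [(b.ts - a.ts).total_seconds() for a, b in zip(evs, evs[1:])]
        avg = mean(gaps)
        regular = avg > 0 and max(abs(g - avg) for g in gaps) <= max_jitter * avg
        findings[pair] = {
            "hits": len(evs),
            "mean_interval_s": avg,
            "regular_beacon": regular,
            "destinations": sorted({e.dest for e in evs}),
        }
    return findings


if __name__ == "__main__":
    for (host, proc), info in find_github_c2_candidates(parse_log(SAMPLE_LOG)).items():
        print(f"{host} {proc}: {info}")
```

The allowlist and the jitter threshold are the tuning knobs: a generous allowlist keeps developer traffic quiet, while the beacon-regularity flag is what separates a scheduled updater that genuinely polls GitHub from one that merely ran a few times. Treat a hit as a triage lead to pair with process lineage and binary reputation, not as a verdict on its own.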
