C2 Implant ‘SnappyClient’ Targets Crypto Wallets
Summary
Technical analysis by Zscaler ThreatLabz reveals a C++ command-and-control implant dubbed “SnappyClient” that surfaced in December 2025. The implant provides persistent, stealthy remote access and a broad suite of data-theft capabilities — screenshots, keylogging, remote shells and targeted extraction of application, browser and extension data.
The actors delivering SnappyClient have used a modular loader known as HijackLoader and diverse social-engineering lures (including a fake Telefónica site and ClickFix techniques). The implant evades detection via AMSI bypasses, 64-bit direct system calls, in-process code injection and encrypted C2 traffic using ChaCha20-Poly1305. Its primary observed use case: cryptocurrency theft, with support for stealing credentials and cookies across Chrome, Firefox, Edge, Brave and Opera.
Key Points
- SnappyClient is a C++ C2 implant offering remote shell, screenshots, keystroke logging and targeted data exfiltration.
- Delivered via the modular loader HijackLoader, social-engineering pages (e.g., a faux Telefónica site) and ClickFix-style lures.
- Uses multiple evasion techniques: AMSI bypass, 64-bit direct syscalls, in-process code injection and hiding inside legitimate processes.
- Encrypts C2 communications with ChaCha20-Poly1305, complicating network detection.
- Targets browser credentials and cookies across major browsers to enable cryptocurrency theft.
- Establishes persistence through scheduled tasks or Windows registry autoruns and accepts remote config updates for long-term operations.
- Modular design and dynamic targeting make it suited to prolonged, stealthy campaigns rather than quick strikes.
- Possible developer linkage between HijackLoader and SnappyClient based on code similarities seen by researchers.
Context and Relevance
C2 implants like SnappyClient represent the quiet, persistent end of the threat spectrum — designed to remain under the radar while siphoning sensitive data. With the rise in value and use of cryptocurrency, attackers are increasingly focused on browser- and extension-level theft to seize wallet access and session credentials. The combination of modular loaders, advanced evasion techniques and encrypted C2 channels continues a trend of sophisticated, long-running campaigns that bypass traditional signature-based defences.
Why should I read this?
Short version: if you care about crypto — or run endpoints people use for crypto — this is a real headache. SnappyClient is stealthy, sneaky and built to stick around and pillage wallets. Read this so you know what to look for and don’t get caught out.
Author (tone: punchy)
Must-read if you manage endpoints, threat detection or protect users who handle crypto. This isn’t noisy ransomware; it’s surgical theft. The details matter — the delivery chains, the AMSI bypass and the encrypted C2 tell you this actor intends to stay inside your estate and pick off credentials over time. Skimming won’t cut it: dig into detection, telemetry and response playbooks.
Recommended immediate actions
- Hunt for suspicious scheduled tasks and unexpected registry autoruns.
- Monitor for unusual outbound traffic, especially encrypted channels to unfamiliar hosts.
- Check browser extension inventories and key material handling on endpoints; enforce least privilege for extensions.
- Ensure AMSI and endpoint protection telemetry are up-to-date and supplement with behavioural detections for in-process injection and direct syscall patterns.
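Added example (not from the Zscaler analysis or SnappyClient itself): a PowerShell hunt that walks every scheduled-task action and the HKLM/HKCU Run and RunOnce autoruns, flagging entries that launch from user-writable directories or through script hosts. The path and host lists are generic heuristic assumptions of mine, not indicators taken from the report.

```powershell
# Added example (not from the Zscaler analysis): list scheduled-task actions and registry
# autoruns, flagging entries launched from user-writable paths or through script hosts.
# The path and host heuristics are generic assumptions, not SnappyClient indicators.
$suspectPaths = @('\\AppData\\', '\\Temp\\', '\\ProgramData\\', '\\Users\\Public\\', '\\Downloads\\')
$scriptHosts  = @('powershell', 'pwsh', 'wscript', 'cscript', 'mshta', 'rundll32', 'regsvr32', 'cmd')

function Test-SuspiciousCommand {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $false }
    $pathHit = $suspectPaths | Where-Object { $Command -match $_ }
    $hostHit = $scriptHosts  | Where-Object { $Command -match ('(^|[\\\s"])' + $_ + '(\.exe)?([\s"]|$)') }
    return [bool]($pathHit -or $hostHit)
}

$findings = @()

# Scheduled tasks: every action's executable plus its arguments
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)".Trim()
        if (Test-SuspiciousCommand $cmd) {
            $findings += [pscustomobject]@{ Source = 'ScheduledTask'; Name = "$($task.TaskPath)$($task.TaskName)"; Command = $cmd }
        }
    }
}

# Registry autoruns: HKLM (all users) and HKCU (only the account running this script)
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath, PSParentPath, ...)
        if (Test-SuspiciousCommand ([string]$p.Value)) {
            $findings += [pscustomobject]@{ Source = 'Autorun'; Name = "$key\$($p.Name)"; Command = $p.Value }
        }
    }
}

# Review each hit manually; legitimate updaters often live in AppData too
$findings | Sort-Object Source, Name | Format-Table -AutoSize -Wrap
```

Run it elevated to read HKLM and all task folders; to cover other users' HKCU hives, load them or run the autorun portion in each user's context.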
