Technical analysis of a command-and-control (C2) implant that first surfaced in December 2025 provides fresh insight into how such tools enable threat actors to maintain stealthy, persistent access, exfiltrate data, and remotely control compromised systems.
The malware, which researchers at Zscaler ThreatLabz are tracking as “SnappyClient,” is a C++-based C2 implant. It supports an extensive set of commands including the ability to take screenshots, log keystrokes, enable remote shell access, and steal data from applications, browsers, and extensions.
An Evasive Threat
Zscaler found the malware employing multiple techniques to evade detection. Among them was one designed to bypass Microsoft’s Antimalware Scan Interface (AMSI), and another that enables the malware to execute in 64-bit mode, make direct system calls to the operating system, and write malicious code into legitimate processes.
Zscaler found the threat actors behind SnappyClient using a previously known modular malware loader dubbed “HijackLoader” to deliver the C2 implant on target systems. Previous research on HijackLoader by Zscaler revealed it to be using multiple modules — something that most loaders typically do not have — to inject and execute code on compromised systems. Threat actors, according to the vendor, have previously used the loader to distribute malware such as RedLine Stealer, Danabot, and SystemBC.
“SnappyClient operates as a C2 framework implant, with remote access and data theft capabilities,” Zscaler said in a blog post this week, summarizing its analysis. “The primary use for SnappyClient has been for cryptocurrency theft. Based on observed code similarities, there may be a connection between the developers of HijackLoader and SnappyClient.”
In one SnappyClient campaign Zscaler observed, the attack began with a very convincing-looking website impersonating Spanish telecommunications company Telefonica. When a user landed on the page, it automatically downloaded a HijackLoader executable that, when run, decrypted and deployed SnappyClient on the victim machine. In a separate delivery chain that Zscaler spotted earlier this year, the threat actor behind SnappyClient used a ClickFix social engineering technique to deliver the malware, indicating they are diversifying their distribution methods.
Once installed, SnappyClient establishes persistence either through scheduled tasks or by modifying the compromised system's Windows registry autorun keys. It then connects to its C2 infrastructure using ChaCha20-Poly1305, a modern authenticated encryption algorithm, to encrypt all C2 traffic, making detection challenging.
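Because payload signatures are useless once C2 traffic is wrapped in ChaCha20-Poly1305, defenders usually fall back on connection metadata. The following is an added example, not code from Zscaler's analysis, that flags timer-driven check-ins in a constructed flow log (the log format and addresses are assumptions made for this illustration):

```python
"""Beacon-interval detector for encrypted C2 traffic (added example).

Looks only at connection timing, never at payload content: for each
(source, destination) pair it measures how regular the gaps between
connections are. An implant polling its C2 on a fixed timer with modest
jitter yields a low coefficient of variation (stdev / mean), while
ordinary user traffic to the same port does not.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample flow log: "timestamp src dst:port bytes_out".
# 203.0.113.7 receives a check-in roughly every 60 s; 198.51.100.20 is
# ordinary, irregular browsing traffic.
SAMPLE_FLOWS = """\
2025-12-01T10:00:00 10.0.0.5 203.0.113.7:443 412
2025-12-01T10:00:00 10.0.0.5 198.51.100.20:443 1203
2025-12-01T10:01:02 10.0.0.5 203.0.113.7:443 415
2025-12-01T10:02:01 10.0.0.5 203.0.113.7:443 411
2025-12-01T10:02:40 10.0.0.5 198.51.100.20:443 7310
2025-12-01T10:03:03 10.0.0.5 203.0.113.7:443 414
2025-12-01T10:03:59 10.0.0.5 203.0.113.7:443 412
2025-12-01T10:05:01 10.0.0.5 203.0.113.7:443 413
2025-12-01T10:09:17 10.0.0.5 198.51.100.20:443 88
"""

def parse_flows(text):
    """Group connection timestamps by (src, dst) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, _bytes_out = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows

def interval_stats(timestamps):
    """Return (mean_gap_seconds, coefficient_of_variation) for the gaps
    between consecutive connections, or None if there are too few."""
    if len(timestamps) < 4:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return (m, pstdev(gaps) / m) if m > 0 else None

def find_beacons(text, max_cv=0.2):
    """Return (src, dst, mean_interval_s, cv) for pairs whose timing is
    regular enough (cv <= max_cv) to warrant a beaconing investigation."""
    hits = []
    for (src, dst), stamps in parse_flows(text).items():
        stats = interval_stats(stamps)
        if stats is not None and stats[1] <= max_cv:
            hits.append((src, dst, round(stats[0]), round(stats[1], 3)))
    return hits
```

In production the threshold and minimum sample count must be tuned per environment, since software updaters and monitoring agents also poll on timers.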
Broad Compatibility
From a functionality standpoint, the malware can steal credentials and cookie data from multiple browsers including Chrome, Firefox, Edge, Brave, and Opera. Attackers can use the implant to establish a remote shell on compromised systems for direct command-line access. They can also push configuration updates to the implant and dynamically tell it which apps to target for data theft, suggesting it is more of a tool for long-term operations rather than hit-and-run attacks.
C2 implants like SnappyClient can be difficult for organizations to defend against because of how they are designed to evade detection. Unlike ransomware or other malware that generally tends to be disruptive and therefore easy to spot, C2 implants are stealthy by design and pack anti-analysis features that allow them to remain hidden on a compromised network for extended periods. One example is Havoc, an open source C2 framework that Zscaler discovered in 2023 and that, at the time, was capable of evading protections in even the most updated versions of Windows 11 because of how it implemented advanced evasion techniques. Another is Sliver, a sophisticated C2 framework that Cybereason and other vendors have spotted multiple threat actors using for post-compromise command and control of compromised systems.
