Snap, trigger, steal: SnappyClient and the art of trigger-based intrusions

Wednesday 14 October 11:55 - 12:25, Green room 

Muhammed Irfan V A, Avinash Kumar & Nirmal Singh (Zscaler)

SnappyClient is an emerging command-and-control (C2) framework implant that has been distributed exclusively through HijackLoader. SnappyClient stands out due to its capability of a full-featured remote access toolset that includes screen capture, keylogging, interactive terminal, and data theft while rapidly iterating through frequent version updates. In this talk, we introduce SnappyClient while explaining how its sophisticated, operator-customizable platform enables highly customized attacks driven by specific triggers. It can continuously monitor for defined conditions and automatically execute tailored actions when those conditions are met.

We will walk through SnappyClient's architecture, focusing on its embedded configurations and moving to the C2-delivered encrypted databases (EventsDB and SoftwareDB) that drive conditional workflows and targeted data theft. Attendees will learn how SnappyClient's operators remotely push event-driven behaviours (e.g. clipboard/window-title triggers) and dynamically specify what data gets collected without redeploying the implant. We will also unpack  SnappyClient's layered crypto scheme used to protect its network configuration, along with its custom network communication protocol that compresses and encrypts JSON messages using Snappy and ChaCha20-Poly1305. Beyond internals, this research maps initial infection vectors used to deliver SnappyClient, focusing on the different lures and themes used, and the malware's C2 panel to highlight attacker-side UI features. This study will further cover key changes introduced after version 0.1.11, including updates to how the pairs configuration is parsed, and what those changes reveal about developers' intent.

Finally, we decrypt SnappyClient's post-compromise network activity to identify their motivations and objectives for the campaigns. We then look into SnappyClient's evasion techniques including AMSI bypass and process injection techniques that leverage Heaven's Gate, Direct Syscall and transacted hollowing to bypass protections such as Chromium App-Bound Encryption. This study also examines the operators behind the development of SnappyClient.

 

Muhammed-Irfan-VA.jpg

Muhammed Irfan V A

Muhammed Irfan V A works in Zscaler ThreatLabZ as a senior threat researcher. Irfan has worked in the malware research field for the past six years. He previously worked at LTIMindtree as a malware analyst. His work areas include tracking new campaigns and malware families and providing detection for them. Irfan holds a Bachelor's degree in cyber forensics from Mahathma Gandhi Uninverity.

 

 
Avinash-Kumar.jpg

Avinash Kumar

Avinash Kumar works at Zscaler ThreatLabZ as a senior manager – MalwareLabz – security researcher. He has worked in the threat research field for more than 15 years. He previously worked at Norman and Genpact as a senior malware analyst. His research areas include different malware categories with advance malware botnet and analysing the various campaigns on daily basis. Avinash holds a Master's degree in computer application from Punjab Technical University. Apart from malware research, he loves to play cricket and table tennis.

 
Nirmal-Singh.jpg

Nirmal Singh

Nirmal Singh is Senior Director for the security research team at Zscaler ThreatLabZ located at Chandigarh, India. Nirmal has a Ph.D. in computer science and has been working in the threat research and analysis field for the past 17 years. He oversees malware research, detection and innovation at Zscaler. Prior to Zscaler, he worked with Norman as a manager for the threat response team.

Back to VB2026 Programme page

Back to VB2026 conference page

Register your interest for VB2026

Other VB2026 papers

Threat intelligence-driven clustering: identifying a new cyber-mercenary intrusion set

VB2026 presentation: Threat intelligence-driven clustering: identifying a new cyber-mercenary intrusion set, Maher Yamout and Fatih Şensoy

From hotel account compromise to guest payment fraud: the reservation hijack attack chain

VB2026 presentation: From hotel account compromise to guest payment fraud: the reservation hijack attack chain, Martin Chlumecký and Luis Corrons

Hunting LANDFALL: from overlooked images to state-linked mobile spyware

VB2026 presentation: Hunting LANDFALL: from overlooked images to state-linked mobile spyware, Itay Cohen

Gorbag: Orcs at the border

VB2026 presentation: Gorbag: Orcs at the border, Damien Schaeffer

Defeating indirect branching obfuscations in malware with Hex-Rays Decompiler

VB2026 presentation: Defeating indirect branching obfuscations in malware with Hex-Rays Decompiler, Georgy Kucherin

Discerning the invisible: a heuristic engine for behavioural inference in nation-state covert networks

VB2026 presentation: Discerning the invisible: a heuristic engine for behavioural inference in nation-state covert networks, Madeline Sedgwick

Kimwolf’s claws loom over 1.8 million firewalled Android devices worldwide

VB2026 presentation: Kimwolf’s claws loom over 1.8 million firewalled Android devices worldwide, Alex Turing

Paying the TOLL: how REF3927 turned 571 IIS servers into an SEO fraud network

VB2026 presentation: Paying the TOLL: how REF3927 turned 571 IIS servers into an SEO fraud network, Salim Bitam and Jia Yu Chan

Leveraging Landlock telemetry for Linux detection engineering

VB2026 presentation: Leveraging Landlock telemetry for Linux detection engineering, Guillaume Couchard and Erwan Chevalier

Targeting the elderly: from spoofing to persistence

VB2026 presentation: Targeting the elderly: from spoofing to persistence, Axelle Apvrille

The invisible warzone: competing botnets fighting over your smart TV

VB2026 presentation: The invisible warzone: competing botnets fighting over your smart TV, Asher Davila, Chris Navarrete & Doel Santos

Mac&Cheese: cooking up the Digit Stealer recipe

VB2026 presentation: Mac&Cheese: cooking up the Digit Stealer recipe, Kseniia Yamburh & Joan Garcia

How real-world malware disables EDR systems

VB2026 presentation: How real-world malware disables EDR systems, Holger Unterbrink

Newsjacking the world: tracking three months of uncovered APT operations disguised as global headlines

VB2026 presentation: Newsjacking the world: tracking three months of uncovered APT operations disguised as global headlines, Darrel Virtusio & Subhajeet Singha

Polling is the vulnerability: a case for event-driven cloud detection

VB2026 paper: Polling is the vulnerability: a case for event-driven cloud detection, Santiago Abastante

The edge is the enemy: hunting Chinese router relay networks

VB2025 presentation: The edge is the enemy: hunting Chinese router relay networks, Ryan Sherstobitoff

Unravelling Lumma Stealer’s protection stack: pushing static deobfuscation to its practical limit

VB2026 presentation: Unraveling Lumma Stealer’s protection stack: pushing static deobfuscation to its practical limit, Yuki Umemura

AI in malware: evolution and predicting the future of AI-driven attacks

VB2026 presentation: AI in malware: evolution and predicting the future of AI-driven attacks, Eli Smadja

The cyber saga: deconstructing the DPRK’s global synthetic IT workforce ecosystem

VB2026 presentation: The cyber saga: deconstructing the DPRK’s global synthetic IT workforce ecosystem, Anastasia Tikhonova

Tracing the bloodline of LLM-driven polymorphic malware: do GHOSTs leave footprints?

VB2026 presentation: Tracing the bloodline of LLM-driven polymorphic malware: do GHOSTs leave footprints? Chanbin Jeon, SeungBeom Lim & SuhMahn Hur

How LOLRMM, LOLDrivers and CertGraveyard map the attacker's favourite kill chain

VB2026 presentation: How LOLRMM, LOLDrivers and CertGraveyard map the attacker's favourite kill chain, Jose Enrique Hernandez & Nasreddine Bencherchali

Agent detection and response: safety on a token budget

VB2026 presentation: Agent detection and response: safety on a token budget, Václav Belák, Jakub Křoustek & Tomáš Ďuriš

Malwaremorphosis - breaking down a global multi-layer malvertising operation

VB2026 presentation: Malwaremorphosis - breaking down a global multi-layer malvertising operation, Ionuț Baltariu

I will find you and I will flag you: hunting malicious packages at scale

VB2026 presentation: I will find you and I will flag you: hunting malicious packages at scale, Christophe Tafani-Dereeper

Otter encyclopaedia: deep analysis of Otter family

VB2026 presentation: Otter encyclopaedia: deep analysis of Otter family, Rintaro Koike, Yuta Sawabe & Masaya Motoda

Break the silence: tracking Silent Lynx through exposed infrastructure

VB2026 presentation: Break the silence: tracking Silent Lynx through exposed infrastructure, Julian Ferdinand Vögele & Chi-en (Ashley) Shen

Operation FalseProof: PoC that bites back

VB2026 presentation: Operation FalseProof: PoC that bites back, Jiho Kim & Minyeop Choi

Transparency wars: exposing hidden biases in testing

VB2026 presentation: Transparency wars: exposing hidden biases in testing, Righard Zwienenberg & Luis Corrons

Snap, trigger, steal: SnappyClient and the art of trigger-based intrusions

VB2026 presentation: Snap, trigger, steal: SnappyClient and the art of trigger-based intrusions, Muhammed Irfan V A, Avinash Kumar & Nirmal Singh

Reverse engineering a multi-stage implant targeted Vietnamese organizations

VB2026 presentation: Reverse engineering a multi-stage implant targeted Vietnamese organizations, Minh Anh Luong

When malware talks back: real-time interaction with a threat actor during the analysis of Kiss Loader

VB2026 presentation: When malware talks back: real-time interaction with a threat actor during the analysis of Kiss Loader, Marvin Castillo & Arvin Jay Bandong

Free games, costly consequences: unravelling PiviGames’ hidden treasure malware

VB2026 presentation: Free games, costly consequences: unravelling PiviGames’ hidden treasure malware, John Rey Dador

Khmer Shadow: uncovering a targeted cyber espionage campaign against Cambodian military intelligence

VB2026 presentation: Khmer Shadow: uncovering a targeted cyber espionage campaign against Cambodian military intelligence, Subhajeet Singha

Practical ransomware detection on macOS (via math, not AI)

VB2026 presentation: Practical ransomware detection on macOS (via math, not AI), Patrick Wardle

From exclusive to widespread: the shifting exploitation dynamics of (zero-day) vulnerabilities before and after their (public) disclosure

VB2026 presentation: From exclusive to widespread: the shifting exploitation dynamics of (zero-day) vulnerabilities before and after their (public) disclosure, Kerstin Zettl-Schabath & Kritika Roy

The other side of the front: hunting Paper Werewolf's operations against Russia

VB2026 presentation: The other side of the front: hunting Paper Werewolf's operations against Russia, Nicole Fishbein

Meet ARES - an agentic reverse engineer that decrypts sophisticated ransomware encrypted files

VB2026 presentation: Meet ARES - an agentic reverse engineer that decrypts sophisticated ransomware encrypted files, Raviv Rachmiel

Disrupting the threat actor mythos: data-based insights into targeting, tooling, and the limits of AI in cybercrime

VB2026 presentation: Disrupting the threat actor mythos: data-based insights into targeting, tooling, and the limits of AI in cybercrime, Selena Larson & Daniel Blackford

Deadline as bait: a comparative analysis of tax-themed smishing campaigns targeting Spain and Portugal

VB2026 presentation: Deadline as bait: a comparative analysis of tax-themed smishing campaigns targeting Spain and Portugal, Natasha Márquez & Ghyorka Kpee

When wipers leave backups: an analysis of ArgonWiper’s encryption workflow

VB2026 presentation: When wipers leave backups: an analysis of ArgonWiper’s encryption workflow, Hyuna Lee & Hyoje Jo

Notoriously reluctant: continuing conversations with FBI and private sector defenders about disrupting cybercriminals through collaboration

VB2026 presentation: Notoriously reluctant: continuing conversations with FBI and private sector defenders about disrupting cybercriminals through collaboration, Sara Eberle & DeLynn Bettencourt Hammell

From dead malware to living adversaries: AI-powered digital twins for adaptive APT modelling

VB2026 presentation: From dead malware to living adversaries: AI-powered digital twins for adaptive APT modelling, Alexander Adamov & Anders Carlsson

The silent threat in your enterprise: SAP security

VB2026 presentation: The silent threat in your enterprise: SAP security, Anita Cwynar

BEAST: binary emulation and analysis simulation technology for advanced malware analysis and anti-forensic countermeasures

VB2026 presentation: BEAST: binary emulation and analysis simulation technology for advanced malware analysis and anti-forensic countermeasures, Bramwell Brizendine, Alexander Wood, Jared Sheldon & William Lochte

Spec-driven malware: turning markdown into threats

VB2026 presentation: Spec-driven malware: turning markdown into threats, Sven Rath

The invisible candidate: tracking the evolution of 'Un-tracked' GRITCASPIAN

VB2026 presentation: The invisible candidate: tracking the evolution of 'Un-tracked' GRITCASPIAN, Asli Koksal

DPRK-aligned threat operations: tradecraft, tooling, and detection patterns

VB2026 presentation: DPRK-aligned threat operations: tradecraft, tooling, and detection patterns, Wonkyeom Kim

Workshop: Collaborative attack modelling across CTI, Red Team, and SOC (MITRE)

VB2026 workshop: Collaborative attack modelling across CTI, Red Team, and SOC (MITRE)

TIPS: The next chapter

VB2026 TIPS presentation: The next chapter, Jiri Sejtko

TIPS: Collaboration in action: turning shared threat intelligence into coordinated defence

VB2026 TIPS presentation: Collaboration in action: turning shared threat intelligence into coordinated defence, Tuna Dabak

TIPS: From signal to shield: rapid collaboration to defend critical infrastructure during crisis

VB2026 TIPS presentation: From signal to shield: rapid collaboration to defend critical infrastructure during crisis, Madeline Sedgwick

TIPS: Harmonizing AI agents and human analysts in CTI - are CTI agents friends or rivals to junior analysts?

VB2026 TIPS presentation: Harmonizing AI agents and human analysts in CTI - are CTI agents friends or rivals to junior analysts? Takahiro Kakumaru

TIPS: Stairway to resilience: cybersecurity in good times, bad times, and everything between

VB2026 TIPS presentation: Stairway to resilience: cybersecurity in good times, bad times, and everything between Selena Larson, Jeannette Jarvis, Kathi Whitbey, Jeanette Miller Osborne

TIPS: Defending (against) the human layer: IoB in the real world

VB2026 TIPS presentation: Defending (against) the human layer: IoB in the real world Righard Zwienenberg, Kathi Whitbey, Samir Mody & Mienke

TIPS: STIX in action: proposed industry collaboration on sharing DigSig metadata

VB2026 TIPS presentation: STIX in action: proposed industry collaboration on sharing DigSig metadata, Samir Mody

TIPS: Ghosts in the chat: tracking GhostPairing from trusted message to linked-device takeover 

VB2026 TIPS presentation: Ghosts in the chat: tracking GhostPairing from trusted message to linked-device takeover, Michal Salat

TIPS: The art of fighting back

VB2026 TIPS presentation: The art of fighting back, Gabor Szappanos

TIPS: Wartime intelligence collection and collaboration

VB2026 TIPS presentation: Wartime intelligence collection and collaboration, Sergey Shykevich

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.