As announced in a recent blog post, VMRay Platform has received a major upgrade to the dynamic analysis engine in our 2025.2 release. This increases visibility and detection for code injection techniques like DLL Hollowing. With this adjustment, our Platform provides granular monitoring and insights into processes, injections, and memory regions when they are abused by malware.
In this blog post we will have a closer look at this feature, using HijackLoader as an example, as it heavily abuses DLL Hollowing. HijackLoader, also referred to as , is a modular and evasive loader, often used to drop and execute  or remote access trojans (RAT) on the victim's device (for example Lumma, Rhadamanthys, SectopRAT, AsyncRAT, Amadey, QuasarRAT, Tofsee, Remcos). HijackLoader was targeted by law enforcement during , but still seems to be active to this day.
Background: What is DLL Hollowing?
DLL Hollowing, often also called Module Stomping or Module Overloading, describes a technique where malware loads a legitimate module and overwrites its content with malicious code. This can be applied to both the current process and external processes. It allows malicious code to hide in a seemingly legitimate module. In Figure 1 we can see how a malicious executable a.exe would load a legitimate library module.dll, then overwrite its content with malicious code. The term Module Stomping is often used when shellcode is injected into the module's memory space, whereas the term Module Overloading is often used when PE executables are injected.
Figure 1: DLL Hollowing
Looking at the dynamic analysis report, we observe a complex execution chain with different malware families being dropped, specifically AsyncRAT, DCRat and Remcos.
As shown in Figure 2, HijackLoader loads several legitimate modules, followed by overwriting its entrypoint, which triggers the DLL Hollowing.
The VMRay Platform has had support for a variety of process injection techniques before, but with the 2025.2 update some gaps have been closed where injection into system libraries was previously missed.
In Figure 3 we gain some insights from the function log, where we can see how the process loads the system library pla.dll, changes the memory protection to read, write and execute (PAGE_EXECUTE_READWRITE, 0x40) and afterwards back to read and execute (PAGE_EXECUTE_READ, 0x20). This allows the malware to overwrite the .text section of the module, which is usually not writeable. Between these two function calls HijackLoader uses loops to write the prepared shellcode to the entrypoint of the module. While the module is loaded at address 0x70210000, it can be seen that the memory protection is changed at address 0x70211000, which appears to be the .text section of the module in memory.
Figure 3: VMRay Platform function log excerpt showing the API calls for DLL Hollowing
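The protection flip described above (a loaded module's mapped range set to 0x40, written to, then restored to 0x20) is something an analyst can check mechanically in a function log. The following is an added example, not VMRay's code, and uses a constructed, hypothetical log line format rather than the real Platform log layout; the addresses and sizes mirror the pla.dll case in the post.

```python
import re
from dataclasses import dataclass

PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40

# Constructed sample lines in a hypothetical function-log format (the real
# VMRay Platform log layout is not reproduced here); values mirror the post.
SAMPLE_LOG = """\
LoadLibraryW(lpLibFileName="C:\\Windows\\System32\\pla.dll") returned 0x70210000 (size=0x22000)
VirtualProtect(lpAddress=0x70211000, dwSize=0x1000, flNewProtect=0x40) returned 1
VirtualProtect(lpAddress=0x70211000, dwSize=0x1000, flNewProtect=0x20) returned 1
VirtualAlloc(lpAddress=0x0, dwSize=0x10000, flProtect=0x40) returned 0x005a0000
"""

LOAD_RE = re.compile(r'LoadLibrary\w*\(lpLibFileName="([^"]+)"\) returned (0x[0-9a-fA-F]+) \(size=(0x[0-9a-fA-F]+)\)')
PROT_RE = re.compile(r'VirtualProtect\(lpAddress=(0x[0-9a-fA-F]+), dwSize=(0x[0-9a-fA-F]+), flNewProtect=(0x[0-9a-fA-F]+)\)')

@dataclass
class Module:
    path: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size

def find_dll_hollowing(log: str) -> list[dict]:
    """Flag a loaded module whose mapped range is made writable+executable
    (0x40) and later restored to executable-only (0x20): the protection flip
    around an in-place overwrite. Returns one finding per module."""
    modules: list[Module] = []
    pending: dict[str, tuple[int, int]] = {}  # module path -> (addr, size) set to RWX
    findings = []
    for line in log.splitlines():
        if m := LOAD_RE.match(line):
            modules.append(Module(m.group(1), int(m.group(2), 16), int(m.group(3), 16)))
            continue
        if not (m := PROT_RE.match(line)):
            continue  # e.g. VirtualAlloc on private memory: not a module overwrite
        addr, size, prot = (int(g, 16) for g in m.groups())
        mod = next((x for x in modules if x.contains(addr)), None)
        if mod is None:
            continue  # protection change outside any loaded module's image
        if prot == PAGE_EXECUTE_READWRITE:
            pending[mod.path] = (addr, size)
        elif prot == PAGE_EXECUTE_READ and mod.path in pending:
            rwx_addr, rwx_size = pending.pop(mod.path)
            findings.append({"module": mod.path, "base": mod.base, "address": rwx_addr,
                             "size": rwx_size, "offset": rwx_addr - mod.base})
    return findings

if __name__ == "__main__":
    print(find_dll_hollowing(SAMPLE_LOG))
```

On the sample log this reports a single finding for pla.dll at offset 0x1000 from the image base, the region the post identifies as the module's .text section; the VirtualAlloc line is ignored because it is not inside a loaded module.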
Detecting code injection into legitimate system libraries not only allows us to monitor the malware execution and control flow, but also enables us to create memory dumps and scan them using our YARA signatures. In Figure 4 we can see that for our example the memory region associated with pla.dll has changed, which triggered the memory to be dumped. YARA scans of these dumps with our Platform-integrated ruleset provide signature matches and identify HijackLoader code.
Figure 4: Memory dumps with their associated YARA matches created by VMRay Platform
Conclusion
Code injection is not a new technique used by malware, but it comes in many different shapes. Monitoring program execution and control flow across processes and memory regions in a sandbox is challenging and requires constant adaptation. The 2025.2 VMRay Platform update, focused on increased visibility and detection of code injection techniques, is therefore a big step towards maintaining high quality analysis results for current and future threats.