As announced in a recent blog post, the VMRay Platform received a major upgrade to its dynamic analysis engine in our 2025.2 release. This upgrade improves visibility and detection for code injection techniques like DLL Hollowing. With this adjustment, our Platform provides granular monitoring of and insight into processes, injections, and memory regions when they are abused by malware.
In this blog post we will have a closer look at this feature, using HijackLoader as an example, as it heavily abuses DLL Hollowing. HijackLoader, also referred to as , is a modular and evasive loader that is often used to drop and execute or remote access trojans (RATs) on the victim’s device (for example Lumma, Rhadamanthys, SectopRAT, AsyncRAT, Amadey, QuasarRAT, Tofsee, Remcos). HijackLoader was targeted by law enforcement during , but still seems to be active to this day.
Background: What is DLL Hollowing?
DLL Hollowing, often also called Module Stomping or Module Overloading, describes a technique where malware loads a legitimate module and overwrites its content with malicious code. This can be applied to both the current process and external processes. It allows malicious code to hide in a seemingly legitimate module. In Figure 1 we can see how a malicious executable a.exe would load a legitimate library module.dll, then overwrite its content with malicious code. The term Module Stomping is often used when shellcode is injected into the module’s memory space, whereas the term Module Overloading is often used when PE executables are injected.
Figure 1: DLL Hollowing
Looking at the dynamic analysis report, we observe a complex execution chain in which different malware families are dropped, specifically AsyncRAT, DCRat and Remcos.
As shown in Figure 2, HijackLoader loads several legitimate system libraries and then overwrites their entry points, which triggers the DLL Hollowing
The VMRay Platform has supported a variety of process injection techniques before, but with the 2025.2 update some gaps have been closed where injection into system libraries was previously missed.
In Figure 3 we gain some insights from the function log, where we can see how the process loads the system library pla.dll, changes the memory protection to read, write and execute (PAGE_EXECUTE_READWRITE, 0x40) and afterwards back to read and execute (PAGE_EXECUTE_READ, 0x20). This allows the malware to overwrite the .text section of the module, which is usually not writeable. Between these two function calls HijackLoader uses loops to write the prepared shellcode to the entry point of the module. While the module is loaded at address 0x70210000, it can be seen that the memory protection is changed at address 0x70211000, which appears to be the .text section of the module in memory.
Figure 3: VMRay Platform function log excerpt showing the API calls for DLL Hollowing
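To make the API pattern behind Figure 1 and Figure 3 concrete, the following Python script is an added example written for this post; it is not VMRay's code and does not use the Platform's real function-log format. It replays a constructed, simplified event log (module loads and VirtualProtect calls) and flags the DLL Hollowing sequence: a page inside a mapped module's image is flipped to a writable and executable protection and later restored to read/execute. The pla.dll base 0x70210000 and the protected page 0x70211000 are taken from the text above; the image size, the second module name and the unrelated heap region are assumptions.

```python
"""
Heuristic detector for the DLL Hollowing API pattern discussed above.
Added example: the log format is constructed and simplified (NOT VMRay's
function-log format); image sizes and "otherlib.dll" are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Windows memory protection constants (documented values)
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
WRITABLE_EXECUTABLE = {PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}
EXECUTABLE_NOT_WRITABLE = {PAGE_EXECUTE, PAGE_EXECUTE_READ}

# Constructed sample log. pla.dll base 0x70210000 and the protected page
# 0x70211000 follow the post; size=0x31000 and otherlib.dll are made up.
# The RWX flip at 0x00ae0000 lies outside any module and must not be reported.
SAMPLE_LOG = """\
module_load name=pla.dll base=0x70210000 size=0x31000
VirtualAlloc addr=0x00ae0000 size=0x10000 prot=0x04
VirtualProtect addr=0x00ae0000 size=0x1000 prot=0x40
VirtualProtect addr=0x70211000 size=0x1000 prot=0x40
VirtualProtect addr=0x70211000 size=0x1000 prot=0x20
module_load name=otherlib.dll base=0x6f400000 size=0x20000
VirtualProtect addr=0x6f401000 size=0x2000 prot=0x80
"""


@dataclass
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass
class Finding:
    module: str
    address: int
    rva: int        # offset from the module base; 0x1000 is usually the first (.text) section
    restored: bool  # protection later flipped back to execute-only: the full hollowing pattern


EVENT_RE = re.compile(r"^(?P<event>\w+)(?P<kv>(?:\s+\w+=\S+)*)\s*$")


def parse_line(line: str) -> Optional[tuple]:
    """Parse '<event> key=value ...' into (event, {key: value}); None if malformed."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    fields = dict(pair.split("=", 1) for pair in m.group("kv").split())
    return m.group("event"), fields


def detect_dll_hollowing(log: str) -> List[Finding]:
    """Return one Finding per writable+executable flip inside a mapped image."""
    modules: List[Module] = []
    pending: Dict[int, Finding] = {}  # RWX flips inside an image, awaiting the restore
    findings: List[Finding] = []
    for line in log.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        event, f = parsed
        if event == "module_load":
            modules.append(Module(f["name"], int(f["base"], 0), int(f["size"], 0)))
        elif event == "VirtualProtect":
            addr, prot = int(f["addr"], 0), int(f["prot"], 0)
            module = next((m for m in modules if m.contains(addr)), None)
            if module is None:
                continue  # heap/stack RWX is a different indicator, not hollowing
            if prot in WRITABLE_EXECUTABLE:
                finding = Finding(module.name, addr, addr - module.base, restored=False)
                pending[addr] = finding
                findings.append(finding)
            elif prot in EXECUTABLE_NOT_WRITABLE and addr in pending:
                # Image page made writable and then locked down again: the
                # overwrite happened in between, so this is the point where a
                # sandbox would dump the region for YARA scanning.
                pending.pop(addr).restored = True
    return findings


if __name__ == "__main__":
    for fnd in detect_dll_hollowing(SAMPLE_LOG):
        state = "hollowing pattern" if fnd.restored else "image page made writable+executable"
        print(f"{fnd.module}: {state} at 0x{fnd.address:08x} (RVA 0x{fnd.rva:x})")
```

The restore to PAGE_EXECUTE_READ is the cue the post points at, and the RVA reported alongside it explains the 0x70210000 / 0x70211000 observation: for images built with the default 0x1000 section alignment, the first section (normally .text) begins one page after the base. The RWX flip outside any module is ignored on purpose, since that is a different injection indicator and mixing it in would dilute the hollowing signal.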
Detecting injection into legitimate system libraries not only allows us to monitor the malware’s execution and control flow, but also enables us to create memory dumps and scan them using our YARA signatures. In Figure 4 we can see that, for our example, the memory region associated with pla.dll has changed, which triggered the memory to be dumped. YARA scans of these dumps with our Platform-integrated ruleset produce signature matches and identify HijackLoader code.
Figure 4: Memory dumps with their associated YARA matches created by VMRay Platform
Conclusion
Code injection is not a new technique used by malware, but it comes in many different shapes. Monitoring program execution and control flow across processes and memory regions in a sandbox is challenging and requires constant adaptation. The 2025.2 VMRay Platform update, focusing on increased visibility and detection of injection techniques, is therefore a big step towards maintaining high-quality analysis results for current and future threats.