www.darkreading.com 3/18/2026, 10:18:01 PM

C2 Implant 'SnappyClient' Targets Crypto Wallets

The C2 implant SnappyClient, a C++-based tool tracked by Zscaler ThreatLabz, first surfaced in December 2025 and targets cryptocurrency wallets. It supports a wide range of commands, including taking screenshots, logging keystrokes, opening a remote shell, and stealing data from applications, browsers, and browser extensions. Zscaler describes SnappyClient as a C2 framework with remote-access and data-theft capabilities whose primary use, judging from the observed code, is cryptocurrency theft.

The malware evades detection through techniques such as bypassing AMSI, running in 64-bit mode, making direct system calls, and injecting code into legitimate processes. Persistence is achieved via scheduled tasks or by modifying Windows registry autorun keys, and it connects to its C2 infrastructure using ChaCha20-Poly1305 to encrypt traffic.

In campaigns observed by Zscaler, SnappyClient was delivered via HijackLoader and via ClickFix social engineering, with impersonation of Telefonica and other distribution methods noted.


Article by CyberSIXT