What if one of the biggest security threats to your network was built in the 1990s?
In 2025, many of the most dangerous cyberattacks don’t use new viruses. A recent report found that a high percentage of stealthy attacks on US companies abuse old, trusted parts of the Windows operating system.
One of the most powerful of these “living-off-the-land” techniques is COM Hijacking.
This guide breaks down what COM hijacking is, how it works, and why it’s still a major threat. We’ll show you what your security team needs to know to defend against this classic, yet highly effective, attack.
Table of Contents
Defining COM Hijacking:
A sophisticated attack called COM hijacking is a favorite tool for hackers. They use it to stay hidden on a compromised computer and gain more control. Let’s break down what it is and why it’s still a major threat in 2025.
What is COM Hijacking?
Think of your computer’s operating system like a city with a lot of street signs that tell programs where to go. COM hijacking is like an attacker changing one of those signs. When a normal program tries to follow the sign to do its job, it’s secretly redirected to run the attacker’s malicious code instead.
Attackers use this technique for two main reasons:
- Persistence: This is how an attacker stays on a system, even if the computer is restarted. It gives them a permanent backdoor so they can come and go as they please.
- Privilege Escalation: This means getting more power on the system. An attacker might get in with low-level user access, but COM hijacking can help them get full administrator rights.
A huge advantage of this attack is its ability to bypass the User Account Control (UAC) prompt. That’s the pop-up window that asks for your permission before a program can make changes. With COM hijacking, an attacker can get admin rights without ever triggering that alert, making the attack very difficult for a normal user to notice.
Why COM Hijacking is Still a Major Threat
Even with all the new technology in 2025, this classic technique remains very effective. Malware like the Darkme RAT and other Remote Access Trojans (RATs) still use COM hijacking to stay hidden on infected systems.
The modern threat landscape makes this attack even more dangerous.
- AI-Powered Attacks: Hackers are now using Artificial Intelligence (AI), like deepfake technology, to make their initial attacks more convincing. This helps them get the first foothold on a system. AI also makes attacks faster, with some attackers stealing data within the first hour of a breach.
- Attacking the Defenders: Ransomware groups have started attacking security software directly. They’ve found ways to abuse a feature called Windows Defender Application Control (WDAC) to shut down antivirus and Endpoint Detection and Response (EDR) products. When the security software is turned off, it’s much easier for other techniques, like COM hijacking, to work without being detected.
The impact of these advanced threats is huge. The global average cost of a single data breach reached a record $4.88 million in 2024.
The continued success of COM hijacking shows a basic challenge in cybersecurity. Attackers can exploit old, often overlooked features of an operating system, while defenders have to try to protect everything.
2. Understanding Component Object Model (COM) Fundamentals and Vulnerabilities
To defend against COM hijacking, you first need to understand how it works. This attack takes advantage of a core part of the Windows operating system called the Component Object Model (COM). Let’s break down the basics and see how attackers exploit it.
The Basics of COM: Objects and CLSIDs
The Component Object Model (COM) is a system that lets different pieces of software communicate with each other. Think of it as a set of standard rules for how software components can talk and work together.
Every COM component has a unique ID number, like a social security number for a piece of code. This is called a Class ID (CLSID).
When a program needs to use a COM component, it looks up the CLSID in the Windows Registry. The registry is like a giant address book for your computer. It tells Windows where to find the right file (usually a DLL or EXE) that contains the code for that COM component.
The Key Vulnerability
Here’s where the problem lies. When Windows looks for a CLSID in the registry, it checks the current user’s section (HKEY_CURRENT_USER) before it checks the main system’s section (HKEY_LOCAL_MACHINE).
A standard user can’t make changes to the main system’s registry, but they can change their own user section. An attacker can use this to their advantage. They can create a fake entry for a legitimate CLSID in the user’s registry that points to their own malicious code. When a normal program tries to use that component, Windows finds the attacker’s fake entry first and runs the malware instead of the real program.
Common Hijacking Techniques and Targets
Attackers use a few key techniques to hijack COM objects. They mainly change specific “keys” in the registry to redirect programs to their malware. The most common keys they target are InProcServer32 and TreatAs.
This method is used by many different types of malware:
- Trojans like Berbew and Padodor.
- Remote Access Trojans (RATs) like Darkme RAT, which use this technique to load their final payload.
- Adware like Citrio, which uses it to stay on a system, often hiding its malicious files as fake “updates.”
- Advanced hacker groups like APT28, who use it to maintain long-term access to a network.
To avoid being detected, attackers often hide their malicious files in legitimate-looking Windows folders, like C:\Windows\SysWow64.
Gaining Power and Staying Hidden
COM hijacking helps attackers achieve their two main goals: getting more power and staying on a system permanently.
Privilege Escalation (Getting More Power)
One of the biggest advantages of this attack is that it can bypass the User Account Control (UAC) prompt. By hijacking a trusted program that already has administrator rights, the attacker’s malware can run with those same high-level permissions. This happens without the user ever seeing a warning pop-up, making the attack very stealthy.
Persistence (Staying Hidden)
By targeting a COM object that runs automatically every time the computer starts or a user logs in, an attacker can make sure their malware runs every time, too. This gives them a permanent backdoor into the system that survives reboots and can be hard for antivirus software to find.
There are also advanced techniques that use COM to move between computers on a network without ever dropping a file on the target machine. This “fileless” method is extremely stealthy and shows how attackers can use the built-in features of Windows against itself.
3. Detection and Forensic Analysis of COM Hijacking
Detecting and analyzing a stealthy attack like COM hijacking is a tough job. It requires a mix of active monitoring, deep forensic analysis, and staying up-to-date on the latest hacker tactics.
Proactive Monitoring and Checking Logs
The best way to catch COM hijacking is to watch for unusual changes on your systems, especially in the Windows Registry and in your event logs.
- Watch the Registry: Changes to key parts of the Windows Registry are rare during normal operations, so any modification is highly suspicious. The main areas to watch are the CLSID folders inside HKEY_CURRENT_USER\Software\Classes\ and HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.
- Check Event Logs: Your system logs can provide critical clues. Specific event IDs can flag suspicious activity. For example, PowerShell Event ID 4104 can show you if someone used a script to modify a COM registry entry. Tools like Sysmon can also detect when a new, unknown program starts running or when a legitimate program loads a strange DLL file.
Tools like SIEM and XDR are very important for this. They collect security data from all over your network and put it in one place, making it easier for security teams to spot suspicious patterns and respond to threats quickly.
Finding Clues with Forensics and Memory Analysis
After an attack, security professionals use forensics to find evidence of what happened. This is especially important for COM hijacking, as the malware often hides by using legitimate system programs.
Key clues, or “forensic artifacts,” to look for include:
- Unusual DLL files being loaded from unexpected locations.
- Any changes to registry keys that point to new programs.
- Strange process activity, like rundll32.exe being used to load a COM object.
Memory forensics is also a critical part of the investigation. This involves analyzing the data in a computer’s RAM (its short-term memory). Some malware is “fileless,” meaning it runs only in memory and never saves a file to the hard drive. Memory forensics is the only way to find this kind of malware.
Tools like the Volatility Framework are used to dig through a “memory dump” (a snapshot of the RAM) to find hidden malicious programs, network connections, or code that has been injected into a legitimate process.
Using Threat Intelligence and Spotting Unusual Behavior
You can’t just rely on looking for known malware. You also have to look for suspicious behavior and understand what hackers are doing today.
Indicators of Compromise (IoCs) are clues that suggest a system has been hacked. Some common IoCs to watch for include:
- Strange network traffic leaving your network.
- A large number of failed login attempts.
- Unexpected software updates.
- Suspicious changes to the registry.
- Web traffic that doesn’t look like it was generated by a human.
It’s also crucial to stay current with the latest Tactics, Techniques, and Procedures (TTPs) used by hacker groups. In 2025, advanced groups are increasingly using social engineering and exploiting brand-new (“zero-day”) vulnerabilities. Ransomware attacks are also shifting from just encrypting data to stealing it for extortion. Knowing what to look for is a key part of a strong defense.
4. Mitigation and Prevention Strategies
Stopping a stealthy attack like COM hijacking requires a defense that has multiple layers. There is no single magic bullet, but combining strong system security, safe development practices, and smart threat monitoring can greatly reduce your risk.
Harden Your Systems and Manage Configurations
The first and most important step is to make your computer systems tougher to break into. This is called system hardening. The main goal is to stop unauthorized changes to critical parts of the system, especially the Windows Registry.
Here are some key strategies:
- Restrict Registry Permissions: You can lock down important parts of the Windows Registry so that only administrators can make changes. This helps prevent attackers from modifying system settings.
- Use Group Policy (GPO): In a business environment, you can use Group Policy to enforce security rules across all computers on your network. You can use it to block user access to system tools like the Command Prompt or prevent them from installing unauthorized software.
- Use Windows Defender Application Control (WDAC): This is a powerful Windows security feature that creates a list of trusted, approved applications. If an app isn’t on the list, it won’t run. WDAC is a great way to stop malware and can also prevent other attacks like DLL hijacking. It’s much stronger than older tools like AppLocker because not even an administrator can easily tamper with it.
- Enable Advanced Security Features: Features like Secure Boot and Hypervisor-Protected Code Integrity (HVCI) work with WDAC to make your system even more secure.
- Patch Regularly: This is one of the most important rules in cybersecurity. Always keep your software and operating systems up to date with the latest security patches.
Use Secure Development and Application Control
Security isn’t just about locking down the operating system. It’s also about building secure software and controlling which applications are allowed to run on your network.
- Practice Secure Coding: Developers should write code in a way that avoids common security vulnerabilities from the start.
- Use Application Control: As mentioned above, tools like WDAC are very effective at this. They ensure that only approved and trusted applications can be executed.
- Use Multi-Factor Authentication (MFA): MFA is a critical defense against stolen passwords. Even if an attacker has a user’s password, they can’t log in without the second factor. The strongest forms of MFA are phishing-resistant, like FIDO2 security keys.
- Protect Identities: Use tools that can automatically spot and respond to risky user sign-ins or strange behavior on an account.
- Deploy SIEM and XDR: These tools act like a central command center for your security. They gather security data from all over your network—from individual computers to the cloud—to give you a single, unified view of all potential threats.
Use Threat Intelligence and Plan Your Response
A good defense is a proactive one. This means you need to know what threats are out there and have a clear plan for what to do when something goes wrong.
- Monitor for Strange Activity: Continuously watch for unusual changes to the registry or suspicious commands being run.
- Look for Indicators of Compromise (IoCs): IoCs are clues that you may have been hacked. They can include things like strange network traffic leaving your company, a sudden spike in failed login attempts, or web traffic that doesn’t look like it was created by a human.
- Train Your Teams: Your cybersecurity staff and your developers need to be constantly learning about new threats. All of your employees should be trained to spot common attacks like phishing emails.
- Have an Incident Response Plan: Every organization needs a step-by-step plan for what to do during a security breach. This plan should cover everything from how to detect an attack to how to recover from it.
6. Conclusion
A layered defense is the best way to counter Component Object Model (COM) hijacking. This attack method is effective because it blends into normal Windows operations, making it difficult to spot. You can reduce your exposure. Proper system configurations and application controls limit an attacker’s options. Monitoring registry changes and process activity helps you find threats before they cause significant damage. Addressing this specific vulnerability strengthens your entire security framework.
Let us help you build a stronger defense. Schedule a security consultation with our experts today.