Kiss Loader Malware Uses Early Bird APC Injection in New Attack Campaign
Key Takeaways
- A new malware loader, dubbed Kiss Loader, has been discovered targeting Windows systems with sophisticated code injection.
- The malware utilizes a rare “Early Bird” Asynchronous Procedure Call (APC) injection technique to evade detection by security software.
- Initial infection occurs via a malicious Windows Internet Shortcut file disguised as a PDF, leading to the deployment of VenomRAT and Kryptik payloads.
- Researchers from G DATA observed the malware campaign actively under development, even interacting directly with the threat actor.
A sophisticated new malware loader, identified as Kiss Loader, has been found leveraging advanced code injection methods to compromise Windows systems. This stealthy threat is designed to bypass conventional security defenses, allowing for covert infiltration and persistent presence.
Researchers first detected Kiss Loader in early March 2026, noting that the attack campaign was still in its development stages at the time of discovery. The ongoing nature of its creation suggests an evolving and adaptive threat.
Kiss Loader propagates primarily through a deceptive Windows Internet Shortcut file, cunningly named DKM_DE000922.pdf.url, which masquerades as a legitimate PDF document. When an unsuspecting user clicks this shortcut, their system establishes a silent connection to a remote server. This server is hosted via a TryCloudflare tunnel, a legitimate service that attackers exploit to establish temporary internet connections without the need for a registered domain. This tactic allows the threat actor to frequently update or swap malicious files, complicating tracking and blocking efforts for defenders.
Analysts at G DATA uncovered Kiss Loader during a routine investigation, quickly realizing they had stumbled upon a previously unseen malware. Its novelty indicated a custom-built tool tailored for this specific campaign. A critical observation made by the analysts was the attacker’s WebDAV file hosting directory, which was left entirely open without any access restrictions. This oversight provided a clear indication that the threat actor was actively engaged in developing the loader when researchers first encountered it.
Upon successful infiltration of a target system, Kiss Loader initiates a multi-stage infection process. A batch script ensures persistence by placing a file in the Windows Startup folder, guaranteeing the malware executes with every system reboot. Simultaneously, a decoy PDF document is displayed to the victim, maintaining the illusion of a harmless file interaction. In the background, additional malicious components are downloaded. The arriving archive contains a Python-based loader that uses keys from JSON configuration files to decrypt its payloads, keeping the malicious code obscured until the final execution phase. During analysis, two primary payloads were recovered: VenomRAT, a remote access tool similar to AsyncRAT, and Kryptik, a file protected by .NET Reactor.
In a rare turn of events, a G DATA researcher engaged in a direct exchange with the threat actor. While analyzing the malware in a controlled environment, the researcher left a Notepad message querying the author of the malware. Approximately an hour later, the threat actor responded, confirming their active presence on the compromised machine and explicitly acknowledging that the “Early Bird” APC injection technique was a deliberate design choice within the loader.
Early Bird APC Injection: How Kiss Loader Evades Detection
The cornerstone of Kiss Loader’s evasion capabilities lies in its use of “Early Bird” APC injection. This technique allows the malware to deliver its malicious payload within a trusted Windows process, specifically targeting explorer.exe. By injecting into a legitimate system process, the loader effectively blends its activity with normal system operations, significantly reducing the likelihood of triggering security alerts.
The injection process begins with Kiss Loader launching explorer.exe in a suspended state. This means the process is initialized but paused before it can execute any of its standard functions. The loader then allocates a section of memory within this suspended process and writes its decrypted shellcode into it. Crucially, instead of creating a new thread—a common technique that security tools are designed to monitor—Kiss Loader queues an Asynchronous Procedure Call (APC) to the primary thread of the suspended explorer.exe process.
When the suspended explorer.exe process is resumed, the APC is executed first, running the malicious shellcode before the legitimate Explorer operations commence. This entire sequence unfolds within the trusted context of explorer.exe, making it exceptionally difficult for traditional security solutions to detect the anomalous activity.
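The sequence just described is what endpoint telemetry has to be correlated on: a child spawned with CREATE_SUSPENDED that receives a remote allocation, a memory write and a queued APC before its first ResumeThread. The following Python detector is an added example, not code from the original report or from G DATA; the pipe-delimited API telemetry format, the PIDs and the sample events are constructed for the example and do not reflect any real EDR's log format.

```python
"""Flag the Early Bird APC chain in constructed API telemetry (added example)."""

CREATE_SUSPENDED = 0x00000004  # CreateProcess creation flag

# Stages that must follow, in order, against the same still-suspended child.
CHAIN = ["VirtualAllocEx", "WriteProcessMemory", "QueueUserAPC", "ResumeThread"]

def parse_event(line):
    """Parse one constructed line: ts|src_pid|api|target_pid|k=v;k=v."""
    ts, src, api, tgt, raw = line.strip().split("|", 4)
    detail = dict(kv.split("=", 1) for kv in raw.split(";") if kv)
    return {"ts": int(ts), "src": int(src), "api": api, "tgt": int(tgt), **detail}

def detect_early_bird(lines):
    """Return (src_pid, target_pid, image) for every completed chain."""
    suspended = {}   # target pid -> image, for children created suspended
    progress = {}    # (src, tgt) -> index of the next expected stage
    alerts = []
    for ev in map(parse_event, lines):
        key = (ev["src"], ev["tgt"])
        if ev["api"] == "CreateProcess":
            if int(ev.get("flags", "0"), 16) & CREATE_SUSPENDED:
                suspended[ev["tgt"]] = ev.get("image", "?")
            continue
        if ev["tgt"] not in suspended:
            continue  # writes/APCs to an already-running process: out of scope here
        idx = progress.get(key, 0)
        if ev["api"] == CHAIN[idx]:
            idx += 1
        elif ev["api"] == "ResumeThread":
            # Resumed without the injection steps (debugger, installer): drop it.
            suspended.pop(ev["tgt"], None)
            progress.pop(key, None)
            continue
        if idx == len(CHAIN):
            alerts.append((ev["src"], ev["tgt"], suspended.pop(ev["tgt"])))
            progress.pop(key, None)
        else:
            progress[key] = idx
    return alerts

# Constructed sample: one loader chain against explorer.exe, then a benign
# suspended launch that is resumed untouched and later gets an ordinary APC.
SAMPLE = """\
1|4101|CreateProcess|5200|image=explorer.exe;flags=0x4
2|4101|VirtualAllocEx|5200|prot=PAGE_EXECUTE_READWRITE;size=0x3000
3|4101|WriteProcessMemory|5200|size=0x2a10
4|4101|QueueUserAPC|5200|thread=main
5|4101|ResumeThread|5200|thread=main
6|700|CreateProcess|5300|image=setup.exe;flags=0x4
7|700|ResumeThread|5300|thread=main
8|900|QueueUserAPC|5300|thread=main""".splitlines()

if __name__ == "__main__":
    print(detect_early_bird(SAMPLE))
```

Only the first chain is reported; the second process is resumed before any APC is queued, so the later QueueUserAPC to it is ordinary post-start activity and is ignored.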
The shellcode itself is crafted using Donut, an open-source tool that converts .NET assemblies into memory-only shellcode. This approach prevents any malicious files from being written to disk, further diminishing the effectiveness of signature-based antivirus detection. The loader also generates comprehensive runtime output logs detailing each step of the injection process, which inadvertently provided researchers with additional evidence that the malware was still undergoing testing at the time of its discovery.
What You Should Do
- Exercise Caution with .url Files: Never open .url files from untrusted or unexpected sources, as this is Kiss Loader’s primary infection vector.
- Enhance EDR Monitoring: Configure Endpoint Detection and Response (EDR) solutions to specifically detect APC-based injection attempts targeting critical processes like explorer.exe.
- Monitor Network Traffic: Implement robust monitoring for outbound connections to TryCloudflare domains, as these are exploited by attackers to host and deliver malicious payloads.
- Secure WebDAV Directories: Ensure all WebDAV directories and similar file-sharing services are protected with strong authentication and access restrictions to prevent unauthorized payload hosting.
- Keep Systems Updated: Regularly update Windows operating systems and all installed software to patch vulnerabilities that could be exploited by advanced injection techniques.
IoCs: