Threats

Kiss Loader Malware Uses Early Bird APC Injection in New Attack Campaign

Emy Elsamnoudy
March 26, 2026

Key Takeaways

  • A new malware loader, dubbed Kiss Loader, has been discovered targeting Windows systems with sophisticated code injection.
  • The malware utilizes a rare “Early Bird” Asynchronous Procedure Call (APC) injection technique to evade detection by security software.
  • Initial infection occurs via a malicious Windows Internet Shortcut file disguised as a PDF, leading to the deployment of VenomRAT and Kryptik payloads.
  • Researchers from G DATA observed the malware campaign actively under development, even interacting directly with the threat actor.

A new malware loader, identified as Kiss Loader, has been found using Early Bird APC injection to run its payload inside explorer.exe on compromised Windows systems. The technique is chosen because it avoids the remote-thread creation that many security products monitor, letting the loader run its code under the cover of a trusted process and establish persistence.

Researchers first detected Kiss Loader in early March 2026 and noted that the campaign was still under development at the time of discovery. Because the loader was still being built, later samples may differ in detail from the ones described here.

Kiss Loader is delivered through a Windows Internet Shortcut file named DKM_DE000922.pdf.url. Explorer hides the .url part of a known extension by default, so the file appears to be a PDF. When a user opens the shortcut, Windows follows the embedded URL to a remote server without displaying any document. That server sits behind a TryCloudflare tunnel, a free Cloudflare service that exposes a local web server under a random *.trycloudflare.com subdomain with no registered domain required. Because the tunnel can be torn down and recreated at will, the threat actor can swap or update hosted files frequently, which complicates tracking and blocking for defenders.
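A small triage script for the lure format, added here as an example (it is not G DATA's tooling or anything recovered from the campaign): it parses the [InternetShortcut] section of a .url file, flags a document extension placed in front of .url, and flags targets hosted on *.trycloudflare.com or reached through the Windows WebDAV redirector. The sample shortcut contents, host names and addresses are constructed placeholders, not real indicators.

```python
"""Triage Windows Internet Shortcut (.url) files for the lure pattern
described above: a double extension that hides the .url suffix and a
target on a TryCloudflare tunnel or reached over WebDAV.

Added example, not code from G DATA or from the Kiss Loader campaign.
The sample shortcut contents below are constructed for illustration;
host names and addresses are placeholders, not indicators.
"""
import configparser
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Extensions typically used as the "visible" half of a double-extension lure.
DOCUMENT_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg")

# Free tunnelling services that publish a local web server under a throwaway
# hostname. TryCloudflare is the one used in this campaign.
TUNNEL_SUFFIXES = (".trycloudflare.com",)

# A UNC path with an @port or @SSL marker is handed to the WebDAV redirector
# (the WebClient service), e.g. \\host@80\DavWWWRoot\x.bat
WEBDAV_UNC_RE = re.compile(r"^\\\\[^\\]+@(?:SSL@)?\d*\\", re.IGNORECASE)


@dataclass
class UrlTriage:
    filename: str
    target: str
    findings: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def parse_url_file(text: str) -> str:
    """Return the URL= value of the [InternetShortcut] section.

    .url files are INI-formatted, so configparser reads them directly;
    other keys such as IconIndex=0 are ignored.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp.get("InternetShortcut", "URL", fallback="").strip()


def triage(filename: str, text: str) -> UrlTriage:
    """Inspect one shortcut (by name and content) and collect findings."""
    target = parse_url_file(text)
    result = UrlTriage(filename=filename, target=target)

    name = filename.lower()
    if name.endswith(".url"):
        stem = name[:-4]
        for ext in DOCUMENT_EXTENSIONS:
            if stem.endswith(ext):
                result.findings.append(f"double extension: looks like {ext} but is .url")
                break

    if not target:
        result.findings.append("no URL= value in [InternetShortcut]")
        return result

    if WEBDAV_UNC_RE.match(target):
        result.findings.append("UNC target with @port/@SSL marker: fetched via WebDAV redirector")
        return result

    parts = urlsplit(target)
    host = (parts.hostname or "").lower()
    if parts.scheme in ("http", "https") and host.endswith(TUNNEL_SUFFIXES):
        result.findings.append(f"target hosted on tunnel service: {host}")
    if parts.scheme == "file" and parts.netloc:
        # file:// with a host is a UNC access: SMB first, WebDAV if SMB is blocked.
        result.findings.append(f"file:// target on remote host {parts.netloc}")
    return result


# Constructed sample resembling the campaign's naming scheme; host is a placeholder.
SAMPLE_LURE = (
    "[InternetShortcut]\r\n"
    "URL=http://example-placeholder.trycloudflare.com/share/DKM_DE000922.pdf\r\n"
    "IconIndex=0\r\n"
)

# Constructed benign shortcut for comparison.
SAMPLE_BENIGN = "[InternetShortcut]\r\nURL=https://www.example.com/\r\n"

if __name__ == "__main__":
    for fname, content in (("DKM_DE000922.pdf.url", SAMPLE_LURE), ("report.url", SAMPLE_BENIGN)):
        r = triage(fname, content)
        print(fname, "->", r.target, "SUSPICIOUS" if r.suspicious else "ok", r.findings)
```

Run it over a quarantine folder by reading each .url file's bytes as text; the double-extension check works on the filename alone, so it also applies to names seen in mail-gateway or proxy logs where the file body is unavailable.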

Analysts at G DATA uncovered Kiss Loader during a routine investigation and determined that it was a previously unseen, custom-built loader written for this campaign. One notable observation was that the attacker's WebDAV hosting directory had been left open without any access restrictions. The exposed listing laid out the campaign's components and showed that the threat actor was still actively developing the loader when researchers first encountered it.

Once the shortcut has been opened, Kiss Loader runs a multi-stage infection chain. A batch script establishes persistence by dropping a file into the user's Startup folder, so the malware runs at every logon. At the same time a decoy PDF is displayed to the victim to keep up the appearance of a harmless document. In the background, further components are downloaded. The archive that arrives contains a Python-based loader that reads keys from JSON configuration files to decrypt its payloads, so the final code stays encrypted until the moment of execution. Two payloads were recovered during analysis: VenomRAT, a remote access tool closely related to AsyncRAT, and a second binary, detected under the generic Kryptik label, that had been protected with .NET Reactor.

Unusually, a G DATA researcher ended up in a direct exchange with the threat actor. While analyzing the malware in a controlled environment, the researcher left a message in Notepad asking the author about the loader. About an hour later the threat actor replied, confirming their live presence on the machine and explicitly acknowledging that the Early Bird APC injection was a deliberate design choice.

Early Bird APC Injection: How Kiss Loader Evades Detection

The cornerstone of Kiss Loader's evasion is Early Bird APC injection (tracked as MITRE ATT&CK T1055.004, Process Injection: Asynchronous Procedure Call). The loader delivers its payload into a trusted Windows process, here explorer.exe. Because the shellcode executes inside a legitimate process, its subsequent file and network activity is attributed to Explorer and is much less likely to trigger alerts than the same activity from an unknown binary.

The sequence begins with Kiss Loader launching a fresh explorer.exe with the CREATE_SUSPENDED flag: the process and its primary thread exist, but the thread has not executed a single instruction of Explorer's code. The loader then allocates memory inside the suspended process and writes its decrypted shellcode into it. Crucially, instead of creating a new thread in the target (CreateRemoteThread, the classic technique that security tools are tuned to catch), Kiss Loader queues a user-mode Asynchronous Procedure Call (APC) pointing at the shellcode to the primary thread of the suspended explorer.exe.

When the loader resumes the process, the primary thread delivers any pending user APCs as part of its initialization, before it ever reaches Explorer's entry point. The shellcode therefore runs first, and legitimate Explorer code only afterwards. No remote thread is created, and everything happens inside a process defenders expect to see, which is why this sequence is hard for traditional security solutions to flag.

The shellcode itself is generated with Donut, an open-source tool that wraps a .NET assembly (or other payload type) into position-independent shellcode that loads it entirely in memory. The decrypted payload therefore never exists as a file on disk, which sidelines signature-based antivirus scanning of files. The loader also prints verbose runtime logs for each step of the injection, another detail the researchers took as evidence that the malware was still being tested at the time of discovery.
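The sequence above is detectable as a chain rather than as any single API call: a process created suspended, remote memory written into it by its creator, and an APC queued to its primary thread before the first ResumeThread. The correlation logic below is an added example, not G DATA's detection or anything from the Kiss Loader code. The event types and field names (ProcessCreate, RemoteAlloc, RemoteWrite, QueueApc, ResumeThread) are an assumed, constructed schema standing in for EDR or ETW telemetry, and the PIDs and sizes are made up.

```python
"""Correlate process and memory telemetry into an Early Bird APC alert.

Added example, not G DATA's detection logic and not Kiss Loader code.
The event schema and the sample events are constructed to resemble what an
EDR sensor or ETW consumer would emit; real products name fields differently.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit passed to CreateProcess


@dataclass
class TargetState:
    """What we know about a process that might receive injected code."""
    image: str
    creator_pid: int
    created_suspended: bool
    resumed: bool = False
    remote_writers: set = field(default_factory=set)    # PIDs that wrote into us
    executable_allocs: set = field(default_factory=set)  # PIDs that made RWX/RX regions


def detect_apc_injection(events: Iterable[dict]) -> List[str]:
    """Walk events in time order and return one alert per injection chain.

    Early Bird = an APC queued by a process that (a) created the target
    suspended, (b) wrote memory into it remotely, and (c) has not yet resumed
    it. The same writer-then-APC chain after the first ResumeThread, or into a
    process that was never suspended, is reported as ordinary APC injection.
    """
    targets: Dict[int, TargetState] = {}
    alerts: List[str] = []
    for ev in events:
        kind = ev["type"]
        if kind == "ProcessCreate":
            targets[ev["pid"]] = TargetState(
                image=ev["image"],
                creator_pid=ev["parent_pid"],
                created_suspended=bool(ev.get("flags", 0) & CREATE_SUSPENDED),
            )
            continue
        src, tgt = ev["source_pid"], ev["target_pid"]
        st = targets.get(tgt)
        if st is None or src == tgt:
            continue  # process we never saw start, or a process touching itself
        if kind == "RemoteAlloc":
            if "EXECUTE" in ev.get("protection", ""):
                st.executable_allocs.add(src)
        elif kind == "RemoteWrite":
            st.remote_writers.add(src)
        elif kind == "QueueApc":
            if src not in st.remote_writers:
                continue  # APC without a prior remote write: not the pattern we track
            early_bird = st.created_suspended and not st.resumed and src == st.creator_pid
            label = "early-bird-apc" if early_bird else "apc-injection"
            region = "RWX region" if src in st.executable_allocs else "remote write"
            alerts.append(
                f"{label}: pid {src} -> {st.image} (pid {tgt}, tid {ev['target_tid']}); "
                f"payload delivered via {region}"
            )
        elif kind == "ResumeThread":
            st.resumed = True
    return alerts


# Constructed telemetry. A loader (pid 4242) starts explorer.exe suspended,
# writes shellcode into it, queues an APC to the main thread, then resumes it.
# A benign explorer start by userinit (pid 900) shows that normal activity
# produces no alert, and a third chain shows the non-Early-Bird variant.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "pid": 5100, "parent_pid": 900, "image": "explorer.exe", "flags": 0},
    {"type": "ProcessCreate", "pid": 6120, "parent_pid": 4242, "image": "explorer.exe",
     "flags": CREATE_SUSPENDED},
    {"type": "RemoteAlloc", "source_pid": 4242, "target_pid": 6120,
     "protection": "PAGE_EXECUTE_READWRITE", "size": 0x3000},
    {"type": "RemoteWrite", "source_pid": 4242, "target_pid": 6120, "size": 0x2E40},
    {"type": "QueueApc", "source_pid": 4242, "target_pid": 6120, "target_tid": 6124},
    {"type": "ResumeThread", "source_pid": 4242, "target_pid": 6120, "tid": 6124},
    # Same tools, but the APC lands in a process that is already running.
    {"type": "ProcessCreate", "pid": 7300, "parent_pid": 4242, "image": "notepad.exe", "flags": 0},
    {"type": "RemoteWrite", "source_pid": 4242, "target_pid": 7300, "size": 0x1000},
    {"type": "QueueApc", "source_pid": 4242, "target_pid": 7300, "target_tid": 7304},
]

if __name__ == "__main__":
    for alert in detect_apc_injection(SAMPLE_EVENTS):
        print(alert)
```

The distinguishing signal is ordering, not volume: a single QueueApc that arrives before the target's first ResumeThread, from the process that created it suspended, is the Early Bird signature. Sensors that only record thread creation will see nothing here, which is the point the threat actor was making.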

What You Should Do

  • Treat .url Files as Executable Content: Never open .url files from untrusted or unexpected sources; this is Kiss Loader's primary infection vector. A document extension in front of .url (such as .pdf.url) is a red flag, and mail gateways can block the .url extension outright.
  • Tune EDR Monitoring: Alert on a process that is created suspended by an unexpected parent, receives remote memory writes from that parent, and has an APC queued to its primary thread before it is resumed. An explorer.exe started by anything other than userinit.exe or the existing Explorer shell deserves a closer look.
  • Monitor Network Traffic: Log and review outbound connections to *.trycloudflare.com and similar free tunnelling services. The domains are legitimate, so outright blocking is a policy decision, but unexpected traffic to them from user endpoints should be investigated.
  • Restrict WebDAV: The lure fetches its next stage over WebDAV. Disable the WebClient service where it is not needed, and block outbound WebDAV to untrusted destinations at the proxy.
  • Keep Systems Updated: Patching does not stop APC injection itself, which uses documented Windows APIs, but it closes the vulnerabilities an attacker would otherwise use to gain the initial foothold or the privileges the loader needs.

IoCs

SHA-256                                                           File
6abd118a0e6f5d67bfe1a79dacc1fd198059d8d66381563678f4e27ecb413fa7  DKM_DE000922.pdf.url
e8f83d67a6b894399fad774ac196c71683de9ddca3cf0441bb95318f5136b553  oa.wsh
549c1f1998f2e06dde086f70f031dbf5a3481bd3c5370d7605006b6a20b5b0b   ccv.js (hash as published is 63 hex characters, one short of a full SHA-256)
6d62b39805529aefe0ac0270a0b805de6686d169348a90866bf47a07acde2284  gg.bat
b4525711eafbd70288a9869825e5bb3045af072b5821cf8fbc89245aba57270a  pol.bat
e8dbdab0afac4decce1e4f8e74cc1c1649807f791c29df20ff72701a9086c2a0  vwo.zip
5cab6bf65f7836371d5c27fbfc20fe10c0c4a11784990ed1a3d2585fa5431ba6  so.py (Kiss Loader)
130ca411a3ef6c37dbd0b1746667b1386c3ac3be089c8177bc8bee5896ad2a02  ov.bin, decrypted (VenomRAT)
2b40a8a79b6cf90160450caaad12f9c178707bead32bcc187deb02f71c25c354  tv.bin, decrypted (Kryptik)

Tags: Attack, Malware, Security, Threat

All Rights Reserved by HackersRadar ©2026