A newly discovered malware loader called Kiss Loader has emerged as a serious threat, using advanced code injection techniques to quietly infiltrate Windows systems without raising alarms.
First spotted in early March 2026, it marks the beginning of a carefully built attack campaign that was still actively under development when researchers first caught it.
Kiss Loader spreads through a Windows Internet Shortcut file disguised as a PDF document, named DKM_DE000922.pdf.url.
When a victim clicks it, the system silently connects to a remote server hosted through a TryCloudflare tunnel — a legitimate service that creates temporary internet connections without needing a registered domain.
This use of trusted infrastructure lets the attacker freely update or swap malicious files, making the campaign significantly harder to track and block in time.
G DATA analysts identified Kiss Loader during a routine investigation that turned into something far more unusual.
The malware had not been seen before in the wild, marking it as a newly built tool designed specifically for this campaign.
Analysts noted that the attacker’s WebDAV file hosting directory was completely open with no access restrictions, revealing the threat actor was still actively working on the loader when researchers first encountered it.
.webp)
Once inside a target system, Kiss Loader begins a layered infection process. A batch script places a persistence file into the Windows Startup folder so the malware runs automatically on every reboot, while a decoy PDF appears on screen to keep the victim unaware.
Additional components download quietly in the background, and the arriving archive contains a Python-based loader that decrypts payloads using keys from JSON configuration files, keeping the malicious code hidden until the final stage.
Two payloads were recovered — VenomRAT, an AsyncRAT-like remote access tool, and a .NET Reactor-protected file identified as Kryptik.
Perhaps the most striking element of this case was the direct exchange between analyst and attacker. During controlled environment analysis, a G DATA researcher left a Notepad message asking if the person on the other end had authored the malware.
.webp)
About an hour later, the threat actor replied — confirming active presence on the compromised machine and acknowledging that the Early Bird APC injection technique was intentionally built into the loader.
Early Bird APC Injection: How Kiss Loader Evades Detection
The core of Kiss Loader’s evasion strategy is Early Bird APC injection, which delivers its payload inside a legitimate Windows process.
The loader targets explorer.exe, a trusted system process, to blend in with normal activity and avoid triggering security alerts.
.webp)
Kiss Loader first launches explorer.exe in a suspended state, meaning the process starts but holds before executing any normal tasks. The loader then allocates memory inside the process and writes the decrypted shellcode into it.
Rather than creating a new thread — a method that security tools actively monitor — it queues an Asynchronous Procedure Call to the suspended process’s primary thread instead.
.webp)
When execution resumes, the APC fires first, running the shellcode before Explorer begins normal operation, all within a trusted process context.
The shellcode was built using Donut, an open-source tool that converts .NET assemblies into memory-only shellcode, leaving nothing written to disk and making traditional antivirus detection far less effective.
The loader also generates detailed runtime output logging each injection step, confirming it was still in a testing phase at the time of discovery.
Users should avoid opening .url files from unverified sources, as this is Kiss Loader’s primary entry point.
Security teams should configure EDR solutions to detect APC-based injection targeting processes like explorer.exe, and monitor outbound connections to TryCloudflare domains for early compromise signals.
Administrators should enforce proper authentication on WebDAV directories to prevent open payload hosting. Keeping Windows and installed software updated reduces exposure to techniques that weaponize built-in system functionality for malicious purposes.
IoCs:-
| File / Hash | Type |
|---|---|
6abd118a0e6f5d67bfe1a79dacc1fd198059d8d66381563678f4e27ecb413fa7 | DKM_DE000922.pdf.url |
e8f83d67a6b894399fad774ac196c71683de9ddca3cf0441bb95318f5136b553 | oa.wsh |
549c1f1998f22e06dde086f70f031dbf5a3481bd3c5370d7605006b6a20b5b0b | ccv.js |
6d62b39805529aefe0ac0270a0b805de6686d169348a90866bf47a07acde2284 | gg.bat |
b4525711eafbd70288a9869825e5bb3045af072b5821cf8fbc89245aba57270a | pol.bat |
e8dbdab0afac4decce1e4f8e74cc1c1649807f791c29df20ff72701a9086c2a0 | vwo.zip |
5cab6bf65f7836371d5c27fbfc20fe10c0c4a11784990ed1a3d2585fa5431ba6 | so.py (Kiss Loader) |
130ca411a3ef6c37dbd0b1746667b1386c3ac3be089c8177bc8bee5896ad2a02 | Decrypted ov.bin — VenomRAT |
2b40a8a79b6cf90160450caaad12f9c178707bead32bcc187deb02f71c25c354 | Decrypted tv.bin — Kryptik |
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
