A new malware loader, dubbed Kiss Loader, has been identified by cybersecurity researchers. It uses process injection to run its payload inside a trusted Windows process and so evade detection. Discovered in early March 2026, Kiss Loader appears to be an early-stage campaign whose loader is still under active development. The initial delivery vector is a Windows Internet Shortcut file (.url) disguised as a PDF document; opening it sends the victim's machine to a remote server exposed through a legitimate TryCloudflare tunnel, which lets the operator serve and swap payloads without a fixed, attributable host.
G DATA analysts came across Kiss Loader during a routine investigation and noted that it was new in the wild and custom-built for this campaign. The attacker's WebDAV hosting directory was left unsecured, accessible without authentication, which is consistent with the loader still being worked on when it was found. The directory's contents were modified and swapped repeatedly, which complicated efforts to track and neutralise the campaign.
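The delivery vector above, a `.url` shortcut with a document-looking double extension whose target is a WebDAV share behind a TryCloudflare tunnel, is easy to triage automatically. The following is an added example, not code from G DATA or from the Kiss Loader analysis: it parses the Internet Shortcut format (an INI file with an `[InternetShortcut]` section and a `URL=` key) and flags the traits this campaign combines. The sample shortcut is constructed; its filename matches the published IoC list, but the tunnel hostname and the target path are hypothetical placeholders.

```python
import configparser
import re
from urllib.parse import urlparse

# Constructed sample. The filename matches the published IoC list; the tunnel
# hostname and the target path are hypothetical, not the campaign's real values.
SAMPLE_NAME = "DKM_DE000922.pdf.url"
SAMPLE_TEXT = r"""[InternetShortcut]
URL=file://example-tunnel.trycloudflare.com@SSL/DavWWWRoot/stage1.bat
IconFile=C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
IconIndex=0
"""

# A shortcut whose name ends in <document extension>.url is lying about what it is.
DOUBLE_EXT_RE = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt|jpe?g|png)\.url$", re.IGNORECASE)
TUNNEL_SUFFIXES = (".trycloudflare.com",)
# Windows WebDAV targets carry host@SSL / host@<port> and the DavWWWRoot pseudo-directory.
WEBDAV_MARKERS = ("davwwwroot", "@ssl", "@80", "@443")
SCRIPT_EXTS = (".bat", ".cmd", ".wsh", ".js", ".vbs", ".hta", ".exe", ".lnk", ".ps1")


def parse_url_file(text: str) -> dict:
    """Parse a Windows Internet Shortcut: an INI file whose [InternetShortcut]
    section holds the URL= target. Keys come back lower-cased."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text.lstrip("\ufeff"))  # tolerate a UTF-8 BOM
    if "InternetShortcut" not in cp:
        raise ValueError("no [InternetShortcut] section")
    return dict(cp["InternetShortcut"])


def _parsed(url: str):
    """Normalise http(s), file:// and bare UNC (\\\\host\\share) targets for urlparse."""
    u = url.strip().replace("\\", "/")
    if u.startswith("//"):
        u = "file:" + u
    return urlparse(u)


def target_host(url: str) -> str:
    """Host the shortcut will contact when opened."""
    p = _parsed(url)
    if p.scheme in ("http", "https"):
        return (p.hostname or "").lower()
    # file://host@SSL/...: urlparse would read 'host' as a username, so split by hand.
    return p.netloc.split("@", 1)[0].lower()


def triage(filename: str, text: str) -> dict:
    """Return the resolved host plus a list of findings; 'suspicious' is True if any fired."""
    fields = parse_url_file(text)
    url = fields.get("url", "")
    norm = url.strip().replace("\\", "/").lower()
    p = _parsed(url)
    host = target_host(url)
    findings = []
    if DOUBLE_EXT_RE.search(filename):
        findings.append("double extension: shortcut masquerades as a document")
    if host.endswith(TUNNEL_SUFFIXES):
        findings.append("target host is a TryCloudflare quick tunnel")
    if any(m in norm for m in WEBDAV_MARKERS):
        findings.append("target is a remote WebDAV share")
    if p.scheme == "file" and host and host not in ("localhost", "127.0.0.1"):
        findings.append("file:/UNC target on a remote host")
    if p.path.lower().endswith(SCRIPT_EXTS):
        findings.append("target is a script or executable, not a document")
    return {"host": host, "url": url, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    result = triage(SAMPLE_NAME, SAMPLE_TEXT)
    print(result["host"])
    for f in result["findings"]:
        print(" -", f)
```

The same parser handles the UNC spelling of a WebDAV target (`\\host@80\DavWWWRoot\file`), which is how the shortcut looks once Windows has resolved it; a mail gateway or EDR script can run `triage` on every `.url` attachment and quarantine anything with a double extension or a remote `file:` target.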
Once executed on a targeted system, Kiss Loader runs a multi-stage infection chain. A batch script establishes persistence by placing a file in the Windows Startup folder, so the malware is relaunched at every logon. At the same time a decoy PDF is opened for the user to deflect suspicion, while further components are downloaded silently in the background. The downloaded archives contain a Python-based loader (so.py in the IoCs below) that decrypts the bundled payload blobs with keys read from JSON configuration files, so the final-stage code exists in the clear only in memory.
During their analysis, the researchers recovered two distinct payloads: VenomRAT, a remote access trojan closely related to AsyncRAT, and a second binary protected with .NET Reactor and flagged under the generic Kryptik detection name. In an unusual instance of direct interaction, a G DATA researcher left a question for the threat actor in a Notepad window inside a controlled analysis environment. Roughly an hour later the attacker replied, confirming that they were on the machine and that the Early Bird APC injection technique had been built into Kiss Loader deliberately.
Early Bird APC Injection: How Kiss Loader Evades Detection
The primary mechanism behind Kiss Loader's stealth is its use of Early Bird APC injection. The technique places the payload inside a legitimate, trusted Windows process, so that security tools that trust a process by its name or signature see only that process acting. The loader targets `explorer.exe`, the Windows shell, which makes the injected code's activity hard to separate from the large volume of legitimate work Explorer performs.
Kiss Loader starts by launching `explorer.exe` in a suspended state, so its primary thread never reaches the program's entry point until the loader allows it. The loader then allocates memory in the suspended process and writes the decrypted shellcode into it. Rather than creating a remote thread, which is a well-monitored operation, it queues an Asynchronous Procedure Call (APC) pointing at the shellcode to the suspended process's primary thread (the technique's usual API sequence is CreateProcess with CREATE_SUSPENDED, VirtualAllocEx, WriteProcessMemory, QueueUserAPC and ResumeThread). When the thread is resumed it passes through an alertable point during process initialisation, so the APC fires and the shellcode runs before Explorer's own code and, in many configurations, before the user-mode hooks that endpoint products place in a new process are in place, all under the identity of the trusted process.
The shellcode itself is reportedly generated with Donut, an open-source tool that converts .NET assemblies (as well as native PE files and scripts) into position-independent shellcode that loads the payload entirely in memory. As a result the decrypted payload never touches disk in executable form; only the encrypted blobs and the scripted loader stages do, which limits what file-scanning antivirus can see. Verbose runtime output captured during analysis also indicated that the loader was still being tested and refined when it was discovered.
To mitigate the risks associated with Kiss Loader and similar threats, users should not open `.url` files from unverified or untrusted sources, as this is the malware's entry point; a shortcut named like a document (`.pdf.url`) should be treated as hostile, and mail gateways can quarantine the extension outright. Security teams should tune their Endpoint Detection and Response (EDR) tooling to flag the Early Bird pattern: a process created suspended, written to by its parent and then handed an APC, especially when the child is `explorer.exe` or another trusted system process. Outbound connections to `trycloudflare.com` subdomains and WebDAV traffic to unfamiliar hosts are useful early indicators of compromise. Organizations that host WebDAV directories themselves should require authentication on them, so that they cannot be repurposed for payload hosting. Keeping Windows and installed software up to date remains important, since loaders like this one are commonly combined with exploitation of unpatched components.
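The injection sequence described in the Early Bird section and the EDR guidance above can be turned into a concrete correlation rule. The following is an added example, not code from G DATA or from the Kiss Loader analysis: it walks a stream of constructed EDR-style events and raises an alert when one process creates a child suspended, writes into it and then queues an APC to it. The event schema (field names, event types), the PIDs and the paths are assumptions made for this example; real sensors built on kernel callbacks or ETW-TI expose the same facts under their own names.

```python
from dataclasses import dataclass

# Constructed EDR-style telemetry. The schema (type/pid/target_pid/flags) is an
# assumption for this example; PIDs, thread IDs and sizes are made up.
SAMPLE_EVENTS = [
    # Loader (pid 3000) spawns explorer.exe suspended, writes into it, queues an APC, resumes.
    {"ts": 1.0, "type": "ProcessCreate", "pid": 4120, "ppid": 3000,
     "image": r"C:\Windows\explorer.exe", "flags": ["CREATE_SUSPENDED"]},
    {"ts": 1.1, "type": "RemoteAlloc", "pid": 3000, "target_pid": 4120,
     "size": 0x20000, "protect": "PAGE_EXECUTE_READWRITE"},
    {"ts": 1.2, "type": "RemoteWrite", "pid": 3000, "target_pid": 4120, "size": 0x1F400},
    {"ts": 1.3, "type": "QueueApc", "pid": 3000, "target_pid": 4120, "target_tid": 4124},
    {"ts": 1.4, "type": "ResumeThread", "pid": 3000, "target_pid": 4120, "target_tid": 4124},
    # A debugger (pid 5000) also starts its debuggee suspended, but never writes or queues an APC.
    {"ts": 2.0, "type": "ProcessCreate", "pid": 5100, "ppid": 5000,
     "image": r"C:\Windows\System32\notepad.exe", "flags": ["CREATE_SUSPENDED"]},
    {"ts": 2.5, "type": "ResumeThread", "pid": 5000, "target_pid": 5100, "target_tid": 5104},
]


@dataclass
class SuspendedChild:
    """What one parent has done so far to a child it created with CREATE_SUSPENDED."""
    source_pid: int
    target_pid: int
    image: str
    created_ts: float
    exec_alloc: bool = False
    remote_write: bool = False
    apc_queued: bool = False
    resumed: bool = False


def correlate(events, window_s: float = 60.0):
    """Correlate the Early Bird APC sequence per (parent, suspended child) pair:
    CREATE_SUSPENDED -> remote write -> QueueUserAPC into that child.
    The alert is raised when the APC is queued, i.e. before ResumeThread lets it
    run, which is the last point at which a sensor could still block it."""
    children = {}  # (source_pid, target_pid) -> SuspendedChild
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind = ev["type"]
        if kind == "ProcessCreate":
            if "CREATE_SUSPENDED" in ev.get("flags", ()):
                key = (ev["ppid"], ev["pid"])
                image = ev["image"].rsplit("\\", 1)[-1].lower()
                children[key] = SuspendedChild(ev["ppid"], ev["pid"], image, ev["ts"])
            continue
        child = children.get((ev["pid"], ev.get("target_pid")))
        if child is None or ev["ts"] - child.created_ts > window_s:
            continue  # not a child this process recently created suspended
        if kind == "RemoteAlloc" and "EXECUTE" in ev.get("protect", ""):
            child.exec_alloc = True
        elif kind == "RemoteWrite":
            child.remote_write = True
        elif kind == "QueueApc":
            child.apc_queued = True
            if child.remote_write:
                alerts.append({
                    "technique": "Early Bird APC injection",
                    "source_pid": child.source_pid,
                    "target_pid": child.target_pid,
                    "target_image": child.image,
                    "executable_alloc": child.exec_alloc,
                    "resumed_yet": child.resumed,
                })
        elif kind == "ResumeThread":
            child.resumed = True
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The rule keys on the suspended creation, so a debugger or installer that starts a child suspended and merely resumes it produces no alert; the write-then-APC combination is what distinguishes injection. It deliberately does not cover classic APC injection into an already-running process, which needs a separate rule keyed on cross-process QueueUserAPC alone, and it records whether the remote allocation was executable rather than requiring it, because a loader can allocate read/write memory and flip it to executable later.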
Indicators of Compromise (IoCs) include the following files and SHA-256 hashes:
| SHA-256 | File |
|---|---|
| 6abd118a0e6f5d67bfe1a79dacc1fd198059d8d66381563678f4e27ecb413fa7 | DKM_DE000922.pdf.url |
| e8f83d67a6b894399fad774ac196c71683de9ddca3cf0441bb95318f5136b553 | oa.wsh |
| 549c1f1998f22e06dde086f70f031dbf5a3481bd3c5370d7605006b6a20b5b0b | ccv.js |
| 6d62b39805529aefe0ac0270a0b805de6686d169348a90866bf47a07acde2284 | gg.bat |
| b4525711eafbd70288a9869825e5bb3045af072b5821cf8fbc89245aba57270a | pol.bat |
| e8dbdab0afac4decce1e4f8e74cc1c1649807f791c29df20ff72701a9086c2a0 | vwo.zip |
| 5cab6bf65f7836371d5c27fbfc20fe10c0c4a11784990ed1a3d2585fa5431ba6 | so.py (Kiss Loader) |
| 130ca411a3ef6c37dbd0b1746667b1386c3ac3be089c8177bc8bee5896ad2a02 | Decrypted ov.bin (VenomRAT) |
| 2b40a8a79b6cf90160450caaad12f9c178707bead32bcc187deb02f71c25c354 | Decrypted tv.bin (Kryptik) |