New Kiss Loader Malware Uses Early Bird APC Injection in Emerging Attack Campaign

Home Cyber Security News New Kiss Loader Malware Uses Early Bird APC Injection in Emerging Attack... A newly discovered malware loader called Kiss Loader has emerged as a serious threat, using advanced code injection techniques to quietly infiltrate Windows systems without raising alarms. First spotted in early March 2026, it marks the beginning of a carefully built attack campaign that was still actively under development when researchers first caught it. Kiss Loader spreads through a Windows Internet Shortcut file disguised as a PDF document, named DKM_DE000922.pdf.url. When a victim clicks it, the system silently connects to a remote server hosted through a TryCloudflare tunnel — a legitimate service that creates temporary internet connections without needing a registered domain. This use of trusted infrastructure lets the attacker freely update or swap malicious files, making the campaign significantly harder to track and block in time. G DATA analysts identified Kiss Loader during a routine investigation that turned into something far more unusual. The malware had not been seen before in the wild, marking it as a newly built tool designed specifically for this campaign. Analysts noted that the attacker’s WebDAV file hosting directory was completely open with no access restrictions, revealing the threat actor was still actively working on the loader when researchers first encountered it. Open WebDAV Repository Used for Payload Delivery (Source – G DATA) Once inside a target system, Kiss Loader begins a layered infection process. A batch script places a persistence file into the Windows Startup folder so the malware runs automatically on every reboot, while a decoy PDF appears on screen to keep the victim unaware. Additional components download quietly in the background, and the arriving archive contains a Python-based loader that decrypts payloads using keys from JSON configuration files, keeping the malicious code hidden until the final stage. Two payloads were recovered — VenomRAT, an AsyncRAT-like remote access tool, and a .NET Reactor-protected file identified as Kryptik. Perhaps the most striking element of this case was the direct exchange between analyst and attacker. During controlled environment analysis, a G DATA researcher left a Notepad message asking if the person on the other end had authored the malware. Direct Interaction with Threat Actor via Notepad During Analysis (Source – G DATA) About an hour later, the threat actor replied — confirming active presence on the compromised machine and acknowledging that the Early Bird APC injection technique was intentionally built into the loader. Early Bird APC Injection: How Kiss Loader Evades Detection The core of Kiss Loader’s evasion strategy is Early Bird APC injection, which delivers its payload inside a legitimate Windows process. The loader targets explorer.exe, a trusted system process, to blend in with normal activity and avoid triggering security alerts. Early Bird APC Injection Implementation in Kiss Loader (Source – G DATA) Kiss Loader first launches explorer.exe in a suspended state, meaning the process starts but holds before executing any normal tasks. The loader then allocates memory inside the process and writes the decrypted shellcode into it. Rather than creating a new thread — a method that security tools actively monitor — it queues an Asynchronous Procedure Call to the suspended process’s primary thread instead. Kiss Loader Execution Chain Overview (Source – G DATA) When execution resumes, the APC fires first, running the shellcode before Explorer begins normal operation, all within a trusted process context. The shellcode was built using Donut, an open-source tool that converts .NET assemblies into memory-only shellcode, leaving nothing written to disk and making traditional antivirus detection far less effective. The loader also generates detailed runtime output logging each injection step, confirming it was still in a testing phase at the time of discovery. Users should avoid opening .url files from unverified sources, as this is Kiss Loader’s primary entry point. Security teams should configure EDR solutions to detect APC-based injection targeting processes like explorer.exe, and monitor outbound connections to TryCloudflare domains for early compromise signals. Administrators should enforce proper authentication on WebDAV directories to prevent open payload hosting. Keeping Windows and installed software updated reduces exposure to techniques that weaponize built-in system functionality for malicious purposes. IoCs:- File / Hash Type 6abd118a0e6f5d67bfe1a79dacc1fd198059d8d66381563678f4e27ecb413fa7 DKM_DE000922.pdf.url e8f83d67a6b894399fad774ac196c71683de9ddca3cf0441bb95318f5136b553 oa.wsh 549c1f1998f22e06dde086f70f031dbf5a3481bd3c5370d7605006b6a20b5b0b ccv.js 6d62b39805529aefe0ac0270a0b805de6686d169348a90866bf47a07acde2284 gg.bat b4525711eafbd70288a9869825e5bb3045af072b5821cf8fbc89245aba57270a pol.bat e8dbdab0afac4decce1e4f8e74cc1c1649807f791c29df20ff72701a9086c2a0 vwo.zip 5cab6bf65f7836371d5c27fbfc20fe10c0c4a11784990ed1a3d2585fa5431ba6 so.py (Kiss Loader) 130ca411a3ef6c37dbd0b1746667b1386c3ac3be089c8177bc8bee5896ad2a02 Decrypted ov.bin — VenomRAT 2b40a8a79b6cf90160450caaad12f9c178707bead32bcc187deb02f71c25c354 Decrypted tv.bin — Kryptik Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google. RELATED ARTICLESMORE FROM AUTHOR Cyber Security News Fake npm Install Messages Hide RAT Malware in New Open Source Supply Chain Campaign Cyber Security News Fake VS Code Security Alerts on GitHub Used to Push Malware in Widespread Phishing Campaign Cyber Security News Ghost SPN Attack Lets Hackers Conduct Stealthy Kerberoasting Under the Radar Top 10 Essential E-Signature Solutions for Cybersecurity in 2026 January 31, 2026 Top 10 Best Data Removal Services In 2026 January 29, 2026 Best VPN Services of 2026: Fast, Secure & Affordable January 26, 2026 Top 10 Best Data Security Companies in 2026 January 23, 2026 Top 15 Best Ethical Hacking Tools – 2026 January 15, 2026