When Malware Talks Back: Real-Time Interaction with a Threat Actor During the Analysis of Kiss Loader

Khushal

Thread author
Apr 4, 2024

Talking to a malware author is a rare occurrence, something most analysts hear about but rarely experience themselves. Identifying the individual behind a malware campaign is often one of the most difficult aspects of threat research. In this case, what began as a routine investigation quickly turned into a direct and unexpected encounter with the person behind the code.

This is a fascinating and almost surreal story. Even if it doesn't change how we protect ourselves as home users, it reminds us that behind every attack, there's a real person with their own motives and ego. Seeing the 'face' (or at least the voice) behind the malware breaks the idea that we are just fighting against machines. What an incredible encounter! 👨‍💻💬
 
The infection begins with a Windows Internet Shortcut file (DKM_DE000922.pdf.url) that triggers execution and connects to a remote WebDAV resource hosted through a TryCloudflare tunnel.
Again, stay away from any lnk file you have not created yourself.
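The reply above describes the lure: a .url Internet Shortcut whose target is a WebDAV share reached through a TryCloudflare tunnel. The following is an added example, not code from this thread or from G DATA: it parses the INI-style .url format and flags the traits mentioned (a double extension such as .pdf.url, a UNC/WebDAV target, a trycloudflare.com host). The sample shortcut, its host name and its target path are constructed for illustration and are not the campaign's file; the `@SSL@443\DavWWWRoot` syntax is the generic form Windows uses to address a WebDAV share over HTTPS.

```python
"""Triage of a Windows Internet Shortcut (.url) file (added example)."""
import configparser
import re
from urllib.parse import urlparse

# Constructed sample, not the real lure: host and path are made up.
SAMPLE_URL_FILE = r"""[InternetShortcut]
URL=file://\\words-here-made-up.trycloudflare.com@SSL@443\DavWWWRoot\files\document.pdf.lnk
IconIndex=1
IconFile=C:\Windows\System32\SHELL32.dll
"""

BENIGN_URL_FILE = "[InternetShortcut]\nURL=https://www.example.com/\n"

# Tunnel domains named in the thread. Matching is on the host suffix.
TUNNEL_SUFFIXES = ("trycloudflare.com",)

# file://\\host[@SSL][@port]\rest  (UNC target, optionally WebDAV over TLS)
UNC_RE = re.compile(r"^file:(?://)?\\\\([^\\@]+)(@SSL)?(?:@(\d+))?\\(.*)$", re.IGNORECASE)


def parse_url_file(text: str) -> dict:
    """Return the [InternetShortcut] key/value pairs with key case preserved."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # do not lowercase keys such as URL / IconFile
    cp.read_string(text)
    if not cp.has_section("InternetShortcut"):
        raise ValueError("not an InternetShortcut file")
    return dict(cp.items("InternetShortcut"))


def analyse_target(target: str) -> dict:
    """Classify the URL= value: transport, host, path, WebDAV/TLS indicators."""
    m = UNC_RE.match(target)
    if m:
        host, ssl, port, path = m.groups()
        return {
            "transport": "unc",
            "host": host.lower(),
            "path": path,
            # @SSL/@port or a DavWWWRoot prefix means the WebClient (WebDAV) service serves it
            "webdav": bool(ssl or port) or path.lower().startswith("davwwwroot"),
            "tls": bool(ssl),
        }
    parsed = urlparse(target)
    return {
        "transport": parsed.scheme.lower(),
        "host": (parsed.hostname or "").lower(),
        "path": parsed.path,
        "webdav": False,
        "tls": parsed.scheme.lower() == "https",
    }


def _is_tunnel_host(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in TUNNEL_SUFFIXES)


def triage_shortcut(filename: str, text: str) -> list:
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    findings = []
    parts = filename.lower().rsplit(".", 2)
    if len(parts) == 3 and parts[-1] == "url":
        findings.append(f"double extension: looks like .{parts[1]}, is a .url shortcut")

    fields = parse_url_file(text)
    info = analyse_target(fields.get("URL", ""))
    if info["transport"] == "unc":
        findings.append(f"target is a UNC path on remote host {info['host']}")
    if info["webdav"]:
        findings.append("target is a WebDAV share (@SSL/@port or DavWWWRoot), served by WebClient")
    if _is_tunnel_host(info["host"]):
        findings.append(f"host {info['host']} is a TryCloudflare tunnel")

    # Icon or working directory on a remote share also causes an outbound connection on render.
    for key in ("IconFile", "WorkingDirectory"):
        value = fields.get(key, "")
        if value.startswith("\\\\"):
            findings.append(f"{key} points at remote share {value}")
    return findings


if __name__ == "__main__":
    for line in triage_shortcut("DKM_DE000922.pdf.url", SAMPLE_URL_FILE):
        print("FLAG:", line)
    print("benign:", triage_shortcut("link.url", BENIGN_URL_FILE))
```

Running the block against the constructed sample yields four findings (double extension, UNC target, WebDAV, TryCloudflare host) and none for the benign https shortcut. The same parser can be pointed at a mail-gateway quarantine folder to triage every .url attachment before it reaches a user.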
 
Executive Summary

Confirmed Facts

The Kiss Loader campaign leverages WebDAV over TryCloudflare to deliver a multi-stage infection chain beginning with a .url shortcut, eventually injecting VenomRAT into explorer.exe via APC injection.

Assessment
The use of a Python-based loader means the threat level for default Windows installations must be downgraded to "Theoretical/Low," as the execution requires a Python interpreter which is not native to the OS. The lack of operational security during development allowed for direct analyst interception.

Technical Analysis & Remediations

MITRE ATT&CK Mapping

T1059.005 (Command and Scripting Interpreter: VBScript/JScript)
T1059.003 (Windows Command Shell)
T1055.004 (Process Injection: Asynchronous Procedure Call)
T1566.002 (Phishing: Spearphishing Link)

CVE Profile
N/A [CISA KEV Status: Inactive]
The attack relies on native scripting engines and Windows APIs rather than software vulnerabilities.

Telemetry

File Hash (Shortcut)

6abd118a0e6f5d67bfe1a79dacc1fd198059d8d66381563678f4e27ecb413fa7 (DKM_DE000922.pdf.url)

File Hash (Python Loader)
5cab6bf65f7836371d5c27fbfc20fe10c0c4a11784990ed1a3d2585fa5431ba6 (so.py)

File Hash (Decrypted VenomRAT)
130ca411a3ef6c37dbd0b1746667b1386c3ac3be089c8177bc8bee5896ad2a02

Constraint
The structure resembles a lab-testing environment. The threat actor explicitly confirmed the TTP via live chat, referring to the technique as "early bird injection".

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

GOVERN (GV) – Crisis Management & Oversight

Command
Establish policy restricting outbound WebDAV (TCP 80/443 mapping to WebClient) and SMB traffic to unapproved external domains or Cloudflare tunnels.

DETECT (DE) – Monitoring & Analysis

Command
Deploy SIEM alerts for wscript.exe spawning from .url files and network connections to trycloudflare.com subdomains.

Command
Hunt for explorer.exe spawning in a suspended state followed by QueueUserAPC API calls originating from Python processes.

RESPOND (RS) – Mitigation & Containment

Command
Isolate endpoints executing gg.bat or pol.bat from unexpected scripting origins.

RECOVER (RC) – Restoration & Trust

Command
Reimage confirmed compromised hosts (due to VenomRAT payload) and validate clean state before returning to production.

IDENTIFY & PROTECT (ID/PR) – The Feedback Loop

Command
Block the default .url, .wsh, and .js file associations in email gateways and web filters.

Remediation - THE HOME USER TRACK (Safety Focus)

Priority 1: Safety

Command
Disconnect from the internet immediately if you clicked a fake PDF shortcut file that unexpectedly launched a command prompt. (Note: Threat execution is conditional upon Python availability).

Command
Do not log into banking/email until verified clean.

Priority 2: Identity

Command
Reset passwords and MFA using a known clean device (e.g., phone on 5G), as VenomRAT is capable of advanced credential theft.

Priority 3: Persistence

Command
Check Startup Folders for newly created batch scripts (e.g., pol.bat) and remove them immediately.

Hardening & References

Baseline

CIS Benchmarks for Windows 10/11 (Disable WSH if not explicitly required by the organization).

Framework
NIST CSF 2.0 / SP 800-61r3.

Source

G DATA CyberDefense Blog
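The DETECT commands in the post above name three signals: a scripting host launched from a WebDAV path, a connection to a trycloudflare.com subdomain, and explorer.exe created suspended by a Python process followed by QueueUserAPC. The following is an added example, not part of the post above and not G DATA's or any vendor's code: it runs those three rules over constructed process, network and API events. The event records, pids, the `flags` field (creation flags as an EDR might expose them; Sysmon does not log them) and the `api_call` records are all constructed for illustration; the order in which gg.bat, so.py and explorer.exe appear is illustrative and is not asserted to be the published chain.

```python
"""Three detections for the Kiss Loader TTPs over constructed telemetry (added example)."""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "mshta.exe"}
PYTHON_HOSTS = {"python.exe", "pythonw.exe"}
TUNNEL_SUFFIX = ".trycloudflare.com"
CREATE_SUSPENDED = 0x4  # CreateProcess dwCreationFlags bit
# \\host@SSL[@port]\...  or  \DavWWWRoot\  anywhere in a command line
WEBDAV_RE = re.compile(r"\\\\[^\\\s]+@SSL(?:@\d+)?\\|\\DavWWWRoot\\", re.IGNORECASE)

# Constructed events (not real logs). Fields mimic Sysmon EID 1/3 plus a
# hypothetical EDR API trace (type "api_call"). The tunnel host name is made up.
EVENTS = [
    {"t": 1, "type": "process_create", "pid": 1200, "ppid": 900, "image": "explorer.exe",
     "parent_image": "userinit.exe", "cmdline": "explorer.exe", "flags": 0},
    {"t": 2, "type": "process_create", "pid": 1300, "ppid": 1200, "image": "wscript.exe",
     "parent_image": "explorer.exe",
     "cmdline": r'wscript.exe "\\made-up-words.trycloudflare.com@SSL@443\DavWWWRoot\files\loader.js"',
     "flags": 0},
    {"t": 3, "type": "network_connect", "pid": 1100, "image": "svchost.exe",
     "dest_host": "made-up-words.trycloudflare.com", "dest_port": 443},
    {"t": 4, "type": "process_create", "pid": 1400, "ppid": 1300, "image": "cmd.exe",
     "parent_image": "wscript.exe", "cmdline": "cmd.exe /c gg.bat", "flags": 0},
    {"t": 5, "type": "process_create", "pid": 1500, "ppid": 1400, "image": "python.exe",
     "parent_image": "cmd.exe", "cmdline": "python.exe so.py", "flags": 0},
    {"t": 6, "type": "process_create", "pid": 1600, "ppid": 1500, "image": "explorer.exe",
     "parent_image": "python.exe", "cmdline": "explorer.exe", "flags": CREATE_SUSPENDED},
    {"t": 7, "type": "api_call", "pid": 1500, "image": "python.exe", "api": "QueueUserAPC", "target_pid": 1600},
    {"t": 8, "type": "api_call", "pid": 1500, "image": "python.exe", "api": "ResumeThread", "target_pid": 1600},
    # benign noise: a logon script and ordinary browsing must not alert
    {"t": 9, "type": "process_create", "pid": 1700, "ppid": 1200, "image": "wscript.exe",
     "parent_image": "explorer.exe", "cmdline": r"wscript.exe C:\Scripts\logon.vbs", "flags": 0},
    {"t": 10, "type": "network_connect", "pid": 1800, "image": "chrome.exe",
     "dest_host": "www.example.com", "dest_port": 443},
]


def detect_scripting_from_webdav(ev: dict):
    """Rule 1: a scripting host whose command line references a WebDAV UNC path."""
    if ev["type"] != "process_create" or ev["image"].lower() not in SCRIPT_HOSTS:
        return None
    if not WEBDAV_RE.search(ev["cmdline"]):
        return None
    return f"[t={ev['t']}] {ev['image']} pid {ev['pid']} launched from WebDAV path: {ev['cmdline']}"


def detect_tunnel_connection(ev: dict):
    """Rule 2: any process connecting to a TryCloudflare tunnel subdomain."""
    if ev["type"] != "network_connect":
        return None
    host = ev["dest_host"].lower()
    if not host.endswith(TUNNEL_SUFFIX):
        return None
    return f"[t={ev['t']}] {ev['image']} pid {ev['pid']} connected to TryCloudflare tunnel {host}:{ev['dest_port']}"


def detect_early_bird(events: list) -> list:
    """Rule 3 (stateful): Python creates explorer.exe suspended, queues an APC
    into it, then resumes it. All three steps must come from the same creator pid."""
    suspended = {}  # target pid -> state
    alerts = []
    for ev in sorted(events, key=lambda e: e["t"]):
        if (ev["type"] == "process_create" and ev["image"].lower() == "explorer.exe"
                and ev["parent_image"].lower() in PYTHON_HOSTS and ev["flags"] & CREATE_SUSPENDED):
            suspended[ev["pid"]] = {"creator": ev["ppid"], "apc": False, "t": ev["t"]}
        elif ev["type"] == "api_call" and ev.get("target_pid") in suspended:
            state = suspended[ev["target_pid"]]
            if ev["pid"] != state["creator"]:
                continue
            if ev["api"] == "QueueUserAPC":
                state["apc"] = True
            elif ev["api"] == "ResumeThread" and state["apc"]:
                alerts.append(f"[t={ev['t']}] early bird APC injection: pid {ev['pid']} created "
                              f"explorer.exe pid {ev['target_pid']} suspended at t={state['t']}, "
                              f"queued an APC, then resumed it")
                del suspended[ev["target_pid"]]
    return alerts


def detect(events: list) -> list:
    """Run all rules and return the alert strings in time order."""
    alerts = []
    for ev in sorted(events, key=lambda e: e["t"]):
        for rule in (detect_scripting_from_webdav, detect_tunnel_connection):
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    alerts.extend(detect_early_bird(events))
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print("ALERT", a)
```

Against the constructed events the block raises exactly three alerts (the WebDAV-launched wscript.exe, the tunnel connection, and the early bird sequence) and stays quiet on the logon script and the browser. Rule 3 deliberately requires the APC and the resume to come from the pid that created the suspended process; dropping that check would make any unrelated QueueUserAPC to a suspended explorer.exe fire the alert.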