Kiss Loader Malware - New Threat Using APC Injection Detected
Basically, Kiss Loader is a new malware that sneaks into computers without being noticed.
Kiss Loader malware has been detected, using advanced techniques to infiltrate Windows systems. Users are at risk if they open unverified files. Security teams must act quickly to mitigate this threat.
What Happened
A newly discovered malware loader, Kiss Loader, has emerged as a serious threat to Windows systems. First spotted in early March 2026, this malware uses advanced code injection techniques to infiltrate systems without raising alarms. Researchers at G DATA uncovered this threat during a routine investigation, revealing a carefully built attack campaign that was still under development when they first detected it.
Kiss Loader spreads through a Windows Internet Shortcut file disguised as a PDF document. When a victim clicks on the file named DKM_DE000922.pdf.url, the system silently connects to a remote server via a TryCloudflare tunnel. This method allows attackers to update or swap malicious files easily, making it challenging for security teams to track and block the threat effectively.
Who's Being Targeted
The primary targets of Kiss Loader are unsuspecting Windows users who may inadvertently open malicious files. The loader's use of a decoy PDF keeps victims unaware while it executes its malicious payload. Once inside a system, Kiss Loader initiates a layered infection process, ensuring it remains persistent by placing a file in the Windows Startup folder. This means the malware runs automatically every time the computer is rebooted.
The malware's stealthy approach makes it particularly dangerous. By utilizing a trusted process like explorer.exe, Kiss Loader can blend in with normal system activity, significantly reducing the chances of detection by traditional security measures.
Signs of Infection
Users should be vigilant for signs of infection, such as unexpected system behavior or unexplained slowdowns. If a user has clicked on unverified .url files, they should immediately check for any unusual processes running on their system. The presence of a decoy PDF on the screen may also indicate that Kiss Loader is active.
Security teams should configure their Endpoint Detection and Response (EDR) solutions to detect APC-based injection targeting processes like explorer.exe. Monitoring outbound connections to TryCloudflare domains can also provide early warning signals of compromise.
How to Protect Yourself
To protect against Kiss Loader and similar threats, users should avoid opening .url files from unverified sources. Keeping Windows and installed software updated is crucial to reduce exposure to vulnerabilities that attackers exploit. Administrators should enforce proper authentication on WebDAV directories to prevent open payload hosting, which Kiss Loader relies on for its operations.
In summary, the emergence of Kiss Loader highlights the need for heightened awareness and proactive security measures. By understanding the tactics used by this malware, users and organizations can better defend against future attacks.