Emerging Threat: Kiss Loader Malware Exploits Early Bird APC Injection

Severity: High (Score: 63.5)

Sources: Cybersecuritynews, Socprime, Feeds.Feedburner, Gbhackers

Summary

A new malware loader named 'Kiss Loader' has been identified. It relies on Early Bird APC injection (ATT&CK T1055.004): the loader starts a victim process in a suspended state, writes its payload into that process, queues an asynchronous procedure call (APC) on the process's initial thread and then resumes it, so the payload executes before the program's own entry point is reached. The malware was first spotted in early March 2026 and is still under active development, so further evolution into a more capable attack tool should be expected. The infection chain begins with a Windows Internet Shortcut (.url) file that points to a remote WebDAV resource, which lets the attacker change the hosted payload without changing the lure. Kiss Loader uses a multi-stage execution flow in which a JScript component orchestrates the infection and establishes persistence on the victim's system. The loader can deploy additional payloads, including a variant of VenomRAT. Security analysts are monitoring the threat closely, as it poses significant risk to users and organizations alike.

Key Points:

  • Kiss Loader uses Early Bird APC injection to stealthily infiltrate Windows systems.
  • The malware was first detected in early March 2026 and is still under active development.
  • It employs a multi-stage execution flow, including dynamic payload delivery via WebDAV.
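The call sequence that defines Early Bird APC injection (suspended CreateProcess, WriteProcessMemory into the child, QueueUserAPC on the child's initial thread, ResumeThread) can be flagged from API telemetry. The Python below is an added example and is not code from the original report or from any Kiss Loader sample; the event schema (ts, pid, api, target_pid, args), the `detect_early_bird` function and the sample events are constructed for illustration, and real sensors expose these calls under their own field names.

```python
"""Flag the Early Bird APC injection call sequence in process telemetry.

Early Bird injection (ATT&CK T1055.004) creates the victim process
suspended, writes the payload into it, queues a user-mode APC on the
victim's initial thread and resumes that thread, so the payload runs during
thread initialisation before the image's entry point.  The event schema,
the detector and the sample events are constructed for this example; real
sensors (ETW, Sysmon, EDR API hooks) use their own field names.
"""
from dataclasses import dataclass

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit in CreateProcess*

# Calls that must follow the suspended CreateProcess, in this order, for one
# (injector pid, victim pid) pair.  Unrelated calls in between (VirtualAllocEx,
# NtProtectVirtualMemory, ...) are ignored rather than breaking the chain.
SEQUENCE = ("WriteProcessMemory", "QueueUserAPC", "ResumeThread")


@dataclass(frozen=True)
class Finding:
    injector_pid: int
    victim_pid: int
    victim_image: str
    started: float
    completed: float


class _Chain:
    """Progress of one injector->victim pair through SEQUENCE."""

    def __init__(self, ev):
        self.started = ev["ts"]
        self.image = ev["args"].get("image", "?")
        self.main_tid = ev["args"].get("main_tid")  # initial thread id from CreateProcess
        self.step = 0


def detect_early_bird(events, max_window=5.0):
    """Return a Finding for every injector->victim pair that completes
    CreateProcess(CREATE_SUSPENDED) -> WriteProcessMemory -> QueueUserAPC on the
    victim's initial thread -> ResumeThread within max_window seconds."""
    chains = {}
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["pid"], ev["target_pid"])
        args = ev.get("args", {})
        if ev["api"] == "CreateProcess":
            if args.get("creation_flags", 0) & CREATE_SUSPENDED:
                chains[key] = _Chain(ev)  # start (or restart) tracking this pair
            continue
        chain = chains.get(key)
        if chain is None:
            continue
        if ev["ts"] - chain.started > max_window:
            del chains[key]  # too slow to be one injection attempt
            continue
        if ev["api"] != SEQUENCE[chain.step]:
            continue  # unrelated call, or out of order: keep waiting
        # Early Bird queues the APC on the not-yet-running initial thread;
        # an APC on some other thread is a different (and noisier) technique.
        if ev["api"] == "QueueUserAPC" and args.get("tid") != chain.main_tid:
            continue
        chain.step += 1
        if chain.step == len(SEQUENCE):
            findings.append(Finding(key[0], key[1], chain.image, chain.started, ev["ts"]))
            del chains[key]
    return findings


# Constructed telemetry: pid 4120 injects into a suspended notepad.exe
# (pid 5204, initial thread 5208).  pid 900 is a debugger that also spawns its
# target suspended and writes breakpoints, but never queues an APC.
SAMPLE_EVENTS = [
    {"ts": 100.0, "pid": 4120, "api": "CreateProcess", "target_pid": 5204,
     "args": {"image": r"C:\Windows\System32\notepad.exe", "creation_flags": 0x4, "main_tid": 5208}},
    {"ts": 100.1, "pid": 4120, "api": "VirtualAllocEx", "target_pid": 5204, "args": {"size": 0x3000}},
    {"ts": 100.2, "pid": 4120, "api": "WriteProcessMemory", "target_pid": 5204, "args": {"size": 0x2A00}},
    {"ts": 100.3, "pid": 4120, "api": "QueueUserAPC", "target_pid": 5204, "args": {"tid": 5208}},
    {"ts": 100.4, "pid": 4120, "api": "ResumeThread", "target_pid": 5204, "args": {"tid": 5208}},
    {"ts": 200.0, "pid": 900, "api": "CreateProcess", "target_pid": 1000,
     "args": {"image": r"C:\dev\app.exe", "creation_flags": 0x4, "main_tid": 1004}},
    {"ts": 200.5, "pid": 900, "api": "WriteProcessMemory", "target_pid": 1000, "args": {"size": 1}},
    {"ts": 201.0, "pid": 900, "api": "ResumeThread", "target_pid": 1000, "args": {"tid": 1004}},
]

if __name__ == "__main__":
    for f in detect_early_bird(SAMPLE_EVENTS):
        print(f"Early Bird APC injection: pid {f.injector_pid} -> pid {f.victim_pid} "
              f"({f.victim_image}) in {f.completed - f.started:.1f}s")
```

The debugger case in the sample is the important false-positive control: suspended creation plus WriteProcessMemory plus ResumeThread is normal debugger and sandbox behaviour, so the detector only fires once a QueueUserAPC on the victim's initial thread sits between the write and the resume.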

Key Entities

  • Malware (attack_type)
  • AsyncRAT (malware)
  • Kiss Loader (malware)
  • Kryptik (malware)
  • VenomRAT (malware)
  • T1055.003 - Thread Execution Hijacking (mitre_attack)
  • T1055.012 - Process Hollowing (mitre_attack)
  • T1055 - Process Injection (mitre_attack)
  • T1059 - Command and Scripting Interpreter (mitre_attack)
  • T1071.001 - Web Protocols (mitre_attack)
  • Windows (platform)
  • Donut (tool)
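The initial access stage described in the summary, an Internet Shortcut (.url) whose target is a remote WebDAV share, can be triaged directly from the shortcut file. The Python below is an added example, not code from the original report or from any Kiss Loader sample; the parser, the `triage_internet_shortcut` classifier and both sample shortcut files (including the 198.51.100.23 TEST-NET-2 address) are constructed for illustration. It goes slightly beyond the page by also checking the IconFile= and WorkingDirectory= keys, which can point at remote paths as well.

```python
"""Triage Windows Internet Shortcut (.url) files for remote WebDAV targets.

A .url file is an INI-style text file with an [InternetShortcut] section.
When its target is a UNC path such as \\host@80\share\file or
\\host@SSL\share\file, Explorer resolves it through the WebDAV
Mini-Redirector and fetches whatever the server is hosting at that moment.
The parser, classifier and sample files here are constructed for this
example and are not taken from any reported Kiss Loader sample.
"""
import re
from dataclasses import dataclass, field

# Keys in [InternetShortcut] that may carry a remote path.
TARGET_KEYS = ("url", "workingdirectory", "iconfile")


@dataclass
class Triage:
    verdict: str  # "clean" or "suspicious"
    webdav: bool = False
    remote_hosts: list = field(default_factory=list)
    reasons: list = field(default_factory=list)


def parse_internet_shortcut(text):
    """Return {lowercased key: value} for the [InternetShortcut] section.
    Tolerates a UTF-8 BOM, CRLF endings and keys placed before any header."""
    values = {}
    in_section = True
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "internetshortcut"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    return values


def unc_from_target(value):
    """Normalise a target value to a UNC path (\\host\share\...), or return
    None for local drive paths and web URLs."""
    v = value.strip()
    if v.lower().startswith("file:"):
        rest = v[5:]
        stripped = rest.lstrip("/").replace("/", "\\")
        if stripped.startswith("\\\\"):
            return stripped  # file://\\host\share form
        if re.match(r"^[A-Za-z]:", stripped) or not rest.startswith("//"):
            return None  # file:///C:/... is local
        return "\\\\" + stripped  # file://host/share form
    return v if v.startswith("\\\\") else None


def classify_unc(unc):
    """Split a UNC path into (host, is_webdav).  The @port / @SSL suffixes and
    the DavWWWRoot pseudo-share are the Mini-Redirector's WebDAV syntax."""
    m = re.match(r"^\\\\([^\\]+)\\?(.*)$", unc)
    if not m:
        return None, False
    host_token, path = m.group(1), m.group(2)
    host, *mods = host_token.split("@")
    first_component = path.split("\\", 1)[0].lower()
    is_webdav = (any(mod.upper() == "SSL" or mod.isdigit() for mod in mods)
                 or first_component == "davwwwroot")
    return host, is_webdav


def triage_internet_shortcut(text):
    """Flag any .url whose target, icon or working directory is a remote UNC
    path, and note when that path uses WebDAV redirector syntax."""
    values = parse_internet_shortcut(text)
    result = Triage(verdict="clean")
    for key in TARGET_KEYS:
        if key not in values:
            continue
        unc = unc_from_target(values[key])
        if unc is None:
            continue
        host, is_webdav = classify_unc(unc)
        if host is None or host.lower() in ("localhost", "127.0.0.1"):
            continue
        result.verdict = "suspicious"
        if host not in result.remote_hosts:
            result.remote_hosts.append(host)
        result.reasons.append(f"{key}= points to remote host {host}")
        if is_webdav:
            result.webdav = True
            result.reasons.append(f"{key}= uses WebDAV redirector syntax: {unc}")
    return result


# Constructed samples: a lure pointing at a remote WebDAV share, and a normal
# web shortcut.
SAMPLE_MALICIOUS = ("\ufeff[InternetShortcut]\r\n"
                    r"URL=file://\\198.51.100.23@80\DavWWWRoot\docs\invoice.js" "\r\n"
                    r"IconFile=C:\Windows\System32\shell32.dll" "\r\n"
                    "IconIndex=13\r\n")
SAMPLE_BENIGN = "[InternetShortcut]\r\nURL=https://example.com/\r\n"

if __name__ == "__main__":
    for name, sample in (("lure.url", SAMPLE_MALICIOUS), ("site.url", SAMPLE_BENIGN)):
        t = triage_internet_shortcut(sample)
        print(name, t.verdict, t.remote_hosts, *t.reasons, sep="\n  ")
```

The verdict keys off the target being remote at all, not only off WebDAV syntax, because a plain \\host\share target fetched over SMB is just as much an outbound fetch of attacker-controlled content; the `webdav` flag is there so a hunt can separate the two delivery paths.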