Kiss Loader is a loader written in Python that is still being worked on. Researchers first noticed it on March 10, 2026, when they saw new files on an open WebDAV directory that didn't have any access restrictions.
The malware uses a layered execution chain to stay hidden, deliver remote access tools, and persist on infected computers. The last step in the execution chain is Early Bird APC injection into the legitimate Windows explorer process. The threat actor confirmed that they could access the system remotely, talked about how they made the malware, and said they were working on it in different ways while trying out different methods. When asked directly about the injection method, the actor said it was "early bird injection," which confirmed the technical findings in real time.
The conversation was short: the actor stopped answering and didn't get back in touch. This incident shows an important but rare rule: analysis environments must stay completely separate from each other, because the line between analyst and adversary can get very thin.
The attack starts with a Windows Internet Shortcut file called DKM_DE000922.pdf.
The loader puts the target process in a suspended state, allocates executable memory in it, and writes decrypted shellcode into that memory. It then queues an Asynchronous Procedure Call (APC) to the main thread of the suspended process. When the thread resumes, the APC runs before normal process execution starts. This lets the shellcode run in the context of a trusted system process, which makes it much harder to detect.
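The ordering described above (suspend, allocate, write, queue APC, resume) is what a detection can key on. The following is an added example, not code from the researchers or the malware: it correlates that sequence per actor/target pair over constructed telemetry. The event tuple layout, the action names and the 30-second window are assumptions, standing in for whatever normalised endpoint telemetry is available.

```python
# Added example. The event schema and action names are hypothetical, not a real EDR format.
STAGES = ("create_suspended", "remote_alloc_exec", "remote_write",
          "queue_apc", "resume_thread")

# Constructed telemetry: (ts, actor_pid, actor_image, action, target_pid, target_image)
SAMPLE_EVENTS = [
    (100, 4120, "python.exe", "create_suspended", 5300, "explorer.exe"),
    (101, 4120, "python.exe", "remote_alloc_exec", 5300, "explorer.exe"),
    (102, 4120, "python.exe", "remote_write", 5300, "explorer.exe"),
    (102, 4120, "python.exe", "remote_write", 5300, "explorer.exe"),
    (103, 4120, "python.exe", "queue_apc", 5300, "explorer.exe"),
    (104, 4120, "python.exe", "resume_thread", 5300, "explorer.exe"),
    # Suspended launch with no cross-process writes or APC: must not alert.
    (200, 880, "devtool.exe", "create_suspended", 6100, "notepad.exe"),
    (201, 880, "devtool.exe", "resume_thread", 6100, "notepad.exe"),
    # APC queued only after the thread resumed: not the Early Bird ordering.
    (300, 990, "tool.exe", "create_suspended", 7000, "svc.exe"),
    (301, 990, "tool.exe", "remote_alloc_exec", 7000, "svc.exe"),
    (302, 990, "tool.exe", "remote_write", 7000, "svc.exe"),
    (303, 990, "tool.exe", "resume_thread", 7000, "svc.exe"),
    (304, 990, "tool.exe", "queue_apc", 7000, "svc.exe"),
]

def detect_early_bird(events, window=30):
    """Alert on actor/target pairs completing every stage in order within `window` seconds."""
    progress = {}  # (actor_pid, target_pid) -> (index of next expected stage, start ts)
    alerts = []
    for ts, apid, aimg, action, tpid, timg in sorted(events):
        key = (apid, tpid)
        if action == "create_suspended":
            progress[key] = (1, ts)  # start (or restart) tracking this pair
            continue
        if key not in progress:
            continue
        idx, start = progress[key]
        if ts - start > window:
            del progress[key]  # too slow to be one injection sequence
        elif action == STAGES[idx]:
            if idx + 1 == len(STAGES):
                alerts.append({"actor": aimg, "actor_pid": apid, "target": timg,
                               "target_pid": tpid, "start": start, "end": ts})
                del progress[key]
            else:
                progress[key] = (idx + 1, start)
        elif action == "resume_thread":
            del progress[key]  # resumed before an APC was queued: chain broken
    return alerts

if __name__ == "__main__":
    for alert in detect_early_bird(SAMPLE_EVENTS):
        print(alert)
```

Repeated writes are tolerated because only the next expected stage advances the state; a resume that arrives before the APC clears it, since the APC would no longer run ahead of normal process execution.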












