Kiss Loader is a new malware loader that uses advanced code injection methods to get onto Windows systems without raising any alarms. It spreads through DKM_DE000922.url, a Windows Internet Shortcut file that looks like a PDF document.
When a victim clicks it, the system quietly connects to a remote server that is hosted through a TryCloudflare tunnel. The loader uses Early Bird APC injection to deliver its payload inside a trusted system process so that it doesn't stand out and set off security alerts. The shellcode was made with Donut, an open-source tool that turns .NET assemblies into memory-only shellcode.
This means that nothing is written to disk, which makes traditional antivirus detection much less effective.
The loader also writes detailed runtime logs of each injection step, which shows that it was still in the testing phase when it was found. People shouldn't open .url files from sources they don't trust. Security teams should configure EDR solutions to flag processes targeted by APC-based injection.
To stop open payload hosting, administrators should make sure that WebDAV directories are properly authenticated. Keeping Windows and installed software up to date makes it less likely that hackers will use built-in system features for bad purposes.
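
A triage check for the delivery vector described above, as an added example that is not from the original article or the malware analysis: it parses the contents of a .url file and reports when the shortcut opens a file from a remote host, including TryCloudflare tunnels. The `file://`/UNC target form, the extension list and both sample shortcuts are assumptions constructed for illustration.

```python
import configparser
import re
from urllib.parse import urlparse

# Extensions treated as code-launching here (assumed list, tune for your estate).
RISKY_EXT = (".exe", ".bat", ".cmd", ".js", ".vbs", ".wsf", ".wsh", ".hta", ".lnk", ".msi")

def shortcut_target(text):
    """Return the URL= value from the [InternetShortcut] section, or None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text.lstrip("\ufeff"))
    except configparser.Error:
        return None
    for section in cp.sections():
        if section.lower() == "internetshortcut":
            return cp[section].get("url")  # option names are lower-cased on read
    return None

def remote_host(target):
    """Host of a file:// or UNC target, minus WebDAV '@SSL' / '@port' suffixes."""
    if target.startswith("\\\\"):
        host = target[2:].split("\\", 1)[0]
    else:
        parsed = urlparse(target)
        if parsed.scheme.lower() != "file":
            return None
        host = parsed.netloc
    host = re.sub(r"@(ssl)?(@?\d+)?$", "", host, flags=re.I)
    return host.lower() or None

def triage(text):
    """Return a list of findings for the contents of one .url file."""
    target = shortcut_target(text)
    host = remote_host(target) if target else None
    if not host:
        return []
    findings = [f"opens a file from remote host {host}"]
    if host.endswith(".trycloudflare.com"):
        findings.append("host is a TryCloudflare tunnel")
    if target.lower().endswith(RISKY_EXT):
        findings.append("remote target is an executable or script")
    return findings

# Constructed samples, not taken from the campaign.
SUSPICIOUS = "[InternetShortcut]\r\nURL=file://constructed-name.trycloudflare.com@SSL/DavWWWRoot/docs/stage.wsf\r\n"
BENIGN = "[InternetShortcut]\nURL=https://www.example.com/docs/\n"

if __name__ == "__main__":
    for name, body in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, triage(body))
```

Ordinary web shortcuts with an `https://` target produce no findings, so the check can run over mail attachments or download folders without flagging saved bookmarks.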












