Kiss Loader is a Python-based Windows malware loader first reported in early March 2026. It has been distributed via phishing emails using Windows Internet Shortcut files disguised as PDF documents, including URL/LNK-style lures that connect to attacker-controlled WebDAV resources hosted behind TryCloudflare tunnels. The delivery chain described in the reporting includes a shortcut that launches Windows Script Host and JavaScript components, followed by batch scripts that display a decoy PDF, establish persistence via the Windows Startup folder, and download the Python loader and encrypted payloads.
The loader decrypts payloads from .bin files using keys stored in .json configuration files; one observed sample, so.py, decrypted ov.bin using an XOR key from a.json. Reporting links the encryption style to PurePythonObfuscator-like XOR protection. Kiss Loader then performs Early Bird APC injection into explorer.exe by creating the process in a suspended state, allocating memory in the target process, writing decrypted shellcode, queueing an APC to the primary thread, and resuming the process so the payload executes before normal process initialization. The shellcode was reported as Donut-generated, enabling in-memory execution of embedded .NET payloads without writing them to disk.
Observed payloads associated with Kiss Loader include VenomRAT, described as an AsyncRAT variant or AsyncRAT-like remote access tool, and a .NET Reactor-protected sample identified as Kryptik. Separate reporting on related campaigns also described KISS Loader delivering Donut-packed shellcode and being used in invoice-themed campaigns targeting German and UK businesses, with lures based on legitimate German Chamber of Commerce invoice templates. The malware has been mentioned alongside other modern loaders such as DarkGate and Bumblebee as an example of contemporary Early Bird APC tradecraft.
The infrastructure and infection chains tied to Kiss Loader include open WebDAV directories, TryCloudflare-hosted staging, script components such as oa.wsh, ccv.js, gg.bat, pol.bat, and archives such as vwo.zip. Reported hashes/IOCs mentioned in the source material include so.py SHA256 5cab6bf65f7836371d5c27fbfc20fe10c0c4a11784990ed1a3d2585fa5431ba6, ov.bin SHA256 97b7c807c35e06f2fbc4723844b4dc99188de3c0e920d7b77fffce5f3d9a88db, decrypted ov.bin SHA256 43caced9aa891ec593e4d3f09e9858c5d63ba4f23584e86b6673146e75181045, a.json SHA256 ff5a9c8bad4d0afa5fba68a08cf91dbda0619c06a143dcd0aeb5c2c5dccd0274, and vwo.zip SHA256 ab1ac7b16251a98bf0ca4a8df0c78de21b395ddd0a81aa273dd0fd40a3af7f03. G DATA also reported direct interaction with the operator on a compromised analysis system, during which the actor confirmed that Early Bird APC injection was intentionally built into Kiss Loader.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
17 distinct techniques documented for this family, organized by ATT&CK tactic.
Once executed, the shortcut launches a WSH script responsible for running a JavaScript component, which proceeds to retrieve and execute a batch script
A batch script places a persistence file into the Windows Startup folder...
Kiss Loader first launches explorer.exe in a suspended state... allocates memory inside the process and writes the decrypted shellcode into it.
Kiss Loader spreads through a Windows Internet Shortcut file disguised as a PDF document, named DKM_DE000922.pdf.url ... while a decoy PDF appears on screen to keep the victim unaware.
Kiss Loader first launches explorer.exe in a suspended state... allocates memory inside the process and writes the decrypted shellcode into it.
Attackers spawn a process suspended, queue an APC into its main thread before the AV/EDR’s user-mode hooks have loaded, then resume. The payload runs before the security product begins.
MITRE ATT&CK Mapping ... Defense Evasion Deobfuscate/Decode Files T1140 XOR decryption at runtime
18 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Modern loader cited as using Early Bird APC injection techniques.
KISS Loader is the Python loader used in this attack chain. It decrypts the XOR-protected Donut shellcode using a key from JSON, performs Early Bird APC injection, and executes the payload in explorer.exe.
A Python-based loader that decrypts payloads using XOR keys from JSON files and performs Early Bird APC injection into suspended explorer.exe processes to deploy both dcRAT and XenoRAT.
Python-based malware loader delivered via phishing emails and multi-stage shortcut/script execution, establishing persistence and ultimately decrypting and executing a final payload.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.