Kiss Loader Execution Chain Overview | Image: G DATA
While analyzing a new piece of malware dubbed “Kiss Loader”, the G DATA Security Center found itself in a real-time conversation with the threat actor through a Notepad window. This rare encounter provided an unprecedented look at the development of an emerging threat that its creator is still actively refining.
The infection chain begins with a deceptive Windows Internet Shortcut (.url) file. The shortcut points at a remote WebDAV resource exposed through a TryCloudflare tunnel, which lets the attacker swap payloads at will without standing up dedicated infrastructure.
The technical flow of the malware is highly orchestrated:
- A shortcut file disguised as a PDF document requires user interaction to begin the chain.
- The shortcut launches a Windows Script Host (WSH) script, which transitions into a JScript component.
- This stage establishes persistence in the user’s Startup folder and downloads the primary loader.
- A Python-based loader, identified as Kiss Loader, decrypts embedded shellcode generated using the open-source tool Donut.
- The G DATA team identified the ultimate payloads as VenomRAT (an AsyncRAT variant) and a .NET Reactor-protected utility.
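The shortcut stage is the one a responder is most likely to hold in hand, so the following added example (written for this page, not code from G DATA or from the loader) triages a Windows .url file the way the chain above suggests: it parses the INI-style [InternetShortcut] body, extracts the host from a WebDAV-style target (the redirector syntax host@SSL@port), and flags a document-lookalike filename, a remote file:// or UNC target, a TryCloudflare hostname and a script-type payload. The sample file, its hostname and the scoring thresholds are constructed assumptions, not indicators from the report.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample, not an artifact from the G DATA report: a .url file delivered
# under a document-looking name whose target is a WebDAV share behind a TryCloudflare
# quick tunnel. The hostname is invented.
SAMPLE_NAME = "Invoice_2026-03.pdf.url"
SAMPLE_TEXT = """[InternetShortcut]
URL=file://tidy-words-random.trycloudflare.com@SSL/DavWWWRoot/docs/Invoice_2026-03.pdf.js
IconFile=C:\\Windows\\System32\\shell32.dll
IconIndex=13
"""

TUNNEL_SUFFIXES = (".trycloudflare.com",)   # assumption: quick-tunnel host naming
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt"}
SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "hta", "cmd", "bat",
               "ps1", "lnk", "exe", "dll", "scr"}


def parse_url_file(text):
    """Parse the INI-style body of a Windows .url file into its [InternetShortcut] keys."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                       # keep key case as written (URL, IconFile, ...)
    cp.read_string(text)
    if not cp.has_section("InternetShortcut"):
        raise ValueError("no [InternetShortcut] section")
    return dict(cp.items("InternetShortcut"))


def split_target(target):
    """Return (scheme, host, path) for a URL or UNC target.

    The WebDAV redirector puts '@SSL' / '@port' after the host (host@SSL@443),
    so for file:// and UNC targets the host is everything before the first '@'.
    """
    if target.startswith("\\\\"):
        parts = target[2:].split("\\", 1)
        path = parts[1] if len(parts) > 1 else ""
        return "unc", parts[0].split("@")[0].lower(), path
    u = urlparse(target)
    if u.scheme.lower() in ("http", "https"):
        return u.scheme.lower(), (u.hostname or "").lower(), u.path
    return u.scheme.lower(), u.netloc.split("@")[0].lower(), u.path


def is_remote(target):
    scheme, host, _ = split_target(target)
    return bool(host) and scheme in ("unc", "file", "http", "https")


def triage(filename, text):
    """Score a .url file; two or more hits is treated as suspicious (threshold is an assumption)."""
    keys = parse_url_file(text)
    url = keys.get("URL", "")
    scheme, host, path = split_target(url)
    stem = filename[:-4] if filename.lower().endswith(".url") else filename
    inner_exts = [e.lower() for e in stem.split(".")[1:]]
    f = {
        "document_lookalike_name": bool(inner_exts) and inner_exts[-1] in DOC_EXTS,
        "remote_file_target": scheme in ("file", "unc") and bool(host),
        "webdav_ssl_marker": "@ssl" in url.lower(),
        "tunnel_host": host.endswith(TUNNEL_SUFFIXES),
        "script_payload": "." in path and path.rsplit(".", 1)[-1].lower() in SCRIPT_EXTS,
        "remote_icon": is_remote(keys.get("IconFile", "")),
    }
    f["verdict"] = "suspicious" if sum(f.values()) >= 2 else "benign"
    return f


if __name__ == "__main__":
    for k, v in triage(SAMPLE_NAME, SAMPLE_TEXT).items():
        print(f"{k:24} {v}")
```

The IconFile check is there because a remote icon path is fetched by Explorer when the shortcut is merely rendered, without the click the page says this chain needs; a shortcut that scores on the icon alone deserves its own look even if the URL target is harmless.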
Kiss Loader stands out for its use of the Early Bird APC injection technique. The loader creates a legitimate process such as explorer.exe in a suspended state, writes its shellcode into that process, and queues an Asynchronous Procedure Call (APC) on the primary thread before that thread has ever run.
As the analysis explains, “Upon resuming the thread, the queued APC is executed before the process begins normal execution, allowing the injected shellcode to run under the context of a trusted process.” Because the APC fires as soon as the thread starts, before the new process has finished loading its modules, the payload can run before user-mode hooking agents have installed themselves in that process, which is what makes the method attractive for evading detection.
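The ordering in that quote is also the detection signal: a remote APC queued into a process that was created suspended and has not yet been resumed. The following added example (not code from the report) runs a small stateful rule over constructed telemetry in a vendor-neutral event shape. The sensor model is an assumption: Sysmon does not report APC queueing, while the Microsoft-Windows-Threat-Intelligence ETW provider does, but only to protected (PPL) consumers, so in practice this logic would sit inside an EDR rather than a SIEM.

```python
# Constructed telemetry, not data from the G DATA report. Assumed sensor model: process
# creation with its CreateProcess flags, remote APC queueing, and thread resume events.
EVENTS = [
    # Early Bird pattern: loader spawns explorer.exe suspended, queues an APC on its
    # primary thread, then resumes it.
    {"ts": 1, "event": "ProcessCreate", "pid": 4120, "image": "python.exe",
     "target_pid": 5308, "target_image": "explorer.exe", "flags": ["CREATE_SUSPENDED"]},
    {"ts": 2, "event": "QueueApc", "pid": 4120, "target_pid": 5308, "target_tid": 5312},
    {"ts": 3, "event": "ResumeThread", "pid": 4120, "target_pid": 5308, "target_tid": 5312},
    # Benign: a debugger also starts its debuggee suspended, but queues no remote APC.
    {"ts": 4, "event": "ProcessCreate", "pid": 7000, "image": "debugger.exe",
     "target_pid": 7100, "target_image": "app.exe", "flags": ["CREATE_SUSPENDED"]},
    {"ts": 5, "event": "ResumeThread", "pid": 7000, "target_pid": 7100, "target_tid": 7104},
    # A remote APC after the target has already been resumed is ordinary APC injection,
    # not Early Bird: the process has begun normal execution. A separate rule would cover it.
    {"ts": 6, "event": "QueueApc", "pid": 4120, "target_pid": 7100, "target_tid": 7104},
]


def detect_early_bird(events):
    """Flag a remote APC queued into a process that was created suspended and has not
    yet been resumed. The alert fires at queue time, before the payload can run."""
    images = {}          # pid -> image name, learned from ProcessCreate events
    never_resumed = {}   # target_pid -> ProcessCreate event, while no thread has resumed
    alerts = []
    for ev in events:
        kind, tp = ev["event"], ev.get("target_pid")
        if kind == "ProcessCreate":
            images[ev["pid"]] = ev["image"]
            images[tp] = ev["target_image"]
            if "CREATE_SUSPENDED" in ev.get("flags", ()):
                never_resumed[tp] = ev
        elif kind == "QueueApc" and tp in never_resumed and ev["pid"] != tp:
            alerts.append({
                "rule": "early_bird_apc_injection",
                "ts": ev["ts"],
                "source_pid": ev["pid"],
                "source_image": images.get(ev["pid"], "?"),
                "target_pid": tp,
                "target_image": images.get(tp, "?"),
                "target_tid": ev["target_tid"],
            })
        elif kind == "ResumeThread" and tp in never_resumed:
            # First resume: from here on the process is executing normally.
            never_resumed.pop(tp)
    return alerts


if __name__ == "__main__":
    for a in detect_early_bird(EVENTS):
        print(a)
```

The rule deliberately keys on the first ResumeThread for the target rather than on the APC's source being the creator, so a loader that hands the suspended process to a helper still trips it, while a debugger's suspended-then-resumed child does not.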
The most remarkable aspect of the report is the direct interaction with the malware author. While the analyst was attempting to dump the decrypted payload in a controlled environment, the system began behaving erratically—analysis tools were abruptly shut down and the cursor started moving on its own.
Realizing they were being watched, the analyst opened Notepad and typed: “Hello! Are you the author of this malware?”
“After roughly an hour, a response appeared.” The ensuing chat, conducted entirely via Notepad, saw the threat actor admitting to his work and claiming to be from Malawi. The author even confirmed technical details, identifying his chosen method as “eary bird injection” (sic).
“It is rare to engage directly with a threat actor during active development, and even rarer to receive confirmation of specific techniques in real time,” the analyst remarked.
The investigation revealed that Kiss Loader is a work in progress. Evidence found in the open WebDAV directory showed files were deployed as recently as March 10, 2026. The source code even contained “lab testing utilities” and extensive inline comments, suggesting the author may have used automated code generation tools during development.
While the conversation ended abruptly when the threat actor stopped replying, the event serves as a stark reminder that behind every line of malicious code is a human adversary watching from the other side of the screen.