GachiLoader kidkadi.node adds VEH-based PE injection for in-memory payload swapping
Technical Analysis
Summary
Hide ▲
Show ▼
A new GachiLoader variant uses kidkadi.node to perform PE injection through Vectored Exception Handling, creating an in-memory swapping technique that raises detection and reverse-engineering difficulty. The loader first maps a legitimate DLL, then replaces it on-the-fly with a malicious payload, which helps it evade static scrutiny and execute covertly. That technique is a notable evolution in Windows malware tradecraft because it blends legitimate loading behavior with malicious code execution. It also gives defenders a concrete clue for hunting suspicious DLL loading and exception-driven payload replacement.
Related Happenings
Veil#Drop PureLog Stealer in-memory delivery operation
Malware Activity
H score30
First: 01.07.2026 17:30
Last: 01.07.2026 17:30
Sources 1
About this happening:
**Veil#Drop** is delivering **PureLog Stealer** through a **fileless** chain that keeps payloads **entirely in memory**, reducing disk artifacts and raising the chance of evading...
Veil#Drop PureLog Stealer in-memory delivery operation
Malware ActivityAbout this happening: **Veil#Drop** is delivering **PureLog Stealer** through a **fileless** chain that keeps payloads **entirely in memory**, reducing disk artifacts and raising the chance of evading...
SharkLoader loader activity deploying Cobalt Strike Beacon
Malware Activity
H score30
First: 26.06.2026 21:17
Last: 26.06.2026 21:17
Sources 1
About this happening:
A newly observed **SharkLoader** malware operation is staging **Cobalt Strike Beacon** on compromised Windows hosts, expanding post-compromise control and persistence risk. The lo...
SharkLoader loader activity deploying Cobalt Strike Beacon
Malware ActivityAbout this happening: A newly observed **SharkLoader** malware operation is staging **Cobalt Strike Beacon** on compromised Windows hosts, expanding post-compromise control and persistence risk. The lo...
OXLOADER loader stages CastleStealer via UAC prompting and DLL side-loading
Malware Activity
H score20
First: 22.06.2026 16:20
Last: 22.06.2026 16:20
Sources 1
About this happening:
The **OXLOADER** malware activity now shows a **loader** delivering **CastleStealer** through **PowerShell**, **UAC** prompting, and **DLL side-loading**, giving the stealer a ste...
OXLOADER loader stages CastleStealer via UAC prompting and DLL side-loading
Malware ActivityAbout this happening: The **OXLOADER** malware activity now shows a **loader** delivering **CastleStealer** through **PowerShell**, **UAC** prompting, and **DLL side-loading**, giving the stealer a ste...
REF8372 malicious Google Ads CastleStealer delivery campaign
Campaign
H score27
First: 22.06.2026 16:20
Last: 22.06.2026 16:20
Sources 1
About this happening:
The **REF8372** campaign now uses **malicious Google Ads** and a fake **Node.js** download site to deliver **OXLOADER** and **CastleStealer**, putting search users at risk of malw...
REF8372 malicious Google Ads CastleStealer delivery campaign
CampaignAbout this happening: The **REF8372** campaign now uses **malicious Google Ads** and a fake **Node.js** download site to deliver **OXLOADER** and **CastleStealer**, putting search users at risk of malw...
Potemkin loader delivering EtherRAT and RMMProject in memory
Malware Activity
H score29
First: 16.06.2026 20:41
Last: 16.06.2026 20:41
Sources 1
About this happening:
The **Potemkin** loader is delivering **EtherRAT** and **RMMProject** to **Windows** systems, giving operators in-memory payload execution and **browser credential theft**. The lo...
Potemkin loader delivering EtherRAT and RMMProject in memory
Malware ActivityAbout this happening: The **Potemkin** loader is delivering **EtherRAT** and **RMMProject** to **Windows** systems, giving operators in-memory payload execution and **browser credential theft**. The lo...
Timeline
-
19.12.2025 17:34 1 articles · 6mo ago
YouTube Ghost Network campaign reaches earliest known GachiLoader video
Campaign Scope UpdateA YouTube Ghost Network campaign using compromised YouTube accounts distributes GachiLoader through fake software-install lures, with the earliest flagged video dating back to December 22, 2024 and later activity reaching roughly 100 videos and about 220.000 views.
Show sources
- Cracked Software and YouTube Videos Spread CountLoader and GachiLoader Malware — thehackernews.com — 19.12.2025 17:34
-
19.12.2025 17:34 2 articles · 6mo ago
Check Point discloses GachiLoader and Kidkadi VEH-based PE injection
Technical Analysis UpdateCheck Point discloses GachiLoader, a heavily obfuscated JavaScript malware loader written in Node.js, and describes a variant that deploys Kidkadi and another loader named "kidkadi.node" to load a main payload by abusing Vectored Exception Handling to replace a legitimate DLL on-the-fly with malicious code; the reporting also ties GachiLoader to Rhadamanthys delivery and Defender evasion.
Show sources
- Cracked Software and YouTube Videos Spread CountLoader and GachiLoader Malware — thehackernews.com — 19.12.2025 17:34
- Cracked Software and YouTube Videos Spread CountLoader and GachiLoader Malware — thehackernews.com — 19.12.2025 17:34