GachiLoader kidkadi.node adds VEH-based PE injection for in-memory payload swapping
Technical Analysis
Summary
A new GachiLoader variant uses kidkadi.node to perform PE injection through Vectored Exception Handling (VEH), an in-memory swapping technique that makes detection and reverse engineering harder. The loader first maps a legitimate DLL, then replaces it on the fly with a malicious payload, so the module that static scanners and module listings see is benign while the code that runs is not. The technique is a notable evolution in Windows malware tradecraft because it blends legitimate loading behavior with malicious code execution. It also gives defenders a concrete hunting lead: suspicious DLL loading followed by exception-driven replacement of that module's contents.
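The on-the-fly replacement described above leaves a measurable trace: the executable section of the "legitimate" module mapped in the process no longer matches the same section in the file on disk. The following is an added example, not code from the page or from Check Point's analysis, showing the core of that check: a minimal PE section-table parser and a comparison of executable sections between an on-disk image and a mapped-memory snapshot. Both images are constructed byte strings (hypothetical, a single `.text` section, no optional header); on a real host the disk image would be the DLL file and the memory snapshot would come from `ReadProcessMemory` against the module base.

```python
import hashlib
import struct

# Section characteristic flags from winnt.h
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000


def parse_sections(image):
    """Walk the section table of a PE image (file layout or mapped layout; the
    headers are identical in both) and return one dict per section header."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", image, coff + 2)[0]      # NumberOfSections
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]      # SizeOfOptionalHeader
    first = coff + 20 + opt_size                                  # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(nsections):
        off = first + i * 40
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", image, off)
        chars = struct.unpack_from("<I", image, off + 36)[0]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": rawsize, "raw_ptr": rawptr, "characteristics": chars,
        })
    return sections


def find_stomped_sections(disk_image, memory_image):
    """Return the names of executable sections whose mapped bytes differ from the
    file. disk_image is the module as read from disk (PointerToRawData layout);
    memory_image is a snapshot of the same module as mapped (VirtualAddress layout)."""
    stomped = []
    for s in parse_sections(disk_image):
        if not s["characteristics"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
            continue
        size = min(s["raw_size"], s["virtual_size"])
        on_disk = disk_image[s["raw_ptr"]:s["raw_ptr"] + size]
        in_mem = memory_image[s["virtual_address"]:s["virtual_address"] + size]
        # A production checker masks relocation targets and import thunks first, since
        # the Windows loader legitimately patches those; this constructed sample has neither.
        if hashlib.sha256(on_disk).digest() != hashlib.sha256(in_mem).digest():
            stomped.append(s["name"])
    return stomped


def build_image(text_bytes, in_memory):
    """Constructed sample: a minimal one-section PE with the given .text contents,
    laid out either as a file (section at PointerToRawData) or as mapped in memory
    (section at VirtualAddress). Not a real binary."""
    e_lfanew = 0x40
    coff_off = e_lfanew + 4
    sect_off = coff_off + 20          # SizeOfOptionalHeader is 0 in this sample
    raw_ptr, vaddr = 0x200, 0x1000
    data_off = vaddr if in_memory else raw_ptr
    img = bytearray(data_off + len(text_bytes))
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # Machine=AMD64, NumberOfSections=1, SizeOfOptionalHeader=0, Characteristics=EXECUTABLE|DLL|LAA
    struct.pack_into("<HHIIIHH", img, coff_off, 0x8664, 1, 0, 0, 0, 0, 0x2022)
    struct.pack_into("<8sIIIIIIHHI", img, sect_off, b".text", len(text_bytes), vaddr,
                     len(text_bytes), raw_ptr, 0, 0, 0, 0,
                     IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    img[data_off:data_off + len(text_bytes)] = text_bytes
    return bytes(img)


LEGIT_TEXT = b"\x48\x89\x5c\x24\x08" * 40   # constructed stand-in for the benign module's code
PAYLOAD_TEXT = b"\xcc" * 200                # constructed stand-in for swapped-in code


def demo():
    """Compare a clean mapping and a stomped mapping against the same on-disk image."""
    disk = build_image(LEGIT_TEXT, in_memory=False)
    clean_mem = build_image(LEGIT_TEXT, in_memory=True)
    stomped_mem = build_image(PAYLOAD_TEXT, in_memory=True)
    return find_stomped_sections(disk, clean_mem), find_stomped_sections(disk, stomped_mem)


if __name__ == "__main__":
    clean, stomped = demo()
    print("clean mapping, modified executable sections:", clean)      # []
    print("stomped mapping, modified executable sections:", stomped)  # ['.text']
```

The headers are deliberately left identical in the stomped image, which is the point: a module list, an image-path check or a signature check on the file all still look clean, and only the byte-level comparison of the executable section exposes the swap. The relocation caveat in the comment matters in practice; without masking relocated addresses, every module loaded away from its preferred base will produce false positives.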
Related Happenings
A0Backdoor malware deployed through signed MSI sideloading and DNS MX C2
Malware Activity
First: 10.03.2026 00:50
Last: 10.03.2026 00:50
Sources 1
About this happening:
The **A0Backdoor** malware was deployed on **Windows endpoints** through **digitally signed MSI installers** and **DLL sideloading**, giving the operators a stealthier path to exe...
VOID#GEIST phishing-delivered multi-stage RAT campaign
Campaign
First: 06.03.2026 16:33
Last: 06.03.2026 16:33
Sources 1
About this happening:
The **VOID#GEIST** campaign is pushing **phishing-delivered** batch scripts through **TryCloudflare** to deliver encrypted **RAT** payloads, creating a fileless intrusion path tha...
OAuth-phished ZIP/LNK/PowerShell malware delivery chain
Malware Activity
First: 03.03.2026 11:20
Last: 03.03.2026 11:20
Sources 1
About this happening:
**ZIP-delivered malware** now uses a **PowerShell** and **DLL side-loading** chain to infect Windows devices and reach an external **C2 server**, increasing the risk of follow-on...
LummaStealer infection surge via CastleLoader
Malware Activity
First: 11.02.2026 19:02
Last: 11.02.2026 19:02
Sources 1
About this happening:
The **LummaStealer** infostealer operation now includes a **widespread ClickFix campaign** observed in **February 2026** that abuses **Windows Terminal (wt.exe)** instead of the R...
Latest development: 06.03.2026 08:44
Microsoft disclosed a widespread ClickFix social-engineering campaign that uses Windows Terminal (wt.exe) instead of the Windows Run dialog to trick users into launching malicious commands, then chains through Terminal, PowerShell, cmd.exe, and MSBuild.exe to download payloads, set persistence via scheduled tasks, configure Microsoft Defender exclusions, and inject Lumma Stealer into chrome.exe and msedge.exe with QueueUserAPC().
DEAD#VAX campaign using IPFS-hosted VHD phishing to deploy AsyncRAT
Campaign
First: 04.02.2026 19:24
Last: 04.02.2026 19:24
Sources 1
About this happening:
The **DEAD#VAX** campaign is using **phishing-delivered IPFS-hosted VHD files** to deploy **AsyncRAT**, creating a stealthier path to **fileless endpoint compromise**. The chain r...
Timeline
- 19.12.2025 17:34 · 1 article · 5mo ago
  YouTube Ghost Network campaign reaches earliest known GachiLoader video
  Campaign Scope Update: A YouTube Ghost Network campaign using compromised YouTube accounts distributes GachiLoader through fake software-install lures, with the earliest flagged video dating back to December 22, 2024 and later activity reaching roughly 100 videos and about 220,000 views.
  Source: Cracked Software and YouTube Videos Spread CountLoader and GachiLoader Malware — thehackernews.com — 19.12.2025 17:34
- 19.12.2025 17:34 · 2 articles · 5mo ago
  Check Point discloses GachiLoader and Kidkadi VEH-based PE injection
  Technical Analysis Update: Check Point discloses GachiLoader, a heavily obfuscated JavaScript malware loader written in Node.js, and describes a variant that deploys Kidkadi and another loader named "kidkadi.node" to load a main payload by abusing Vectored Exception Handling to replace a legitimate DLL on the fly with malicious code; the reporting also ties GachiLoader to Rhadamanthys delivery and Defender evasion.
  Source: Cracked Software and YouTube Videos Spread CountLoader and GachiLoader Malware — thehackernews.com — 19.12.2025 17:34