Find notable cyber news and cases, enriched with sources, timelines, and signals.

GachiLoader kidkadi.node adds VEH-based PE injection for in-memory payload swapping

Technical Analysis
First reported
Last updated
Happening score
H score 6
1 unique sources, 1 articles

Summary

Hide ▲

A new GachiLoader variant uses kidkadi.node to perform PE injection through Vectored Exception Handling, creating an in-memory swapping technique that raises detection and reverse-engineering difficulty. The loader first maps a legitimate DLL, then replaces it on-the-fly with a malicious payload, which helps it evade static scrutiny and execute covertly. That technique is a notable evolution in Windows malware tradecraft because it blends legitimate loading behavior with malicious code execution. It also gives defenders a concrete clue for hunting suspicious DLL loading and exception-driven payload replacement.

Related Happenings

Veil#Drop PureLog Stealer in-memory delivery operation

Malware Activity
H score30 First: 01.07.2026 17:30 Last: 01.07.2026 17:30 Sources 1

About this happening: **Veil#Drop** is delivering **PureLog Stealer** through a **fileless** chain that keeps payloads **entirely in memory**, reducing disk artifacts and raising the chance of evading...

SharkLoader loader activity deploying Cobalt Strike Beacon

Malware Activity
H score30 First: 26.06.2026 21:17 Last: 26.06.2026 21:17 Sources 1

About this happening: A newly observed **SharkLoader** malware operation is staging **Cobalt Strike Beacon** on compromised Windows hosts, expanding post-compromise control and persistence risk. The lo...

OXLOADER loader stages CastleStealer via UAC prompting and DLL side-loading

Malware Activity
H score20 First: 22.06.2026 16:20 Last: 22.06.2026 16:20 Sources 1

About this happening: The **OXLOADER** malware activity now shows a **loader** delivering **CastleStealer** through **PowerShell**, **UAC** prompting, and **DLL side-loading**, giving the stealer a ste...

REF8372 malicious Google Ads CastleStealer delivery campaign

Campaign
H score27 First: 22.06.2026 16:20 Last: 22.06.2026 16:20 Sources 1

About this happening: The **REF8372** campaign now uses **malicious Google Ads** and a fake **Node.js** download site to deliver **OXLOADER** and **CastleStealer**, putting search users at risk of malw...

Potemkin loader delivering EtherRAT and RMMProject in memory

Malware Activity
H score29 First: 16.06.2026 20:41 Last: 16.06.2026 20:41 Sources 1

About this happening: The **Potemkin** loader is delivering **EtherRAT** and **RMMProject** to **Windows** systems, giving operators in-memory payload execution and **browser credential theft**. The lo...

Timeline

  1. 19.12.2025 17:34 1 articles · 6mo ago

    YouTube Ghost Network campaign reaches earliest known GachiLoader video

    Campaign Scope Update

    A YouTube Ghost Network campaign using compromised YouTube accounts distributes GachiLoader through fake software-install lures, with the earliest flagged video dating back to December 22, 2024 and later activity reaching roughly 100 videos and about 220.000 views.

    Show sources
  2. 19.12.2025 17:34 2 articles · 6mo ago

    Check Point discloses GachiLoader and Kidkadi VEH-based PE injection

    Technical Analysis Update

    Check Point discloses GachiLoader, a heavily obfuscated JavaScript malware loader written in Node.js, and describes a variant that deploys Kidkadi and another loader named "kidkadi.node" to load a main payload by abusing Vectored Exception Handling to replace a legitimate DLL on-the-fly with malicious code; the reporting also ties GachiLoader to Rhadamanthys delivery and Defender evasion.

    Show sources