GachiLoader Malware
Security researchers have uncovered a newly identified JavaScript-based malware loader known as GachiLoader, developed using Node.js and protected by heavy obfuscation. This malware is actively propagated through the so-called YouTube Ghost Network, a collection of hijacked YouTube accounts repurposed to distribute malicious content to unsuspecting users.
Abuse of YouTube for Malware Distribution
The campaign leverages compromised creator accounts to upload weaponized videos that redirect viewers to malware-laced downloads. Roughly 100 videos tied to this operation have been identified, collectively drawing around 220,000 views. These uploads originated from 39 breached accounts, with the earliest activity traced back to December 22, 2024. While Google has since removed most of the content, the reach achieved before takedown underscores the effectiveness of the distribution method.
Advanced Payload Delivery via Kidkadi
One observed variant of GachiLoader deploys a secondary malware component named Kidkadi, which introduces an unconventional Portable Executable (PE) injection approach. Instead of directly loading a malicious binary, the technique initially loads a legitimate DLL and then exploits Vectored Exception Handling (VEH) to dynamically replace it with a malicious payload during runtime. This on-the-fly substitution allows the malware to blend in with legitimate processes.
Multi-Payload Capability and Stealth Operations
Beyond Kidkadi, GachiLoader has also been documented delivering the Rhadamanthys information stealer, demonstrating its flexibility as a malware delivery platform. Like other modern loaders, it is designed to fetch and deploy additional payloads while simultaneously performing extensive anti-analysis and evasion checks to hinder detection and forensic investigation.
Privilege Escalation Through Social Engineering
The loader checks whether it is executing with administrative privileges by running the net session command. If this test fails, it attempts to relaunch itself with elevated rights, prompting a User Account Control (UAC) dialog. Because the malware is commonly embedded in fake installers posing as popular software, similar to techniques previously seen with CountLoader, victims are likely to approve the request, unknowingly granting elevated access.
Neutralizing Microsoft Defender
In its final execution stage, GachiLoader actively attempts to weaken built-in security defenses. It targets and terminates SecHealthUI.exe, a process linked to Microsoft Defender, and then configures exclusion rules to prevent scanning of specific directories such as user folders, ProgramData, and Windows system paths. This ensures that any staged or downloaded payloads remain undetected.
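The two behaviours described above, the `net session` admin probe launched from a script host and the subsequent weakening of Microsoft Defender, are both visible in ordinary Windows telemetry. The following detector is an added example written for this page, not code from the original report or from any vendor; it runs over a handful of constructed records that approximate flattened Sysmon process-create/terminate events and Microsoft Defender "configuration changed" events (Event ID 5007, which writes new exclusion entries as registry values under `Exclusions\Paths`). The field names (`kind`, `image`, `parent_image`, `cmdline`, `message`) and the exact message layout are assumptions; map them to whatever your collector actually emits.

```python
"""Detect GachiLoader-style admin probing and Defender weakening in telemetry.

Added example, not from the original article. Field names and event layout
are assumptions that approximate flattened Sysmon and Defender event records.
"""
import re
from typing import Dict, Iterable, List

# Script hosts that have no legitimate reason to probe for admin rights
# with 'net session'. node.exe is included because the loader is Node.js based.
SCRIPT_HOSTS = {"node.exe", "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}

# Excluding these roots from scanning blinds Defender to most user-writable and
# system locations; the report names user folders, ProgramData and Windows paths.
BROAD_EXCLUSION_PREFIXES = (r"c:\users", r"c:\programdata", r"c:\windows")

# Defender Event ID 5007 reports a new path exclusion as a registry value like
#   HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users = 0x0
EXCLUSION_RE = re.compile(r"Exclusions\\Paths\\(?P<path>[^=]+?)\s*=", re.IGNORECASE)

# Constructed sample telemetry (not real captures), in chronological order.
SAMPLE_EVENTS: List[Dict] = [
    # Benign: an administrator typing 'net session' in a console started from Explorer.
    {"kind": "process_create", "pid": 2210, "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net session", "parent_image": r"C:\Windows\explorer.exe"},
    # Suspicious: the same probe spawned by a Node.js runtime living in a temp folder.
    {"kind": "process_create", "pid": 4120, "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net session",
     "parent_image": r"C:\Users\victim\AppData\Local\Temp\setup\node.exe"},
    # The Windows Security UI process exits shortly afterwards.
    {"kind": "process_terminate", "pid": 1988,
     "image": r"C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe"},
    # Defender configuration changes: two broad exclusions and one narrow, plausible one.
    {"kind": "defender_config", "message":
     r"Microsoft Defender Antivirus Configuration has changed. New value: "
     r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users = 0x0"},
    {"kind": "defender_config", "message":
     r"Microsoft Defender Antivirus Configuration has changed. New value: "
     r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Docker = 0x0"},
    {"kind": "defender_config", "message":
     r"Microsoft Defender Antivirus Configuration has changed. New value: "
     r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData = 0x0"},
]


def basename(image: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return image.rsplit("\\", 1)[-1].lower()


def analyse(events: Iterable[Dict]) -> List[str]:
    """Walk events in order and return one finding string per suspicious record.

    The SecHealthUI.exe termination is only a weak signal on its own, so its
    severity is raised when a script-host admin probe was already seen.
    """
    findings: List[str] = []
    probe_seen = False
    for ev in events:
        kind = ev.get("kind")
        if kind == "process_create":
            image = basename(ev.get("image", ""))
            parent = basename(ev.get("parent_image", ""))
            argv = ev.get("cmdline", "").lower().split()
            if image == "net.exe" and "session" in argv and parent in SCRIPT_HOSTS:
                probe_seen = True
                findings.append(
                    f"admin-check [high]: 'net session' spawned by {parent} (pid {ev['pid']})")
        elif kind == "process_terminate":
            if basename(ev.get("image", "")) == "sechealthui.exe":
                sev = "high" if probe_seen else "low"
                findings.append(
                    f"defender-ui-terminated [{sev}]: SecHealthUI.exe exited (pid {ev['pid']})")
        elif kind == "defender_config":
            match = EXCLUSION_RE.search(ev.get("message", ""))
            if match:
                path = match.group("path").strip().lower()
                if path.startswith(BROAD_EXCLUSION_PREFIXES):
                    findings.append(f"defender-exclusion [high]: broad path excluded: {path}")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EVENTS):
        print(finding)
```

Run on the sample set, the detector reports the script-host probe, the SecHealthUI.exe exit (raised to high because the probe preceded it), and the two root-level exclusions, while leaving the console-typed `net session` and the narrow Docker exclusion alone. In production the exclusion check belongs on the Defender Operational log (Event ID 5007) and the process rules on Sysmon Event IDs 1 and 5 or the equivalent EDR stream; narrowing `SCRIPT_HOSTS` and the exclusion prefixes to your environment is the main tuning knob.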
Final Payload Execution Path
Once defenses are suppressed, GachiLoader either retrieves the final malware directly from a remote server or invokes an auxiliary loader called kidkadi.node. This component again abuses Vectored Exception Handling to load the primary malicious payload, maintaining consistency with the loader’s stealth-focused design.
Implications for Defenders and Researchers
The actor behind GachiLoader demonstrates a deep understanding of Windows internals and has successfully evolved a known injection technique into a more evasive variant. This development reinforces the importance for defenders and malware analysts to continuously track advancements in PE injection methods and loader-based architectures, as threat actors persistently refine their tactics to bypass modern security controls.