Dark Web Informer - Cyber Threat Intelligence

Alleged Sale of KyloRen Malware Loader for Stealthy C2 Operations


A threat actor using the alias “$$$” has announced the upcoming release of KyloRen, a new C2/Loader designed for stealthy and long-term access within compromised environments. The malware is being advertised on an open web forum and is aimed at users seeking persistent, evasive access for post-exploitation operations.


🧾 Key Details

Field          Information
Threat Actor   $$$
Malware Name   KyloRen
Category       Malware
Severity       Low
Network        Open Web
Target         Unknown (general-purpose post-exploitation)
Claim URL      For Paid Subscribers

💡 Overview

The malware, referred to as KyloRen, is marketed as a stealthy command-and-control loader built for professionals needing covert, long-term persistence in target environments. According to the post, KyloRen includes advanced evasion features to bypass modern EDRs, minimal file footprint, and flexible deployment mechanisms.


🔧 Core Features

  • BOF (Beacon Object File) execution with full Beacon API compatibility
  • RunPE (PE injection in memory)
  • Screenshot capture, file browser, LSASS dumping
  • Shell command execution
  • Sleep obfuscation, automatic persistence, working hours scheduling
  • Download/upload support, kill date
  • .NET assembly execution in memory
  • Built-in BOF modules (with user module support)
  • Jitter & sleep variance for beaconing behavior
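The jitter and sleep-variance bullets above describe check-in timing a defender can still pick out of proxy or firewall logs: a person browsing produces wildly uneven gaps between requests, while an implant sleeping 60 seconds plus or minus a few percent produces gaps whose spread is small relative to their mean. The following Python is an added example and not part of the listing or of the KyloRen tool; the log lines, the address pairs and the thresholds (six events, coefficient of variation at most 0.25) are constructed assumptions.

```python
"""Beaconing heuristic over constructed proxy log lines.

Flags (source, destination) pairs whose request intervals are too regular
to be human browsing, even when the implant adds sleep jitter.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines in the form "ISO-timestamp src dst" (not real traffic).
# 10.0.0.5 -> 203.0.113.7 checks in roughly every 60 s with about +/-10% jitter;
# 10.0.0.9 -> 198.51.100.20 is irregular, like a person browsing.
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.0.0.5 203.0.113.7
2024-05-01T09:00:05 10.0.0.9 198.51.100.20
2024-05-01T09:00:10 10.0.0.9 198.51.100.20
2024-05-01T09:01:03 10.0.0.5 203.0.113.7
2024-05-01T09:01:59 10.0.0.5 203.0.113.7
2024-05-01T09:03:02 10.0.0.5 203.0.113.7
2024-05-01T09:03:58 10.0.0.5 203.0.113.7
2024-05-01T09:05:01 10.0.0.5 203.0.113.7
2024-05-01T09:05:50 10.0.0.9 198.51.100.20
2024-05-01T09:05:57 10.0.0.5 203.0.113.7
2024-05-01T09:06:02 10.0.0.9 198.51.100.20
2024-05-01T09:07:02 10.0.0.5 203.0.113.7
2024-05-01T09:07:58 10.0.0.5 203.0.113.7
2024-05-01T09:15:00 10.0.0.5 198.51.100.20
2024-05-01T09:21:02 10.0.0.9 198.51.100.20
2024-05-01T09:21:04 10.0.0.9 198.51.100.20
2024-05-01T09:22:04 10.0.0.9 198.51.100.20
"""


def parse_log(text):
    """Group request timestamps by (src, dst); malformed lines are skipped."""
    groups = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, src, dst = parts
        try:
            groups[(src, dst)].append(datetime.fromisoformat(ts))
        except ValueError:
            continue
    return groups


def interval_stats(times):
    """Return (event count, mean gap in seconds, coefficient of variation of the gaps)."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return len(times), 0.0, float("inf")   # too few events to judge regularity
    m = mean(gaps)
    if m <= 0:
        return len(times), m, float("inf")
    return len(times), m, pstdev(gaps) / m


def find_beacons(text, min_events=6, max_cv=0.25):
    """Return [(src, dst, mean_gap, cv)] for pairs with many, very regular requests.

    A coefficient of variation well under 1 survives modest jitter (the sample
    beacon pair sits near 0.06 with +/-10% jitter) while human browsing in the
    sample lands above 1.
    """
    hits = []
    for (src, dst), times in parse_log(text).items():
        n, m, cv = interval_stats(times)
        if n >= min_events and cv <= max_cv:
            hits.append((src, dst, round(m, 2), round(cv, 3)))
    return sorted(hits)


if __name__ == "__main__":
    for src, dst, m, cv in find_beacons(SAMPLE_LOG):
        print(f"possible beacon {src} -> {dst}: mean gap {m}s, CV {cv}")
```

The coefficient of variation (standard deviation divided by mean) is what makes the check jitter-tolerant: widening the sleep window from 10% to 30% roughly triples the CV but still leaves it far below what ordinary browsing produces. A working-hours schedule breaks the series into per-day bursts; running the statistic per day rather than over the whole log keeps the overnight gap from inflating the spread.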

🕵️ Advanced Evasion Techniques

  • PEB walking for API resolution (no IAT dependency)
  • String hashing & dynamic API resolution at runtime
  • Custom heap management & zero CRT dependencies
  • Indirect API calls using function pointers
  • Stack-based string allocation
  • Chunking support for large responses
  • Designed to bypass modern EDRs
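The PEB-walking and string-hashing bullets mean the binary can resolve the Windows APIs it needs at runtime instead of declaring them in its import address table, so a static import list tells an analyst very little. One cheap triage check that still works is to read the import data directory from the PE optional header and flag files that have none: almost every legitimate user-mode executable imports at least a few functions. The Python below is an added example, not the page's or the tool's code; the header-only sample files it builds and the 64 KB size cut-off are constructed for the demonstration.

```python
"""Triage heuristic: flag PE files that declare no import table.

A normal Windows binary imports at least a few functions through its IAT.
An executable with an empty import directory resolves its APIs some other
way at runtime (packing, or walking the PEB and hashing export names), so
it deserves a closer look. This only reads the headers; it never maps or
runs the file.
"""
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def import_directory(data):
    """Return (rva, size) of the import directory, or None if `data` is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt = e_lfanew + 24                      # 4-byte signature + 20-byte COFF header
    size_of_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directories start at offset 96 (PE32) or 112 (PE32+) of the optional
    # header; NumberOfRvaAndSizes is the 4 bytes immediately before them.
    dir_base = {PE32_MAGIC: 96, PE32PLUS_MAGIC: 112}.get(magic)
    if dir_base is None:
        return None
    n_dirs = struct.unpack_from("<I", data, opt + dir_base - 4)[0]
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_IMPORT:
        return (0, 0)                        # directory slot not even present
    entry = opt + dir_base + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT
    if entry + 8 > opt + size_of_opt or entry + 8 > len(data):
        return None                          # truncated or inconsistent header
    return struct.unpack_from("<II", data, entry)


def triage(data, small_limit=64 * 1024):
    """Classify a file as 'not-pe', 'has-imports', 'no-imports' or 'no-imports-small'.

    small_limit is a constructed cut-off: a tiny import-free binary is the
    profile the listing advertises (~50 KB, no IAT), so it gets its own label.
    """
    entry = import_directory(data)
    if entry is None:
        return "not-pe"
    rva, size = entry
    if rva and size:
        return "has-imports"
    return "no-imports-small" if len(data) < small_limit else "no-imports"


def build_header_only_pe(import_rva=0, import_size=0, pad_to=0):
    """Constructed PE32+ headers with no sections (not executable), for testing only."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                         # e_lfanew
    # Machine x64, 0 sections, no symbols, 240-byte optional header, EXECUTABLE|LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)                             # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT,
                     import_rva, import_size)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    return image + b"\0" * max(0, pad_to - len(image))


if __name__ == "__main__":
    for label, sample in (("importless", build_header_only_pe()),
                          ("normal", build_header_only_pe(0x3000, 0x50))):
        print(f"{label}: {triage(sample)}")
```

On real files the label is a prompt for a second look, not a verdict: packers and some build tools also produce import-free images, and an importless file that additionally contains no recognisable API names in its strings matches the hashed-name resolution described above more closely.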

🛠️ Technical Design

  • Estimated ~50KB binary footprint
  • In-memory BOF execution without spawning new processes

🚧 Planned Add-ons

The actor lists several features marked as “opsec-unsafe” (likely due to detection risk):

  • Password stealer
  • Clipper
  • Keylogger
  • Script interpreter support
  • Kernel interaction
  • Community-requested modules (via PM)

💬 Threat Actor Notes

The actor emphasizes KyloRen’s modern modular architecture and defense evasion, promoting it for users who want to “avoid executing commands that might raise detection.” The tool is planned to be publicly available with first-month free trials for verified affiliates.

🧠 Pricing is still to be announced.

📸 Screenshots

High-res and unredacted versions (when available) are for subscribers.

