Powered by DarkWebInformer.com
A threat actor using the alias “$$$” has announced the upcoming release of KyloRen, a new C2/Loader designed for stealthy and long-term access within compromised environments. The malware is being advertised on an open web forum and is aimed at users seeking persistent, evasive access for post-exploitation operations.
🧾 Key Details
| Field | Information |
|---|---|
| Threat Actor | $$$ |
| Malware Name | KyloRen |
| Category | Malware |
| Severity | Low |
| Network | Open Web |
| Target | Unknown (general-purpose post-exploitation) |
| Claim URL | For Paid Subscribers |
💡 Overview
The malware, referred to as KyloRen, is marketed as a stealthy command-and-control loader built for professionals needing covert, long-term persistence in target environments. According to the post, KyloRen includes advanced evasion features to bypass modern EDRs, minimal file footprint, and flexible deployment mechanisms.
🔧 Core Features
- BOF (Beacon Object File) execution with full Beacon API compatibility
- RunPE (PE injection in memory)
- Screenshot capture, file browser, LSASS dumping
- Shell command execution
- Sleep obfuscation, automatic persistence, working hours scheduling
- Download/upload support, kill date
- .NET assembly execution in memory
- Built-in BOF modules (with user module support)
- Jitter & sleep variance for beaconing behavior
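The sleep, jitter, working-hours and kill-date items above describe a check-in schedule, and the defender's counterpart is measuring how regular a host's outbound connections are. The following is an added example written for this page, not code from the KyloRen post or from DarkWebInformer. It assumes (the page does not say) that the beacon sleeps a fixed interval with uniform plus/minus jitter, and that a working-hours schedule shows up as long overnight gaps. All timestamps are constructed, not captured traffic.

```python
"""Beacon interval analysis: how regular are a host's outbound check-ins?

Added example, not code from the KyloRen post or the DarkWebInformer page.
Assumptions (not from the page): sleep with uniform +/- jitter, Unix epoch
seconds, and overnight gaps when a working-hours schedule is active.
"""
import random
import statistics


def generate_beacon_times(sleep: float, jitter: float, count: int,
                          seed: int = 1, start: float = 1_700_000_000.0) -> list[float]:
    """Constructed check-in timestamps for a sleep-with-jitter loop.

    jitter=0.2 means each sleep is drawn uniformly from [0.8*sleep, 1.2*sleep].
    """
    rng = random.Random(seed)
    times = [start]
    for _ in range(count - 1):
        times.append(times[-1] + sleep * rng.uniform(1 - jitter, 1 + jitter))
    return times


def times_from_intervals(start: float, intervals: list[float]) -> list[float]:
    """Turn a list of gaps into absolute timestamps (used for the non-beacon sample)."""
    times = [start]
    for gap in intervals:
        times.append(times[-1] + gap)
    return times


def analyze_intervals(times: list[float], cv_threshold: float = 0.3) -> dict:
    """Interval statistics plus a verdict.

    The coefficient of variation (stdev / mean) of inter-arrival times stays
    low for a jittered sleep loop (20% uniform jitter gives roughly 0.12) and
    is high for interactive traffic. The 0.3 cut-off is an assumed tuning value.
    """
    if len(times) < 3:
        raise ValueError("need at least three check-ins")
    intervals = [b - a for a, b in zip(times, times[1:])]
    mean = statistics.fmean(intervals)
    cv = statistics.pstdev(intervals) / mean if mean else float("inf")
    return {
        "count": len(intervals),
        "median_interval": statistics.median(intervals),
        "cv": cv,
        "beaconing": cv < cv_threshold,
    }


def split_on_gaps(times: list[float], gap_factor: float = 5.0) -> list[list[float]]:
    """Split the series wherever an interval exceeds gap_factor * median interval.

    A working-hours schedule produces overnight gaps; left in the series they
    inflate the variance and hide the beaconing, so each active stretch is
    scored separately.
    """
    intervals = [b - a for a, b in zip(times, times[1:])]
    median = statistics.median(intervals)
    segments, current = [], [times[0]]
    for prev, cur in zip(times, times[1:]):
        if cur - prev > gap_factor * median:
            segments.append(current)
            current = [cur]
        else:
            current.append(cur)
    segments.append(current)
    return segments


# Constructed: one "user" whose outbound gaps are irregular (seconds).
IRREGULAR_INTERVALS = [4, 310, 9, 1200, 2, 75, 640, 1, 25, 2000]


def demo() -> dict:
    """Two working days of a 60s/20%-jitter beacon versus irregular traffic."""
    day1 = generate_beacon_times(60, 0.2, 100, seed=1)
    day2 = generate_beacon_times(60, 0.2, 100, seed=2, start=day1[-1] + 16 * 3600)
    whole = day1 + day2
    return {
        "whole_series": analyze_intervals(whole),
        "per_segment": [analyze_intervals(s) for s in split_on_gaps(whole)],
        "irregular": analyze_intervals(times_from_intervals(0.0, IRREGULAR_INTERVALS)),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

Run as-is it prints the three verdicts: the unsplit two-day series is not flagged (the single 16-hour gap dominates the variance), each working-hours segment is flagged, and the irregular series is not. The point for detection engineering is that jitter of the size loaders typically advertise does not by itself push the coefficient of variation past a sensible threshold; long scheduled gaps do, which is why they must be split out first.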
🕵️ Advanced Evasion Techniques
- PEB walking for API resolution (no IAT dependency)
- String hashing & dynamic API resolution at runtime
- Custom heap management & zero CRT dependencies
- Indirect API calls using function pointers
- Stack-based string allocation
- Chunking support for large responses
- Designed to bypass modern EDRs
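A loader that resolves APIs by walking the PEB and comparing hashed export names leaves no import table for a static scanner to read; what the analyst sees instead is a set of 32-bit constants in the binary. The following is an added example written for this page, not code from the KyloRen post or from DarkWebInformer, showing how those constants are mapped back to API names. KyloRen's hash algorithm is not disclosed; the three implemented here (Metasploit-style ROR13, djb2, FNV-1a) are common choices and are assumptions. The export-name list is constructed from well-known kernel32/ntdll names; in practice it is dumped from the DLLs on the target build.

```python
"""Resolving hashed API names from a loader that avoids an import table.

Added example, not code from the KyloRen post or the DarkWebInformer page.
The hash routines are assumptions (common loader choices), not KyloRen's
known algorithm. EXPORTS is a constructed list, not a real DLL dump.
"""

MASK32 = 0xFFFFFFFF


def ror13(name: str) -> int:
    """ROR-13 over the ASCII bytes, rotating before each add and including the
    terminating NUL, as the classic Metasploit block_api routine hashes
    function names."""
    h = 0
    for b in name.encode("ascii") + b"\x00":
        h = ((h >> 13) | (h << 19)) & MASK32
        h = (h + b) & MASK32
    return h


def djb2(name: str) -> int:
    """Bernstein djb2: h = h * 33 + byte, starting from 5381."""
    h = 5381
    for b in name.encode("ascii"):
        h = ((h << 5) + h + b) & MASK32
    return h


def fnv1a32(name: str) -> int:
    """32-bit FNV-1a: xor the byte, then multiply by the FNV prime."""
    h = 0x811C9DC5
    for b in name.encode("ascii"):
        h = ((h ^ b) * 0x01000193) & MASK32
    return h


HASHERS = {"ror13": ror13, "djb2": djb2, "fnv1a32": fnv1a32}

# Constructed export list: the names a PEB-walking loader typically wants.
EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateThread", "WriteProcessMemory", "CreateRemoteThread", "Sleep",
    "NtAllocateVirtualMemory", "NtProtectVirtualMemory",
    "NtWriteVirtualMemory", "NtCreateThreadEx",
]


def build_table(names: list[str]) -> dict[tuple[str, int], str]:
    """Precompute (algorithm, hash) -> export name for every candidate algorithm."""
    return {(alg, fn(n)): n for alg, fn in HASHERS.items() for n in names}


def resolve(table: dict[tuple[str, int], str], value: int) -> list[tuple[str, str]]:
    """Every (algorithm, name) pair whose hash equals value; empty if unknown."""
    return sorted((alg, name) for (alg, h), name in table.items() if h == value)


def resolve_all(table: dict[tuple[str, int], str], values: list[int]) -> dict[int, list[tuple[str, str]]]:
    """Map each constant pulled from a sample to its candidate resolutions."""
    return {v: resolve(table, v) for v in values}


if __name__ == "__main__":
    table = build_table(EXPORTS)
    # Constructed "constants found in a sample": two real hashes and one decoy.
    sample_constants = [ror13("VirtualAlloc"), ror13("NtProtectVirtualMemory"), 0xDEADBEEF]
    for value, hits in resolve_all(table, sample_constants).items():
        print(f"{value:#010x} -> {hits or 'unresolved'}")
```

The usual workflow is to pull every 32-bit immediate from the sample, run it through a table like this built from the real export lists, and read off which algorithm produces consistent hits; an unresolved constant is either a decoy, a different algorithm, or a name missing from the table. String hashing also means the API names never appear in the binary, so YARA rules keyed on strings such as `VirtualAlloc` will miss the loader; the hash constants themselves are the signature instead.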
🛠️ Technical Design
- Estimated ~50KB binary footprint
- In-memory BOF execution without spawning new processes
🚧 Planned Add-ons
The actor lists several features marked as “opsec-unsafe” (likely due to detection risk):
- Password stealer
- Clipper
- Keylogger
- Script interpreter support
- Kernel interaction
- Community-requested modules (via PM)
💬 Threat Actor Notes
The actor emphasizes KyloRen’s modern modular architecture and defense evasion, promoting it for users who want to “avoid executing commands that might raise detection.” The tool is planned to be publicly available with first-month free trials for verified affiliates.
🧠 Pricing is still to be announced.