RST TI Report Digest: 22 Dec 2025
ID: 0860cb56-983e-5172-abfd-cdfc2833e37f
STIX ID: report--0860cb56-983e-5172-abfd-cdfc2833e37f
Feed Name: RST Cloud Blog
**GachiLoader** is a Node.js-based malware loader used in a campaign that leverages compromised YouTube accounts. It employs heavy obfuscation and anti-analysis measures and comes in two main variants: one profiles the host system and fetches a secondary payload from its C2, while the other embeds the Kidkadi payload and executes it directly. Kidkadi uses a novel PE-injection technique that modifies legitimate DLLs so that malicious code runs stealthily. Check Point Research developed an open-source Node.js tracer to bypass the anti-analysis layer and document the loader's behaviour; the report includes numerous IoCs (IP addresses, domains, URLs, and many SHA-256 hashes).
