VectoredOverloading in Rust

TLDR:

This PoC was derived from research on the YouTube Ghost Network, a malware distribution network that uses compromised accounts to promote malicious videos and spread malware such as infostealers.

This campaign was documented and reverse-engineered by Check Point Research, who found that one variant of GachiLoader deploys a second-stage malware, Kidkadi, that implements a novel technique for Portable Executable (PE) injection. This technique loads a legitimate DLL and abuses Vectored Exception Handling to replace it on-the-fly with a malicious payload.

This is a PoC implementing that Kidkadi technique, aka VectoredOverloading, in Rust.

It works by intercepting the load of a legitimate DLL using Hardware Breakpoints (HWBP) and Vectored Exception Handling (VEH) to swap the DLL's section object on-the-fly.

Essentially, the technique does the following:

POC

  • Creates a SEC_IMAGE mapping from a legitimate DLL (e.g. wmp.dll)
  • Maps a payload PE over this image memory
  • Sets the payload's entrypoint to 0 and forces the DLL flag in its FileHeader->Characteristics field
  • Sets a HWBP on NtOpenSection and loads any legitimate DLL
  • When the Windows loader calls NtOpenSection, the VEH emulates the syscall by skipping it and replacing the OUT parameters, so that the returned section object is now that of the payload. The VEH also sets a new HWBP on NtMapViewOfSection
  • The loader tries to map the section into memory and triggers the VEH on NtMapViewOfSection
  • The VEH replaces the OUT parameters of the syscall and skips its execution, emulating a mapping of the malicious PE's view
  • Loading proceeds and the Windows loader now takes care of resolving imports and further processing of the malicious PE image
  • The entrypoint is invoked, executing the payload
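Because the loader ends up recording the legitimate DLL's path while the mapped image is the payload, one detection check that follows from the steps above is to compare a loaded module's in-memory PE headers against the file on disk it claims to be. The script below is an added defender-side example, not part of this PoC: it parses the identity fields of both headers (TimeDateStamp, section count and names, SizeOfImage) and reports mismatches, plus the two weaker artifacts the PoC itself introduces (AddressOfEntryPoint zeroed, DLL flag forced). Reading headers out of a live process needs OS-specific APIs and is not shown; the two header blobs are constructed here so the example runs offline.

```python
import struct

IMAGE_FILE_DLL = 0x2000          # IMAGE_FILE_HEADER.Characteristics flag
PE_SIGNATURE = b"PE\0\0"


def parse_pe_header(buf: bytes) -> dict:
    """Extract the identity fields of a PE image from its headers.

    Works on both the on-disk file and the first page of a mapped module,
    since in both cases the headers sit at offset 0.
    """
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature missing")
    fh = e_lfanew + 4                                    # IMAGE_FILE_HEADER (20 bytes)
    (_machine, num_sections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", buf, fh)
    opt = fh + 20                                        # IMAGE_OPTIONAL_HEADER
    entry_point = struct.unpack_from("<I", buf, opt + 16)[0]    # AddressOfEntryPoint
    size_of_image = struct.unpack_from("<I", buf, opt + 56)[0]  # SizeOfImage (same offset in PE32/PE32+)
    sec = opt + opt_size                                 # IMAGE_SECTION_HEADER array, 40 bytes each
    sections = []
    for i in range(num_sections):
        name = struct.unpack_from("<8s", buf, sec + i * 40)[0]
        sections.append(name.rstrip(b"\0").decode("ascii", "replace"))
    return {
        "timestamp": timestamp,
        "num_sections": num_sections,
        "characteristics": characteristics,
        "entry_point": entry_point,
        "size_of_image": size_of_image,
        "sections": sections,
    }


def compare_module(disk: bytes, memory: bytes) -> list:
    """Return discrepancies between a module's on-disk file and its in-memory image."""
    d, m = parse_pe_header(disk), parse_pe_header(memory)
    findings = []
    for field in ("timestamp", "num_sections", "size_of_image", "sections"):
        if d[field] != m[field]:
            findings.append(f"{field} mismatch: disk={d[field]!r} memory={m[field]!r}")
    # Weaker signals taken from the header edits described above: the payload
    # gets AddressOfEntryPoint = 0 and the DLL flag forced on.
    if m["entry_point"] == 0 and d["entry_point"] != 0:
        findings.append("entry point zeroed in memory")
    if m["characteristics"] & IMAGE_FILE_DLL and not d["characteristics"] & IMAGE_FILE_DLL:
        findings.append("DLL flag set in memory but not on disk")
    return findings


def build_pe(timestamp, entry, characteristics, size_of_image, section_names):
    """Build a minimal header-only PE32+ image (constructed test data, not a real module)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew
    opt = bytearray(240)                                 # PE32+ optional header size
    struct.pack_into("<H", opt, 0, 0x20B)                # Magic = PE32+
    struct.pack_into("<I", opt, 16, entry)
    struct.pack_into("<I", opt, 56, size_of_image)
    fh = struct.pack("<HHIIIHH", 0x8664, len(section_names), timestamp, 0, 0,
                     len(opt), characteristics)
    secs = b"".join(n.encode().ljust(8, b"\0")[:8] + b"\0" * 32 for n in section_names)
    return bytes(dos) + PE_SIGNATURE + fh + bytes(opt) + secs


# Constructed sample: the legitimate DLL as it looks on disk ...
LEGIT_DISK = build_pe(0x5E8A1C00, 0x1000, 0x2022, 0x40000,
                      [".text", ".rdata", ".data", ".rsrc"])
# ... and what the loader ends up with in memory after the section swap:
# a smaller payload image with its entry point zeroed and the DLL flag set.
SWAPPED_MEMORY = build_pe(0x6630F000, 0x0, 0x2022, 0x8000, [".text", ".rdata"])


if __name__ == "__main__":
    for line in compare_module(LEGIT_DISK, SWAPPED_MEMORY):
        print(line)
```

In a real sweep the disk side comes from the path each loaded module reports and the memory side from the first page of its mapped base; any mismatch in the identity fields means the module at that path is not what is mapped there, regardless of how the swap was performed.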

Credits & Reference: