{
	"id": "ce24750d-5d9d-4b9b-aa11-ec51282aad29",
	"created_at": "2026-04-06T00:12:02.801438Z",
	"updated_at": "2026-04-10T13:11:20.673297Z",
	"deleted_at": null,
	"sha1_hash": "0047206d28bab4fab3dcd95d8943b04b1db29cf3",
	"title": "GuLoader: New VB6 Downloader Abuses Cloud Services | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 964383,
	"plain_text": "GuLoader: New VB6 Downloader Abuses Cloud Services |\r\nProofpoint US\r\nBy March 05, 2020 Proofpoint Threat Research Team\r\nPublished: 2020-03-05 · Archived: 2026-04-05 12:43:52 UTC\r\nProofpoint researchers have observed a new downloader in the wild that we and other researchers are calling\r\n“GuLoader.” Our researchers first observed GuLoader in late December 2019 being used to deliver Parallax RAT,\r\nwhich itself had recently been released. While we regularly observe new loaders, GuLoader has gained popularity\r\nquickly and is in active use by multiple threat actors. GuLoader is a downloader, written partly in VB6, which\r\ntypically stores its encrypted payloads on Google Drive or Microsoft OneDrive (underscoring that threat actors\r\ncontinue to adopt the cloud just like legitimate businesses are).\r\nGuLoader is a portable executable (PE) file that is often observed embedded in a container file such as an .iso or\r\n.rar file. We have also observed it being downloaded directly from various cloud hosting platforms. GuLoader is\r\nused predominantly to download remote access Trojans (RATs) and information stealers such as Agent\r\nTesla/Origin Logger, FormBook, NanoCore RAT, Netwire RAT, Remcos RAT, Ave Maria/Warzone RAT and\r\nParallax RAT.\r\nAnalysis\r\nThe GuLoader executable is a Visual Basic 6 wrapper which decrypts (XORing with a DWORD, 4-byte key)\r\nsome shellcode containing the main functionality.\r\nThe loader uses sophisticated injection techniques to make analysis difficult. For example, it\r\n1. spawns a child process copy of itself (in suspended state)\r\n2. maps the image of a system DLL (typically \"msvbvm60.dll\" or \"mstsc.exe\") over the child at 0x400000\r\n(instead of a normal high load address)\r\n3. injects the unpacking code into the child\r\n4. modifies a register within the context of the suspended child thread to redirect execution into the injected\r\ncode\r\nhttps://www.proofpoint.com/us/threat-insight/post/guloader-popular-new-vb6-downloader-abuses-cloud-services\r\nPage 1 of 4\n\n5. resumes the child\r\n6. the child overwrites the system DLL image at 0x400000 with the unpacked code\r\nThe downloaded files consist of 64 hex digits followed by a PE executable encoded with XOR, where the XOR\r\nkey is stored in the shellcode.\r\nPayload Encoding\r\nThe payload URI paths (other than Google Drive or OneDrive ones) and downloaded filename frequently have the\r\nform \"\u003csomething\u003e_encrypted_XXXXXX.bin\" where \"XXXXXXX\" are hexadecimal digits.\r\nThe downloaded payloads consist of\r\n* 64 lower-case hex digits\r\n* the XORed PE binary\r\nhttps://www.proofpoint.com/us/threat-insight/post/guloader-popular-new-vb6-downloader-abuses-cloud-services\r\nPage 2 of 4\n\nThe XOR key was fixed at 96 bytes in early versions of the loader\r\nLater versions have longer keys, typically 512-768 bytes long, usually consisting of a 256-byte key repeated to\r\ngive the required length. The key is stored completely in the decoded shellcode.\r\nIOCs\r\nParallax Sample - 2019-12-23\r\nSHA256: e8f8cc178425c55c03c76d0a2a11918371bba8f2d6f400752ca1cea5e663da2e\r\nURLs: hxxps://drive.google[.]com/uc?export=download\u0026id=1dtlMCyozUPBepc-AtEdirGENZBpWesAi\r\nC2: 185.140.53[.]134:7776\r\nRemcos Sample - 2020-02-20\r\nSHA256: 26f7bfe041a3d8a2b620d0ed2af4e2ef54b004202ec479362939b9154b1c8758\r\nURLS: hxxps://drive.google[.]com/uc?export=download\u0026id=1N8gVOM5p8Ubm1HwolChxHidT7YoN29EE\r\nC2: droptop1[.]com:2500\r\nC2: droptop2[.]com:2500\r\nC2: droptop3[.]com:2500\r\nC2: droptop4[.]com:2500\r\nC2: droptop5[.]com:2500\r\nC2: droptop6[.]com:2500\r\nC2: droptop7[.]com:2500\r\nC2: droptop8[.]com:2500\r\nhttps://www.proofpoint.com/us/threat-insight/post/guloader-popular-new-vb6-downloader-abuses-cloud-services\r\nPage 3 of 4\n\nC2: droptop9[.]com:2500\r\nC2: droptop10[.]com:2500\r\nSubscribe to the Proofpoint Blog\r\nSource: https://www.proofpoint.com/us/threat-insight/post/guloader-popular-new-vb6-downloader-abuses-cloud-services\r\nhttps://www.proofpoint.com/us/threat-insight/post/guloader-popular-new-vb6-downloader-abuses-cloud-services\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/guloader-popular-new-vb6-downloader-abuses-cloud-services"
	],
	"report_names": [
		"guloader-popular-new-vb6-downloader-abuses-cloud-services"
	],
	"threat_actors": [],
	"ts_created_at": 1775434322,
	"ts_updated_at": 1775826680,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0047206d28bab4fab3dcd95d8943b04b1db29cf3.pdf",
		"text": "https://archive.orkl.eu/0047206d28bab4fab3dcd95d8943b04b1db29cf3.txt",
		"img": "https://archive.orkl.eu/0047206d28bab4fab3dcd95d8943b04b1db29cf3.jpg"
	}
}