{
	"id": "4ceb3016-3129-47e4-939c-f8fc35accf1a",
	"created_at": "2026-04-06T00:11:26.741785Z",
	"updated_at": "2026-04-10T13:12:44.83936Z",
	"deleted_at": null,
	"sha1_hash": "016f7b628b776c718f1b2e29b28c12835215a588",
	"title": "GuLoader returns with a rotten shipment",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 231721,
	"plain_text": "GuLoader returns with a rotten shipment\r\nBy Christopher Boyd\r\nPublished: 2023-04-24 · Archived: 2026-04-05 20:03:18 UTC\r\n\r\nGuLoader, a perennial favourite of email-based malware campaigns since 2019, has been seen in the wild once again. GuLoader is a downloader with a chequered history, dating back to somewhere around 2011 in various forms. Two years ago it was one of our most seen malspam attachments.\r\n\r\nMost popular attachments by tags in Malwarebytes email telemetry\r\n\r\nWe also saw it during the pandemic, masquerading as a health e-book sent from the World Health Organisation.\r\n\r\nGuLoader is typically used to load in the payload for the campaign in question. It often arrives in a ZIP file, and once opened and the file inside is executed the malicious activity begins. It may attempt to download data stealers, trojans, generic forms of malware…whatever is required. On top of this, GuLoader is designed to evade network detection and sneak past sandbox technology. For example, it may recognise being loaded up inside a virtual testing machine and refuse to load.\r\n\r\nIn this case, we have a bogus shipping notification written in Italian.\r\n\r\nhttps://www.malwarebytes.com/blog/news/2023/04/guloader-returns-with-a-rotten-shipment\r\nPage 1 of 4\r\n\r\nThis is somewhat humorous given GuLoader’s Italian origins. The mail, titled “Shipment Notification”, reads as follows:\r\n\r\nDear Customer,\r\nWe are pleased to inform you that the shipment to you by Mastrotto Express has begun. For shipping details, please see the attached file. For convenience, we summarise the details of the shipment:\r\nShipping number:\r\nDelivery note number:\r\nNumber of packages:\r\nWeight:\r\nVolume:\r\nWe inform you that the email was automatically generated by a server, please do not reply, thanks for your cooperation.\r\n\r\nIn this example, GuLoader is not hidden inside a Zip file. Instead, the attachment is an .ISO file. An .ISO is designed to be a copy of a DVD, a CD, and other related forms of media. If you ever spent some time backing up your CD collection to a computer, you probably have a lot of these in a folder somewhere.\r\n\r\nThe file (or image, as they’re also sometimes called) would then be mounted as a virtual drive to gain access to the content. You could also just use a program like WinZip to open the files. However you do it, in this case the only thing waiting inside is GuLoader taking the form of a fake .JPG file. Note the .EXE (executable) extension in the below screenshot. Pretending that an executable is an image by giving it a double extension is an incredibly old trick. On the other hand, it works!\r\n\r\nHow to avoid fake parcel scams\r\n\r\nCheck your orders. The email isn’t going anywhere, and neither is your order. You have plenty of time to see if you recognise parcel details, and also the delivery network.\r\n\r\nAvoid attachments. So-called invoices or shipping details enclosed in a ZIP file should be treated with suspicion.\r\n\r\nWatch out for a sense of urgency. Be wary of anything applying pressure to make you perform a task. A missing payment and only 24 hours to make it? A time-sensitive refund? Mysterious shipping charges? All are designed to hurry you into making a decision.\r\n\r\nIf in doubt, make contact with the company directly via official channels.\r\n\r\nThanks to Jerome for sending over.\r\n\r\nAbout the author\r\nFormer Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.\r\n\r\nSource: https://www.malwarebytes.com/blog/news/2023/04/guloader-returns-with-a-rotten-shipment",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.malwarebytes.com/blog/news/2023/04/guloader-returns-with-a-rotten-shipment"
	],
	"report_names": [
		"guloader-returns-with-a-rotten-shipment"
	],
	"threat_actors": [],
	"ts_created_at": 1775434286,
	"ts_updated_at": 1775826764,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/016f7b628b776c718f1b2e29b28c12835215a588.pdf",
		"text": "https://archive.orkl.eu/016f7b628b776c718f1b2e29b28c12835215a588.txt",
		"img": "https://archive.orkl.eu/016f7b628b776c718f1b2e29b28c12835215a588.jpg"
	}
}