{
	"id": "046058b9-e039-444d-a695-c435d872a03a",
	"created_at": "2026-04-06T00:06:52.869393Z",
	"updated_at": "2026-04-10T03:20:36.801489Z",
	"deleted_at": null,
	"sha1_hash": "1046fe94073508d061f9ae3fa4f922e1d4b87e8e",
	"title": "GuLoader: Malspam Campaign Installing NetWire RAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1657232,
	"plain_text": "GuLoader: Malspam Campaign Installing NetWire RAT\r\nBy Brad Duncan\r\nPublished: 2020-04-03 · Archived: 2026-04-05 17:50:04 UTC\r\nExecutive Summary\r\nNetWire is a publicly-available RAT that has been used by criminal organizations and other malicious groups\r\nsince 2012. NetWire is distributed through various campaigns, and we usually see it sent through malicious spam\r\n(malspam). GuLoader is a file downloader that was first discovered in December 2019, and it has been used to\r\ndistribute a wide variety of remote administration tool (RAT) malware.\r\nThis blog reviews a recent distribution chain in March 2020 using Microsoft Word documents to distribute\r\nNetWire through GuLoader. We review the infection chain of events, examine the associated network traffic, and\r\ncover post-infection artifacts from an infected Windows host. This material is primarily helpful to Security\r\nOperations Center (SOC) personnel like front-line analysts and people who perform forensic investigations.\r\nThis blog covers the following areas:\r\nChain of events\r\nEmail lures\r\nMalicious Word documents\r\nThe initial binary\r\nInfection traffic\r\nForensics on an infected Windows host\r\nChain of Events\r\nThis chain of events kicks off with an email. The email contains a web link for a Microsoft Word document. The\r\nWord document has macro code that retrieves a Windows executable for GuLoader. The executable retrieves an\r\nencrypted data file used for NetWire. Then we see command and control (C2) traffic for NetWire RAT activity.\r\nSee Figure 1 for a flow chart of this infection chain.\r\nhttps://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/\r\nPage 1 of 11\n\nFigure 1. Chain of events for this NetWire RAT infection.\r\nEmail Lures\r\nMalspam distributing NetWire typically uses attachments or links for the malware. Figure 2 shows one such\r\nexample from August 2019 with both an attachment and a link for the same Word document to kick off a NetWire\r\nRAT infection.\r\nhttps://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/\r\nPage 2 of 11\n\nFigure 2. Malspam from August 2019 with both a link and an attachment for a Word document to\r\nkick off a NetWire RAT infection.\r\nGuLoader is now widely used for RAT distribution in 2020 and we continue to see the same type of email lures\r\nfor malspam pushing NetWIre RAT.\r\nMalicious Word Documents\r\nFor an infection chain from March 2020, we clicked on an email link discovered through AutoFocus to retrieve a\r\nmalicious Word document as shown in Figure 3.\r\nhttps://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/\r\nPage 3 of 11\n\nFigure 3. Downloading a malicious Word document from the link in the malspam\r\nOur research led us to two links that generated similar infection chains:\r\nhxxp://www.artizaa[.]com/Andys_18US_Tax.doc\r\nhxxp://murthydigitals[.]com/PM_2019_Screen_18_Tax_File.doc\r\nBoth links returned Word documents for the same type of NetWire RAT activity. Each document used a different\r\ntemplate. Compare Figure 4 with Figure 5 to see the difference in each document.\r\nFigure 4. Document from one of the links to start NetWire RAT infection\r\nhttps://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/\r\nPage 4 of 11\n\nFigure 5. Document from another one of the links to start a NetWire RAT infection\r\nThe Initial Binary\r\nEnabling macros for each of these Word documents generated an infection on a vulnerable Windows host. Each\r\nvulnerable host retrieved an initial binary for GuLoader and ran it from the infected users’ AppData\\Local\\Temp\r\ndirectory. Figure 7 and Figure 8 show examples from each Word document.\r\nhttps://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/\r\nPage 5 of 11\n\nFigure 7. Binary for GuLoader after enabling macros on Andys_18US_Tax.doc\r\nhttps://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/\r\nPage 6 of 11\n\nFigure 8. Binary for GuLoader after enabling macros on PM_2019_Screen_18_Tax_File.doc\r\nInfection Traffic\r\nPcaps of the infection traffic revealed the following:\r\nHTTP request that returned a malicious Word document\r\nHTTP request that returned a malicious Windows executable file (GuLoader)\r\nHTTP request that returned an encoded binary\r\nTCP traffic for NetWire RAT\r\nSee Figure 9 and Figure 10 for images of the traffic filtered in Wireshark.\r\nFigure 9. NetWire RAT infection traffic associated with PM_2019_Screen_18_Tax_File.doc and\r\nGuLoader filtered in Wireshark\r\nhttps://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/\r\nPage 7 of 11\n\nFigure 10. NetWire RAT infection traffic associated with Andys_18US_Tax.doc and GuLoader\r\nfiltered in Wireshark\r\nThis March 2020 infection traffic follows the same concept for GuLoader to RAT activity discussed in a previous\r\nanalysis of GuLoader.\r\nForensics on an Infected Windows Host\r\nA copy of the initial EXE for GuLoader is made persistent, then the original is deleted from the infected user’s\r\nAppData\\Local\\Temp directory where it was originally saved. The GuLoader EXE is persistent through the\r\nWindows Registry under the following key:\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\r\nTwo examples of this Registry update are shown in Figure 11 and Figure 12.\r\nFigure 11. First example of GuLoader persistent through the Windows Registry.\r\nFigure 12. Second example of GuLoader persistent through the Windows Registry\r\nBecause this is ultimately a NetWire RAT infection, we can also find a registry update at\r\nHKCU\\Software\\NetWire like the example shown in Figure 13.\r\nhttps://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/\r\nPage 8 of 11\n\nFigure 13. Windows Registry update for NetWire\r\nWe can also find artifacts associated with a NetWire infection as shown in Figure 14 and Figure 15.\r\nFigure 14. First example of file indicating data exfiltrated by NetWire RAT on 2020-03-25\r\nFigure 15. Second example of file indicating data exfiltrated by NetWire RAT on March 25, 2020\r\nConclusion\r\nThese types of infections are not very effective against Windows 10 hosts using default security settings. Versions\r\nof Microsoft Office since 2013 have Protected View enabled by default that prevents users from enabling macros\r\nin Word documents downloaded from the Internet. Furthermore, Real-time protection and Tamper protection\r\nsettings in Windows Defender were remarkably effective in preventing these infections within a Windows 10 test\r\nhttps://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/\r\nPage 9 of 11\n\nenvironment. Finally, within 24 hours of discovery, URLs serving the malware associated with these infections\r\nhad been taken off-line.\r\nHowever, criminal distribution of RATs and other types of commodity malware are often a cat-and-mouse game\r\nagainst security vendors. After one wave of malware is distributed, the binaries are updated, and another wave is\r\nquickly released into the wild. These efforts rely on wide-scale distribution from the criminals and poor security\r\npractices among potential victims. Only a small percentage infection attempts need to be successful for these\r\nefforts to be cost-effective.\r\nPalo Alto Networks customers are further protected through our threat prevention platform which is designed to\r\ndetect and block such threats, and AutoFocus shows these binaries as malicious. As long as this type of malware\r\ndistribution remains cost-effective, criminals will continue to pursue such methods of attack.\r\nIndicators of Compromise\r\nInfection traffic - first run on 2020-03-25\r\n116.202.210[.]82 port 80 - murthydigitals[.]com - GET /PM_2019_Screen_18_Tax_File.doc\r\n213.219.212[.]206 port 80 - ptgteft[.]com - GET /Exten/TY1920/TY30.exe\r\n213.219.212[.]206 port 80 - matpincscr[.]com - GET /tec_encrypted_340BD0.bin\r\n185.163.47[.]213 port 2121 - www.Novmintservices[.]com - NetWire RAT post-infection TCP\r\ntraffic\r\nInfection traffic - second run on 2020-03-25\r\n104.27.138[.]31 port 80 - www.artizaa[.]com - GET /Andys_18US_Tax.doc\r\n213.219.212[.]206 port 80 - saidialxo[.]com - GET /lp.exe\r\n185.196.8[.]122 port 80 - www.rossogato[.]com - GET /ROSSO_encrypted_54E9BA0.bin\r\n185.163.47[.]168 port 2020 - www.myamystills[.]com - NetWire RAT post-infection TCP traffic\r\nMalware - first run\r\ncc554633c0b734778211a6289e1d6d383d734a3e1a8edeb13d6d0fafc8a2f162\r\nSize: 117,204 bytes\r\nLocation: hxxp://murthydigitals[.]com/PM_2019_Screen_18_Tax_File.doc\r\nDescription: Word doc with malicious macro\r\n4d373131b0d3254d72f1a06ea168267376b8cc8f805daa53963db5f051631967\r\nSize: 65,536 bytes\r\nLocation: hxxp://ptgteft[.]com/Exten/TY1920/TY30.exe\r\nDescription: GuLoader retrieved after enabling macros\r\naadc6031fed895de570214afb8b6cdc66f17d01f1df0407f4d57f1d04313ae2b\r\nSize: 130,624 bytes\r\nhttps://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/\r\nPage 10 of 11\n\nLocation: hxxp://matpincscr[.]com/tec_encrypted_340BD0.bin\r\nDescription: Encrypted binary retrieved by GuLoader for NetWire RAT\r\nMalware - second run\r\nc87e798118a539a136baa0bb9d2539a6e074b0ee640cf0a4ed1ef17936f69ebf\r\nSize: 150,534 bytes\r\nLocation: hxxp://www.artizaa[.]com/Andys_18US_Tax.doc\r\nDescription: Word doc with malicious macro\r\ne895c525a99922beedf02ca7742c49f320448522185bec8f7d2a49d6cee9f24\r\nSize: 69,632 bytes\r\nLocation: hxxp://saidialxo[.]com/lp.exe\r\nDescription: GuLoader retrieved after enabling macros\r\n661d9c0c23e9c17412eee8d72cc1bb66c1b4e5f73908c8cce48f89420f38b205\r\nSize: 130,624 bytes\r\nLocation: hxxp://www.rossogato[.]com/ROSSO_encrypted_54E9BA0.bin\r\nDescription: Encrypted binary retrieved by GuLoader for NetWire RAT\r\nSource: https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/\r\nhttps://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/\r\nPage 11 of 11",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/"
	],
	"report_names": [
		"guloader-installing-netwire-rat"
	],
	"threat_actors": [],
	"ts_created_at": 1775434012,
	"ts_updated_at": 1775791236,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1046fe94073508d061f9ae3fa4f922e1d4b87e8e.pdf",
		"text": "https://archive.orkl.eu/1046fe94073508d061f9ae3fa4f922e1d4b87e8e.txt",
		"img": "https://archive.orkl.eu/1046fe94073508d061f9ae3fa4f922e1d4b87e8e.jpg"
	}
}