{
	"id": "1385560d-cab6-48fa-9b74-f5f5a6f7c4a0",
	"created_at": "2026-05-05T02:45:42.660281Z",
	"updated_at": "2026-05-05T02:46:36.820209Z",
	"deleted_at": null,
	"sha1_hash": "70586932f24d03b600458575509e5f4952896a73",
	"title": "GuLoader? No, CloudEyE.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 80186,
	"plain_text": "GuLoader? No, CloudEyE.\r\nBy alexeybu\r\nPublished: 2020-06-08 · Archived: 2026-05-05 02:26:42 UTC\r\nItalian company exposed on Clearnet earned up to $ 500,000 helping cybercriminals to deliver malware using cloud drives.\r\nRecently, we wrote about the network dropper known as GuLoader, which has been very actively distributed in 2020 and is used to deliver malware with the help of cloud services such as Google Drive. The delivery of malware through cloud drives is one of the fastest growing trends of 2020.\r\nWe see hundreds of attacks involving GuLoader every day; up to 25% of all packed samples are GuLoaders. The dropper delivers a huge number of malware types, including different malicious campaigns apparently related to many different threat actors.\r\nFigure 1 – Percentage of GuLoader samples and malware distributed by GuLoader.\r\nThe dropper is constantly updated: we see new versions with sandbox evasion techniques, code randomization features, C\u0026C URL encryption, and additional payload encryption. As a result, we can reasonably assume that behind GuLoader there is a major new service aiming to replace traditional packers and crypters.\r\nWe did indeed manage to find this service, which is created and maintained by an Italian company that pretends to be completely legitimate and aboveboard, and even has a website in Clearnet that uses the .eu domain zone. But first things first.\r\nDarkEyE\r\nWhile monitoring GuLoader, we repeatedly encountered samples that were detected as GuLoader, but they did not contain URLs for downloading the payload. During manual analysis of such samples, we found that the payload is embedded in the sample itself. Those samples appear to be related to DarkEyE Protector:\r\nFigure 2 – DarkEyE sample.\r\nThe DarkEyE samples have a lot in common with the GuLoader samples. 
They are both written in Visual Basic, contain shellcode encrypted with a 4-byte XOR key, and have the same payload decryption procedure:\r\nFigure 3 – Comparison of GuLoader and DarkEyE samples.\r\nhttps://research.checkpoint.com/2020/guloader-cloudeye/\r\nPage 1 of 10\n\nWe searched for “DarkEyE Protector” on the web and easily found a very old thread from 2014 in which it was advertised by a user known as “xor”:\r\nFigure 4 – DarkEyE advertisement on a hacker forum.\r\nWe also found some earlier ads for DarkEyE on the same website, these posted by the user “sonykuccio.” The ads describe DarkEyE as a crypter that can be used with different malware such as stealers, keyloggers, and RATs (remote access Trojans), and makes them fully undetectable by antiviruses (FUD). This left us with no doubt that this software was developed to protect malware from discovery by anti-viruses, as the authors didn’t forget to emphasize that they “don’t take any responsibility for the use” of DarkEyE:\r\nFigure 5 – DarkEyE advertisement on a hacker forum.\r\nThe user “sonykuccio” also posted contact emails for anyone interested in buying DarkEyE (remember this for later):\r\nFigure 6 – Contact emails mentioned in DarkEyE ads.\r\nFinally, we found the website securitycode.eu, whose URL is mentioned in one of the ads above.\r\nDarkEyE evolved into CloudEyE\r\nIndeed, the website securitycode.eu is connected to DarkEyE. However, currently this website focuses on another product – CloudEyE:\r\nFigure 7 – securitycode.eu website.\r\nThe company selling CloudEyE pretends to be legitimate. 
As stated on their website, CloudEyE is security software intended for “Protecting windows applications from cracking, tampering, debugging, disassembling, dumping.”\r\nBut let’s look at the rest of the securitycode.eu website. It contains several YouTube video tutorials on how to use CloudEyE, and, as it turned out, how to abuse Google Drive and OneDrive:\r\n“Protecting an application using google drive.” (https://youtu.be/TOdfOBmeAx8)\r\n“Protecting using an already exsisting project, with a saved profile.” (https://youtu.be/8siii5x0Q3k)\r\n“Protecting file using VPS/Cloud or any dedicated server.” (https://youtu.be/4JLEXGevpfg)\r\n“Protecting file using backup domains.” (https://youtu.be/4JJWL4-OCDM)\r\n“CloudEyE avoiding debugging of application.” (https://youtu.be/v1CS_Q7LZpg)\r\n“Protecting ’putty’ application using OneDrive.” (https://youtu.be/Y2ZNLVC6yfk)\r\n“CloudEyE memory protection in action!” (https://youtu.be/76IVgS88WTg)\r\nFigure 8 – YouTube videos published on the securitycode.eu website.\r\nWatching one of the videos on this website (https://youtu.be/TOdfOBmeAx8?t=74), we noticed the same URL patterns as we have seen earlier in GuLoader:\r\nFigure 9 – The same URL pattern in the CloudEyE YouTube video and GuLoader samples.\r\nThis is a placeholder for a URL that is used in some GuLoader samples for downloading joined files (decoy images in our previous research). 
Way too much coincidence for us to find it here!\r\nWe decided to obtain CloudEyE to see for ourselves if it is related to GuLoader.\r\nCloudEyE\r\nTo test CloudEyE Protector, we decided to encrypt the calc.exe application:\r\nFigure 10 – CloudEyE builder: choosing a file to protect.\r\nThe XOR encryption key (password) is generated automatically and can’t be entered manually.\r\nAfter clicking “Next”, we got the encrypted file. Then we placed it on a local HTTP server and put the URL in the next window:\r\nFigure 11 – CloudEyE builder: choosing a URL where the protected file will be downloaded from.\r\nAfter clicking “Next”, we see the window with the known URL template http://myurl/myfile.bin:\r\nFigure 12 – CloudEyE builder: protection options.\r\nWe assumed that most customers don’t use additional options, so we decided to leave everything else at the default values.\r\nCloudEyE also allows you to set up autorun, select an icon, change the file size and choose the extension:\r\nFigure 13 – CloudEyE builder: additional options.\r\nFinally, we got the build.\r\nAt the next step, we submitted the build to our sandbox and, unsurprisingly, we got the expected verdict:\r\nFigure 14 – Emulation results of the CloudEyE-produced sample.\r\nHowever, to be completely sure that CloudEyE produces samples that are universally acknowledged as GuLoader malware, we decided to analyze it manually and compare it with a real GuLoader sample that we saw in the wild.\r\nGuLoader was slightly upgraded a few weeks ago. 
Therefore, we chose one of the recent samples which downloads the Formbook malware:\r\nGuLoader MD5: 3d1fd9bcef7cbe915bb49857461ad781\r\nPayload URL: hxxps://drive.google.com/uc?export=download\u0026id=1cs40Db_dgZugASem90KebWJ2mVl6LmjR\r\nEncrypted Payload MD5: 95f29abac9c887639efc2d4e22b5350f\r\nDecrypted Payload MD5: 3b72bf861b5d2907bb2d76d3d4d9d816\r\nFigure 15 – Researched GuLoader sample details.\r\nThe CloudEyE-produced sample that we got has the same structure as GuLoader. Just like GuLoader, it is compiled with Visual Basic and contains shellcode encrypted with a random 4-byte XOR key. Therefore, we decrypted the shellcode from both samples (CloudEyE and GuLoader).\r\nTo make automatic analysis harder and probably also to prevent automatic decryption, the shellcode starts with a random stub and is prepended with a jump over this stub. In both samples, the same space on the stack is reserved for a structure with global variables.\r\nFigure 16 – Comparison of CloudEyE and GuLoader samples: shellcode randomization.\r\nVariables in the structure have the same offsets. Most of the code chunks differ only due to the applied randomization techniques. The useful code is the same in both samples.\r\nFigure 17 – Comparison of CloudEyE and GuLoader samples: URL decryption.\r\nThe URLs for downloading the payload and the “joined file” (i.e. the decoy image) in the new version of GuLoader are stored encrypted. GuLoader decrypts the URLs using the same key as is used for decrypting the payload. 
After extracting the XOR keys, we can easily find and decrypt the URLs in both samples.\r\nFigure 18 – Comparison of CloudEyE and GuLoader encrypted URLs.\r\nWe can therefore conclude that the samples are almost identical and differ only due to the applied code randomization techniques.\r\nIdentities behind CloudEyE\r\nLet’s refer to the contact emails posted by the user “sonykuccio” in the DarkEyE ads:\r\nxsebyx@hotmail.it (Sebyno)\r\nthedoktor2007@hotmail.it (EveryThing)\r\nWe looked for the emails and usernames in publicly available leaked email databases and managed to find several entries related to “sonykuccio”:\r\nFigure 19 – Emails and usernames found in publicly available databases.\r\nAlso, we surprisingly found a PDF containing a lot of real names and emails of Italian citizens, including the email “xsebyx@hotmail.it” and the corresponding name “Sebastiano Dragna”:\r\nFigure 20 – A PDF with emails of Italian citizens.\r\nLet’s now refer to the Privacy Policy section on the website securitycode.eu. We see the same name! The owners of this business must sincerely believe in their own innocence if they dare to publish real names on the website:\r\nFigure 21 – securitycode.eu privacy policy.\r\nTherefore, “sonykuccio”, “xsebyx”, “Sebyno”, “decrypter@hotmail.it”, “xsebyx@hotmail.it”, “sonykuccio@gmail.com” are avatars and emails of the same person: Dragna Sebastiano Fabio.\r\nUnfortunately, we didn’t manage to find any relation between another name published on the website (Ivano Mancini) and names used on popular hacker forums.\r\nFigure 22 – Identities behind CloudEyE.\r\nSonykuccio is an old and established visitor to hacker forums. 
We saw that he started selling DarkEyE in the beginning of 2011. But even before creating DarkEyE Protector, Sonykuccio was already providing services for protecting malware against anti-viruses (FUD service) and a spreading service for malware:\r\nFigure 23 – Malicious services advertised by sonykuccio.\r\nCloudEyE and Covid-19\r\nAs we said, we see hundreds of attacks every day in different campaigns. Some of the CloudEyE users have been cynically using the name “Coronavirus” as a way to deceive and mislead victims, using the fear and desire for information about the pandemic to infect people with malware.\r\nFigure 24 – CloudEyE and Coronavirus email subjects.\r\nRevenue\r\nThe securitycode.eu website claims that their customer base numbers over 5,000. As they sell their basic package for $ 100 per month, this allows us to estimate their monthly income at $ 500,000.\r\nFigure 25 – CloudEyE pricing.\r\nConclusion\r\nCloudEyE operations may look legal, but the service provided by CloudEyE has been a common denominator in thousands of attacks over the past year. Tutorials published on the CloudEyE website show how to store payloads on cloud drives such as Google Drive and OneDrive. Cloud drives usually perform anti-virus checking and technically don’t allow the upload of malware. However, payload encryption implemented in CloudEyE helps to bypass this limitation. Code randomization, evasion techniques, and payload encryption used in CloudEyE protect malware from being detected by many of the existing security products on the market. 
Surprisingly, such a service is provided by a legally registered Italian company that operates a publicly available website which has existed for more than four years.\r\nMany of CloudEyE’s customers are threat actors with no deep technical knowledge; they use publicly available malware or leaked hacking tools for stealing passwords, credentials, and private information, and for gaining control of the victim’s environment.\r\nAppendix: Hashes of samples\r\nDescription – MD5\r\nResearched GuLoader sample – 3d1fd9bcef7cbe915bb49857461ad781\r\nEncrypted GuLoader payload (Formbook) – 95f29abac9c887639efc2d4e22b5350f\r\nFormbook sample dropped by GuLoader – 3b72bf861b5d2907bb2d76d3d4d9d816\r\nGuLoader Shellcode – 0284062f9a7415e413ed319c13dc0988\r\nCloudEyE Shellcode – 5c4ed372836487562aa22ab9cd2798d9\r\nCheck Point Threat Emulation provides protection against this threat:\r\nDropper.Win.CloudEyE.A\r\nDropper.Wins.CloudEyE.B\r\nDropper.Win.CloudEyE.I\r\nDropper.Win.CloudEyE.gl.J\r\nDropper.Win.CloudEyE.gl.L\r\nSource: https://research.checkpoint.com/2020/guloader-cloudeye/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.checkpoint.com/2020/guloader-cloudeye/"
	],
	"report_names": [
		"guloader-cloudeye"
	],
	"threat_actors": [],
	"ts_created_at": 1777949142,
	"ts_updated_at": 1777949196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/70586932f24d03b600458575509e5f4952896a73.pdf",
		"text": "https://archive.orkl.eu/70586932f24d03b600458575509e5f4952896a73.txt",
		"img": "https://archive.orkl.eu/70586932f24d03b600458575509e5f4952896a73.jpg"
	}
}