{
	"id": "bfa4102b-36d5-4580-8d64-d869e63f7fd3",
	"created_at": "2026-04-06T00:13:51.766222Z",
	"updated_at": "2026-04-10T03:34:01.014546Z",
	"deleted_at": null,
	"sha1_hash": "917ebb7ea75dfe6d61d6cdc6d418853bc697cd2d",
	"title": "CloudEyE (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 135044,
	"plain_text": "CloudEyE (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 15:10:53 UTC\r\nCloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such\r\nas Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive.\r\nThe downloaded payload is xored.\r\n2025-11-26 ⋅ Intrinsec ⋅\r\nTrouble in the air: A spree of campaigns targeting the aerospace industry in Russia\r\nDarkWatchman CloudEyE Formbook PhantomCore Remcos 2025-04-03 ⋅ Microsoft ⋅ Microsoft Threat Intelligence\r\nThreat actors leverage tax season to deploy tax-themed phishing campaigns\r\nBrute Ratel C4 CloudEyE Latrodectus Remcos Storm-0249 2024-04-15 ⋅ Positive Technologies ⋅ Aleksandr Badaev, Kseniya\r\nNaumova\r\nSteganoAmor campaign: TA558 mass-attacking companies and public institutions all around the world\r\nLokiBot 404 Keylogger Agent Tesla CloudEyE Formbook Remcos XWorm 2024-03-11 ⋅ CyberInt ⋅ Adi Bleih\r\nGuLoader Downloaded: A Look at the Latest Iteration\r\nCloudEyE 2024-02-09 ⋅ YouTube (Embee Research) ⋅ Embee_research\r\nGuloader Decoding With Cyberchef\r\nCloudEyE 2023-12-06 ⋅ Elastic ⋅ Daniel Stepanic\r\nGetting gooey with GULOADER: deobfuscating the downloader\r\nCloudEyE 2023-09-29 ⋅ Intrinsec ⋅ CTI Intrinsec, Intrinsec\r\nOngoing threats targeting the energy industry\r\nAgent Tesla CloudEyE 2023-09-19 ⋅ Checkpoint ⋅ Alexey Bukhteyev, Arie Olshtein\r\nUnveiling the Shadows: The Dark Alliance between GuLoader and Remcos\r\nCloudEyE Remcos 2023-08-10 ⋅ AhnLab ⋅ AhnLab ASEC Analysis Team\r\nGuLoader Malware Disguised as Tax Invoices and Shipping Statements (Detected by MDS Products)\r\nCloudEyE 2023-07-28 ⋅ YouTube (SANS Cyber Defense) ⋅ Stef Rand\r\nDrop It Like It's Qbot: Separating malicious droppers, loaders, and crypters from their payloads\r\nCloudEyE QakBot 2023-07-28 ⋅ Red Canary ⋅ Stef Rand\r\nDrop It Like It's Qbot: Separating malicious droppers, loaders, and crypters from their payloads\r\nCloudEyE QakBot 2023-07-23 ⋅ irfan_eternal ⋅ Muhammed Irfan V A\r\nGuloader Deobfuscation using Ghidra\r\nCloudEyE 2023-07-08 ⋅ Gi7w0rm\r\nCloudEyE — From .lnk to Shellcode\r\nCloudEyE Remcos 2023-06-29 ⋅ Morphisec ⋅ Arnold Osipov\r\nGuLoader Campaign Targets Law Firms in the US\r\nCloudEyE 2023-06-29 ⋅ MalwareBookReports ⋅ muzi\r\nGuLoader: Navigating a Maze of Intricacy\r\nCloudEyE 2023-05-22 ⋅ Check Point ⋅ Alexey Bukhteyev, Arie Olshtein\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye\r\nPage 1 of 4\n\nCloud-based Malware Delivery: The Evolution of GuLoader\r\nCloudEyE 2023-05-17 ⋅ ANY.RUN ⋅ ANY.RUN\r\nDeobfuscating the Latest GuLoader: Automating Analysis with Ghidra Scripting\r\nCloudEyE 2023-04-13 ⋅ Microsoft ⋅ Microsoft Threat Intelligence\r\nThreat actors strive to cause Tax Day headaches\r\nCloudEyE Remcos 2023-04-10 ⋅ Check Point ⋅ Check Point\r\nMarch 2023’s Most Wanted Malware: New Emotet Campaign Bypasses Microsoft Blocks to Distribute Malicious\r\nOneNote Files\r\nAgent Tesla CloudEyE Emotet Formbook Nanocore RAT NjRAT QakBot Remcos Tofsee 2023-03-11 ⋅ Zainware labs ⋅\r\nZainWare\r\nAnalyzing GuLoader\r\nCloudEyE 2023-01-05 ⋅ Symantec ⋅ Threat Hunter Team\r\nBluebottle: Campaign Hits Banks in French-speaking Countries in Africa\r\nCloudEyE Cobalt Strike MimiKatz NetWire RC POORTRY Quasar RAT BlueBottle 2022-12-19 ⋅ CrowdStrike ⋅\r\nDonato Onofri, Sarang Sonawane\r\nMalware Analysis: GuLoader Dissection Reveals New Anti-Analysis Techniques and Code Injection Redundancy\r\nCloudEyE 2022-10-12 ⋅ Spamhaus ⋅ Raashid Bhat\r\nDissecting the new shellcode-based variant of GuLoader (CloudEyE)\r\nCloudEyE 2022-09-12 ⋅ VMRay ⋅ Pascal Brackmann\r\nThe evolution of GuLoader\r\nCloudEyE 2022-08-29 ⋅ InQuest ⋅ David Ledbetter\r\nOffice Files, RTF files, Shellcode and more shenanigans\r\nCloudEyE 2022-07-21 ⋅ ⋅ Cert-AgID ⋅ Cert-AgID\r\nTecniche per semplificare l’analisi del malware GuLoader\r\nCloudEyE 2022-07-12 ⋅ Fortinet ⋅ James Slaughter\r\nSpoofed Saudi Purchase Order Drops GuLoader – Part 2\r\nCloudEyE 2022-06-02 ⋅ Mandiant ⋅ Mandiant\r\nTRENDING EVIL Q2 2022\r\nCloudEyE Cobalt Strike CryptBot Emotet IsaacWiper QakBot 2022-04-12 ⋅ HP ⋅ Patrick Schläpfer\r\nMalware Campaigns Targeting African Banking Sector\r\nCloudEyE Remcos 2022-03-30 ⋅ Securonix ⋅ Den Iyzvyk, Oleg Kolesnikov, Tim Peck\r\nNew TACTICAL#OCTOPUS Attack Campaign Targets US Entities with Malware Bundled in Tax-Themed\r\nDocuments\r\nCloudEyE 2022-01-27 ⋅ forensicitguy ⋅ Tony Lambert\r\nGuLoader Executing Shellcode Using Callback Functions\r\nCloudEyE 2021-11-23 ⋅ HP ⋅ Patrick Schläpfer\r\nRATDispenser: Stealthy JavaScript Loader Dispensing RATs into the Wild\r\nAdWind Ratty STRRAT CloudEyE Formbook Houdini Panda Stealer Remcos 2021-10-01 ⋅ HP ⋅ HP Wolf Security\r\nThreat Insights Report Q3 - 2021\r\nSTRRAT CloudEyE NetWire RC Remcos TrickBot Vjw0rm 2021-09-03 ⋅ Trend Micro ⋅ Mohamad Mokbel\r\nThe State of SSL/TLS Certificate Usage in Malware C\u0026C Communications\r\nAdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye\r\nPage 2 of 4\n\nFindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT\r\nRockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader 2021-08-23 ⋅ YouTube (\r\nDuMp-GuY TrIcKsTeR) ⋅ Jiří Vinopal\r\n[2] Lokibot analyzing - spoofing GULoader and LokiBot C2 [part2] - INetSim + BurpSuite\r\nCloudEyE Loki Password Stealer (PWS) 2021-07-07 ⋅ YouTube ( DuMp-GuY TrIcKsTeR) ⋅ Jiří Vinopal\r\n[2] Lokibot analyzing - spoofing GULoader and LokiBot C2 [part1] - Own implementation in Python\r\nCloudEyE Loki Password Stealer (PWS) 2021-07-06 ⋅ YouTube ( DuMp-GuY TrIcKsTeR) ⋅ Jiří Vinopal\r\n[1] Lokibot analyzing - defeating GuLoader with Windbg (Kernel debugging) and Live C2\r\nCloudEyE Loki Password Stealer (PWS) 2021-06-29 ⋅ Medium hidocohen ⋅ Hido Cohen\r\nGuLoader’s Anti-Analysis Techniques\r\nCloudEyE 2021-04-19 ⋅ Medium elis531989 ⋅ Eli Salem\r\nDancing With Shellcodes: Cracking the latest version of Guloader\r\nCloudEyE 2021-04-13 ⋅ CERT Polska / NASK ⋅ Michał Praszmo\r\nKeeping an eye on CloudEyE (GuLoader) - Reverse engineering the loader\r\nCloudEyE 2021-03-06 ⋅ Click All the Things! Blog ⋅ Jamie Arndt\r\noleObject1.bin – OLe10nATive – shellcode\r\nCloudEyE 2021-02-17 ⋅ K7 Security ⋅ Lokesh J\r\nGuLoader Snowballs via MalSpam Campaigns\r\nCloudEyE 2020-11-18 ⋅ VMRay ⋅ Mateusz Lukaszewski, Pascal Brackmann, VMRay Labs Team\r\nMalware Analysis Spotlight: AZORult Delivered by GuLoader\r\nAzorult CloudEyE 2020-09-17 ⋅ Joe Security's Blog ⋅ Joe Security\r\nGuLoader's VM-Exit Instruction Hammering explained\r\nCloudEyE 2020-09-08 ⋅ MALWATION ⋅ malwation\r\nMalware Config Extraction Diaries #1 – GuLoader\r\nCloudEyE 2020-08-10 ⋅ Malwarebytes ⋅ Jérôme Segura\r\nSBA phishing scams: from malware to advanced social engineering\r\nCloudEyE 2020-08-05 ⋅ Blueliv ⋅ Blueliv Labs Team, Carlos Rubio\r\nPlaying with GuLoader Anti-VM techniques\r\nCloudEyE 2020-07-14 ⋅ SophosLabs Uncut ⋅ Markel Picado, Sean Gallagher\r\nRATicate upgrades “RATs as a Service” attacks with commercial “crypter”\r\nLokiBot BetaBot CloudEyE NetWire RC 2020-07-09 ⋅ VMRay ⋅ Pascal Brackmann\r\nThreat Bulletin: Dissecting GuLoader’s Evasion Techniques\r\nCloudEyE 2020-06-27 ⋅ kienmanowar Blog ⋅ m4n0w4r\r\nQuick analysis note about GuLoader (or CloudEyE)\r\nCloudEyE 2020-06-25 ⋅ CrowdStrike ⋅ Umesh Wanve\r\nGuLoader: Peering Into a Shellcode-based Downloader\r\nCloudEyE 2020-06-22 ⋅ Proofpoint ⋅ Proofpoint Threat Research Team, Sherrod DeGrippo\r\nHakbit Ransomware Campaign Against Germany, Austria, Switzerland\r\nCloudEyE Hakbit 2020-06-08 ⋅ Check Point Research ⋅ Check Point Research\r\nGuLoader? No, CloudEyE.\r\nCloudEyE 2020-05-20 ⋅ VIPRE ⋅ VIPRE Labs\r\nUnloading the GuLoader\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye\r\nPage 3 of 4\n\nCloudEyE 2020-05-08 ⋅ Twitter (@sysopfb) ⋅ Jason Reaves\r\nTweet on GuLoader anti analysis techniques\r\nCloudEyE 2020-05-05 ⋅ ⋅ VinCSS ⋅ Dang Dinh Phuong, m4n0w4r\r\nGuLoader AntiVM Techniques\r\nCloudEyE 2020-05-04 ⋅ Twitter (@VK_intel) ⋅ Vitali Kremez\r\nGuLoader API Loader Algorithm\r\nCloudEyE 2020-04-29 ⋅ Twitter (@VK_intel) ⋅ Vitali Kremez\r\nSome Insight into GuLoader family\r\nCloudEyE 2020-04-21 ⋅ Twitter (@VK_intel) ⋅ Vitali Kremez\r\nTweet on Signed GuLoader\r\nCloudEyE 2020-04-13 ⋅ K7 Security ⋅ Lokesh J\r\nGuLoader delivers RATs and Spies in Disguise\r\nCloudEyE 2020-04-03 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan\r\nGuLoader: Malspam Campaign Installing NetWire RAT\r\nCloudEyE NetWire RC 2020-04-02 ⋅ Morphisec ⋅ Arnold Osipov\r\nGuLoader: The RAT Downloader\r\nCloudEyE 2020-04-01 ⋅ Cisco ⋅ Andrea Kaiser, Shyam Sundar Ramaswami\r\nNavigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors\r\nAzorult CloudEyE Formbook KPOT Stealer Metamorfo Nanocore RAT NetWire RC TrickBot 2020-03-19 ⋅ Twitter\r\n(@TheEnergyStory) ⋅ Dominik Reichel\r\nTweet on early GuLoader samples dating back to October 2019\r\nCloudEyE 2020-03-15 ⋅ Twitter (@TheEnergyStory) ⋅ Dominik Reichel\r\nGuLoader anti analysis/sandbox tricks\r\nCloudEyE\r\n[TLP:WHITE] win_cloudeye_auto (20251219 | Detects win.cloudeye.)\r\n[TLP:WHITE] win_cloudeye_w0   (20200204 | Shellcode injector and downloader via RegAsm.exe payload)\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye"
	],
	"report_names": [
		"win.cloudeye"
	],
	"threat_actors": [
		{
			"id": "316b23b5-e097-4dc6-8b1c-d096860c6c16",
			"created_at": "2022-10-25T16:07:24.290801Z",
			"updated_at": "2026-04-10T02:00:04.924688Z",
			"deleted_at": null,
			"main_name": "TA558",
			"aliases": [],
			"source_name": "ETDA:TA558",
			"tools": [
				"AZORult",
				"AsyncRAT",
				"Bladabindi",
				"ExtRat",
				"Jorik",
				"Loda",
				"Loda RAT",
				"LodaRAT",
				"Nymeria",
				"PuffStealer",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"Rultazo",
				"Socmer",
				"Vengeance Justice Worm",
				"Vjw0rm",
				"Xtreme RAT",
				"XtremeRAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0d07b30c-4393-4071-82fb-22f51f7749e0",
			"created_at": "2022-10-25T16:07:24.097096Z",
			"updated_at": "2026-04-10T02:00:04.865146Z",
			"deleted_at": null,
			"main_name": "RATicate",
			"aliases": [],
			"source_name": "ETDA:RATicate",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"BetaBot",
				"BlackRAT",
				"BlackRemote",
				"Bladabindi",
				"CloudEyE",
				"ForeIT",
				"Formbook",
				"GuLoader",
				"Jorik",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"NSIS",
				"Negasteal",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Neurevt",
				"Nullsoft Scriptable Install System",
				"Origin Logger",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Socmer",
				"ZPAQ",
				"njRAT",
				"vbdropper",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7e7782b0-8b0b-4e92-b58a-c696b6d70ea1",
			"created_at": "2025-05-29T02:00:03.18524Z",
			"updated_at": "2026-04-10T02:00:03.843199Z",
			"deleted_at": null,
			"main_name": "Storm-0249",
			"aliases": [
				"DEV-0249"
			],
			"source_name": "MISPGALAXY:Storm-0249",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "59a48c28-d918-419f-b8b8-44be0c9741c8",
			"created_at": "2023-11-08T02:00:07.172993Z",
			"updated_at": "2026-04-10T02:00:03.434175Z",
			"deleted_at": null,
			"main_name": "BlueBottle",
			"aliases": [],
			"source_name": "MISPGALAXY:BlueBottle",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cf91b389-9602-45c0-8d6b-c61d14800f54",
			"created_at": "2023-01-06T13:46:39.448277Z",
			"updated_at": "2026-04-10T02:00:03.332604Z",
			"deleted_at": null,
			"main_name": "TA558",
			"aliases": [],
			"source_name": "MISPGALAXY:TA558",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434431,
	"ts_updated_at": 1775792041,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/917ebb7ea75dfe6d61d6cdc6d418853bc697cd2d.pdf",
		"text": "https://archive.orkl.eu/917ebb7ea75dfe6d61d6cdc6d418853bc697cd2d.txt",
		"img": "https://archive.orkl.eu/917ebb7ea75dfe6d61d6cdc6d418853bc697cd2d.jpg"
	}
}