{
	"id": "4e726ef1-431d-446c-bfd5-56b20088f863",
	"created_at": "2026-04-06T00:22:36.874145Z",
	"updated_at": "2026-04-10T13:11:33.370116Z",
	"deleted_at": null,
	"sha1_hash": "b7ff5b5932b95cd88b9cb20cd0bd4d1691336eaa",
	"title": "Analyzing GuLoader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2094140,
	"plain_text": "Analyzing GuLoader\r\nBy ZainWare\r\nPublished: 2025-10-25 · Archived: 2026-04-05 16:00:31 UTC\r\nPress enter or click to view image in full size\r\nGuLoader [figure 1]\r\nSo we need to know what does GuLoader do for living, but before that let us discuss and talk about its history.\r\nGuLoader history:\r\nGuLoader also known as CloudEyE and vbdropper. First seen in the wild was in December 2019 and it’s delivered\r\nvia spam emails (Malspam) as an attachment fooling users and acting like a legit mail.\r\nHere’s some examples:\r\nhttps://medium.com/@ZainWare/analyzing-guloader-42c1d6a73dfa\r\nPage 1 of 16\n\nMalspam using DHL theme to push GuLoader, MalwareBytes [Figure 2]\r\nPress enter or click to view image in full size\r\nanother Malspam, CrowdStrike [Figure 3]\r\nhttps://medium.com/@ZainWare/analyzing-guloader-42c1d6a73dfa\r\nPage 2 of 16\n\nPress enter or click to view image in full size\r\nanother Malspam, PCrisk [Figure 4]\r\nPress enter or click to view image in full size\r\nhttps://medium.com/@ZainWare/analyzing-guloader-42c1d6a73dfa\r\nPage 3 of 16\n\nFrom AhnLab [Figure 5]\r\nGuLoader got its name as Google Drive is frequently used as its download URL. (ASEC analysis team)\r\nGuLoader is written in VB6(wrapper)containing the shellcode that gives GuLoader the needed flexibility to be\r\nheavily obfuscated to evade and escape from AVs and that gives GuLoader low detection on VT.\r\nGuloader has a lot of capabilities that we will discuss in a moment, After doing its work it drops a lot of different\r\nmalwares like RATs, stealers and ransomwares (ex: Formbook, Remcos, Lokibot, NanoCore, AgentTesla,\r\nArkei/Vidar, NetWire, Hakbit, etc.) 
using cloud services such as Google Drive (not always). In 2020, when GuLoader was being distributed most actively, delivering malware from a legitimate cloud service was a trend: downloading from a trusted site is a big advantage for an adversary, and it still is.\r\nIn 2020 Check Point exposed GuLoader as being tied to CloudEyE, an Italian security software company whose product is marketed as “Protecting windows applications from cracking, tampering, debugging, disassembling, dumping” (see Check Point’s write-up in the resources at the end).\r\nWe will follow GuLoader’s career through 2020, 2021 and 2022, up to the Italian e-commerce campaign of February 2023 that used NSIS.\r\nMany of its capabilities persist across the years; the author modifies some of their implementations and adds new techniques along the way.\r\nSo let’s start the analysis…\r\n2020 (GuLoader’s birth)\r\nAccording to Lawrence Abrams, this spam campaign was first discovered by MalwareHunterTeam. 
I tried to get an early sample of it; the earliest one I found (my starting point) is from 15 January 2020:\r\nmd5: cf3e7341f48bcc58822c4aecb4eb6241\r\nOnce executed, GuLoader downloads an encrypted file from Google Drive, decrypts it and injects it (not always) into wininit.exe, a legitimate Windows process, to evade detection. The operators also impersonated the WHO during the Covid-19 pandemic.\r\nGuLoader as WHO (Malwarebytes) [Figure 6]\r\nProcess injection:\r\nHow does it execute?\r\nGuLoader uses a process hollowing variant: the shellcode does not unmap the image of the legitimate process; instead it maps a new section created with NtCreateSection:\r\nIt calls CreateProcessInternalW to create the legitimate process RegAsm.exe (C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe); if that is not found it loops over the same directory looking for MSBuild.exe or RegSvcs.exe (all part of the .NET Framework, perhaps chosen because they can host .NET payloads). The process is created suspended (CREATE_SUSPENDED, 0x00000004). It then calls ZwOpenFile to get a file handle to mstsc.exe or msvbvm60.dll, calls NtCreateSection on that handle to create a section with the desired access, and maps the section into the suspended target (e.g. RegAsm.exe) with NtMapViewOfSection at base address 0x400000 instead of a normal high load address. NtWriteVirtualMemory then writes the shellcode into the newly mapped section. To execute it, GuLoader calls NtSetContextThread on the only thread of the target process, which is still suspended. 
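The API sequence just described is also what a sandbox or API-monitor trace of GuLoader looks like, so here is an added example (not code from the original post) of matching it: an ordered-subsequence check over a constructed API-call log. The line format pid|api|key=value;... is an assumption made for this example, and the trace lines are made up; the check reports which host process was created suspended and whether the section was mapped at the low 0x400000 base, which is the detail that separates this chain from an ordinary program start.

```python
import re

# Ordered API chain from the injection description above. Each step is a
# regex over the API name so Nt/Zw spellings are matched interchangeably.
INJECTION_CHAIN = [
    '^CreateProcess(Internal)?[AW]$',   # .NET host spawned (suspended)
    '^(Nt|Zw)OpenFile$',                # handle to mstsc.exe / msvbvm60.dll
    '^(Nt|Zw)CreateSection$',           # section over that file handle
    '^(Nt|Zw)MapViewOfSection$',        # mapped into the suspended child
    '^(Nt|Zw)WriteVirtualMemory$',      # shellcode written into the view
    '^(Nt|Zw)SetContextThread$',        # EIP pointed at the shellcode
    '^(Nt|Zw)ResumeThread$',            # and run
]

# Constructed trace line format (an assumption for this example):
#   <pid>|<api>|key=value;key=value
LINE_RE = re.compile('^(?P<pid>[0-9]+)[|](?P<api>[A-Za-z0-9_]+)[|](?P<args>.*)$')

def parse_trace(text):
    '''Parse trace lines into (pid, api, {arg: value}) tuples; junk is skipped.'''
    calls = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        args = {}
        for kv in m.group('args').split(';'):
            if '=' in kv:
                k, v = kv.split('=', 1)
                args[k.strip()] = v.strip()
        calls.append((int(m.group('pid')), m.group('api'), args))
    return calls

def find_injection_chains(calls):
    '''One finding per source pid whose calls contain the whole chain in order
    (unrelated calls may be interleaved, as they are in a real trace).'''
    findings = []
    for pid in sorted({c[0] for c in calls}):
        step, hit = 0, {}
        for _, api, args in (c for c in calls if c[0] == pid):
            if step < len(INJECTION_CHAIN) and re.match(INJECTION_CHAIN[step], api):
                hit[step] = args
                step += 1
        if step < len(INJECTION_CHAIN):
            continue
        flags = int(hit[0].get('flags', '0'), 16)
        base = hit[3].get('base', '').lower()
        findings.append({
            'pid': pid,
            'target': hit[0].get('image', '?'),
            'suspended': bool(flags & 0x4),   # CREATE_SUSPENDED
            'backing_file': hit[1].get('path', '?'),
            'base': base,
            'low_base': base == '0x400000',   # mapped where the image itself would load
        })
    return findings

# Constructed trace: one GuLoader-style chain and one benign process start.
SAMPLE_TRACE = '''
1337|CreateProcessInternalW|image=C:/Windows/Microsoft.NET/Framework/v2.0.50727/RegAsm.exe;flags=0x4
1337|NtOpenFile|path=C:/Windows/System32/mstsc.exe
1337|NtCreateSection|access=0xF001F
1337|NtMapViewOfSection|pid=2048;base=0x400000
1337|NtWriteVirtualMemory|pid=2048;size=0x2C00
1337|NtSetContextThread|tid=2050
1337|NtResumeThread|tid=2050
4242|CreateProcessW|image=C:/Windows/System32/notepad.exe;flags=0x0
4242|NtResumeThread|tid=4300
'''

if __name__ == '__main__':
    for finding in find_injection_chains(parse_trace(SAMPLE_TRACE)):
        print(finding)
```

The benign notepad start in the sample never reaches the second step, so only pid 1337 is reported. In a real trace the same chain with a high mapping base and a non-suspended child is what a legitimate loader looks like, which is why the two extra fields are worth keeping in the finding.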
The new context sets EIP to the start of the shellcode, and NtResumeThread then runs it. The shellcode performs anti-debugging, anti-analysis and anti-VM checks plus some other interesting techniques, covered next.\r\nAnti AVs:\r\nGuLoader is wrapped in a VB6 executable that changes with every campaign to evade AV signatures. Inside it, the shellcode and the downloaded payloads are encrypted with a hard-coded 4-byte XOR key embedded in the malware, so that AV engines do not recognise the payload as malicious.\r\nAnti Debugging:\r\nGuLoader patches DbgBreakPoint and DbgUiRemoteBreakin in ntdll: the INT3 opcode (0xCC) at the start of DbgBreakPoint is replaced with 0x90 (NOP, no operation), and the first few bytes of DbgUiRemoteBreakin are replaced with a dummy call so that a debugger attaching to the process crashes.\r\nCrash message [Figure 7]\r\nGuLoader also hides its running thread from debuggers by calling NtSetInformationThread with 0x11 (ThreadHideFromDebugger) as the ThreadInformationClass parameter.\r\nIt also checks for hardware breakpoints by testing the debug registers (the registers a debugger uses for hardware breakpoints). Here EAX points to a CONTEXT structure, as returned by GetThreadContext, and the interleaved test/cmp instructions are junk whose flags no branch reads:\r\ncmp dword ptr ds:[eax+4],0\r\njne Crash_fn\r\ncmp dword ptr ds:[eax+8],0\r\njne Crash_fn\r\ntest bl,bl\r\ncmp dword ptr ds:[eax+C],0\r\njne Crash_fn\r\ncmp dword ptr ds:[eax+10],0\r\njne Crash_fn\r\ntest ecx,ecx\r\ncmp dword ptr ds:[eax+14],0\r\njne Crash_fn\r\ncmp dword ptr ds:[eax+18],0\r\njne Crash_fn\r\ncmp ah,ah\r\n[eax+4] = Dr0\r\n[eax+8] = Dr1\r\n[eax+C] = Dr2\r\n[eax+10] = Dr3\r\n[eax+14] = Dr6\r\n[eax+18] = Dr7\r\nThese are the offsets of the debug register fields in the 32-bit CONTEXT structure (ContextFlags sits at offset 0); DR4 and DR5 are aliases of DR6/DR7 and have no field of their own. Any non-zero value takes the Crash_fn path, the routine that shows the crash message box [Figure 7].\r\nSoftware breakpoints are detected by looking for the bytes 
0xCC (the one-byte int 3), the word 0x03CD (bytes CD 03, the two-byte int 3 encoding) and the word 0x0B0F (bytes 0F 0B, the ud2 instruction); if any of them is found at the checked address it causes the same crash as above [Figure 7]. The word compares load a little-endian 16-bit value, which is why the constants appear byte-swapped:\r\npop eax\r\ntest bx,bx\r\nmov bl,byte ptr ds:[eax]\r\ncmp bl,CC\r\nje Crash_fn\r\nmov bx,word ptr ds:[eax]\r\ncmp bx,3CD\r\nje Crash_fn\r\ncmp edx,ebx\r\nmov bx,word ptr ds:[eax]\r\ncmp bx,B0F\r\nje Crash_fn\r\nAgain, Crash_fn is the routine that shows the crash message box [Figure 7].\r\nAnti Sandboxing and VMs (virtualization):\r\nGuLoader uses the EnumWindows API to count the windows on the desktop and compares the count in EAX with 0xC (12); if fewer than 12 windows exist, which is typical of a bare sandbox desktop, it calls TerminateProcess. (As listed below the branch is taken on jge, i.e. when EAX is 12 or more, so either the label or the condition in the excerpt is inverted relative to this description.)\r\ncall eax\r\npop eax\r\ncmp eax,C\r\njge TerminateProcess_fn\r\nUsing CPUID:\r\nIt executes CPUID (leaf 1) and then tests\r\nbt ecx,1F // bit 31\r\nBit 31 of ECX is the hypervisor-present bit: it is zero on bare metal and hypervisors set it to one (a debugger alone does not set it). If it is set, the crash message box is shown [Figure 7].\r\nCPUID also triggers a VM exit to the hypervisor, so it takes much longer under virtualization than on a physical machine, which makes it a timing probe as well.\r\nUsing RDTSC:\r\nRDTSC (Read Time-Stamp Counter) is used in the same spirit, since trapped or slowed execution shows up in the counter deltas, but the loop GuLoader wraps around it is mainly a delay:\r\nmov ecx,186A0\r\nECX is loaded with 0x186A0 (100,000) as the inner loop counter; each pass increments EDI, decrements ECX and repeats until ECX reaches zero. EDI is then compared against\r\ncmp edi,68E7780\r\nthat is 0x68E7780 (110,000,000); once EDI reaches that count the code enters the loop again, so it becomes an infinite loop.\r\nAs you can see GuLoader chose these specific counts deliberately, so of course these numbers mean something. 
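Before going on, the two breakpoint checks from the Anti Debugging section above, re-implemented as an added example in Python (this is not the malware’s code) so the logic can be exercised on constructed input: the hardware check parses the first 0x1C bytes of a 32-bit CONTEXT (ContextFlags, then Dr0, Dr1, Dr2, Dr3, Dr6, Dr7 at the offsets listed above), and the software check looks for 0xCC, CD 03 and 0F 0B exactly as the byte and word compares do. The CONTEXT buffer and the code bytes are constructed; CONTEXT_DEBUG_REGISTERS (0x10010) is the real flag value but only decorates the test buffer.

```python
import struct

# Offsets of the debug register fields inside the 32-bit CONTEXT structure
# (ContextFlags at 0, then Dr0, Dr1, Dr2, Dr3, Dr6, Dr7 as DWORDs).
DR_OFFSETS = {'Dr0': 0x4, 'Dr1': 0x8, 'Dr2': 0xC, 'Dr3': 0x10, 'Dr6': 0x14, 'Dr7': 0x18}

def hardware_breakpoints_set(context):
    '''Names of the non-zero debug register fields, mirroring the
    cmp dword ptr [eax+off],0 / jne Crash_fn chain. Empty list means clean.'''
    if len(context) < 0x1C:
        raise ValueError('CONTEXT buffer too short')
    return [name for name, off in DR_OFFSETS.items()
            if struct.unpack_from('<I', context, off)[0] != 0]

# Byte sequences the shellcode looks for: one-byte int 3, the two-byte
# int 3 encoding (word 0x03CD read little-endian) and ud2 (word 0x0B0F).
BREAKPOINT_PATTERNS = {
    'int3': bytes([0xCC]),
    'int 3 (long form)': bytes([0xCD, 0x03]),
    'ud2': bytes([0x0F, 0x0B]),
}

def software_breakpoint_at(code, offset=0):
    '''Name of the pattern at code[offset], or None. This is the single-address
    check the shellcode performs on the instruction it is about to execute.'''
    for name, pat in BREAKPOINT_PATTERNS.items():
        if code[offset:offset + len(pat)] == pat:
            return name
    return None

def software_breakpoints_in(code):
    '''Scan a whole buffer and return (offset, name) pairs, for checking a dumped
    region rather than one address. A 0xCC inside another instruction or in
    padding also matches, so treat hits as leads, not proof.'''
    hits = []
    for off in range(len(code)):
        name = software_breakpoint_at(code, off)
        if name:
            hits.append((off, name))
    return hits

def build_context(dr=None):
    '''Constructed 0x1C-byte CONTEXT prefix for testing: CONTEXT_DEBUG_REGISTERS
    in ContextFlags plus the requested debug register values (others zero).'''
    dr = dr or {}
    buf = bytearray(0x1C)
    struct.pack_into('<I', buf, 0, 0x10010)
    for name, val in dr.items():
        struct.pack_into('<I', buf, DR_OFFSETS[name], val)
    return bytes(buf)

if __name__ == '__main__':
    # A debugger with one execute breakpoint on 0x401000, enabled in Dr7.
    ctx = build_context({'Dr0': 0x401000, 'Dr7': 0x1})
    print('hardware:', hardware_breakpoints_set(ctx))
    code = bytes([0x55, 0x8B, 0xEC, 0xCC, 0x90, 0xCD, 0x03, 0x0F, 0x0B, 0xC3])
    print('software:', software_breakpoints_in(code))
```

A debugger that sets a hardware breakpoint has to enable it in Dr7, so an analyst who wants to step through this code has to either clear the registers before the check runs or patch the jne out; the byte scan is defeated the same way a classic anti-INT3 check is, by using hardware breakpoints or single-stepping instead of 0xCC patches.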
My guess is that the author tuned these loop counts against a virtualized environment.\r\nGuLoader also uses instruction hammering, a technique seen in many samples: it executes huge amounts of delay code that exceeds the execution budget of a sandbox or other analyzer, so the payload is never reached. It also uses ZwQueryVirtualMemory with the pseudo-handle 0xffffffff (the current process) to walk every page of its own address space and scan for strings related to VMs; if it finds any, it shows the crash message box [Figure 7].\r\nAPI resolving:\r\nGuLoader resolves APIs by DJB2 hash to keep them out of the import address table (IAT). It hashes the name of every export of kernel32.dll and, whenever it needs an API, looks it up by the hash instead of the name; for example CreateProcessInternalW is referenced as 9688DA44.\r\nDJB2\r\n/* classic djb2 string hash, as used by GuLoader for API names */\r\nunsigned long\r\nhash(unsigned char *str)\r\n{\r\n    unsigned long hash = 5381;\r\n    int c;\r\n    while ((c = *str++))\r\n        hash = ((hash << 5) + hash) + c; /* hash * 33 + c */\r\n    return hash;\r\n}\r\nThe seed 5381 is chosen because it gives fewer collisions and better avalanche behaviour; the multiplier 33 was never explained by its author. (hash << 5) + hash is hash * 33: shifting left by five multiplies by 2⁵ (32) and adding the original value once more makes 33, which is cheaper for the CPU than a multiply.\r\nEntering Heaven:\r\nGuLoader is a 32-bit application, but on a 64-bit system it can trick the operating system into executing 64-bit code despite having started as a 32-bit process. 
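Before following that 64-bit path, here is the DJB2 API hashing from the section above in runnable form, as an added example that is not GuLoader’s code, together with the two things an analyst actually needs around it: a table built from export names so a hash constant seen in the shellcode can be mapped back to a name, and the XOR-masked variant mentioned in the conclusion, where the embedded constant is hash XOR key rather than the raw hash. The export list is a constructed subset of kernel32.dll; the 32-bit truncation mirrors unsigned long on x86; the key value is made up.

```python
MASK32 = 0xFFFFFFFF

def djb2(name):
    '''Classic djb2 over the bytes of an ASCII export name, truncated to 32 bits
    as on 32-bit x86 where unsigned long is 32 bits wide.'''
    h = 5381
    for c in name.encode('ascii'):
        h = ((h << 5) + h + c) & MASK32     # h * 33 + c
    return h

def build_hash_table(export_names, xor_key=0):
    '''Map (djb2(name) ^ xor_key) -> name for every export. xor_key=0 gives the
    plain table; a campaign-specific key gives the masked table a build embeds.'''
    table = {}
    for name in export_names:
        h = djb2(name) ^ xor_key
        if h in table and table[h] != name:     # djb2 is not collision-free
            raise ValueError('collision: %s vs %s' % (table[h], name))
        table[h] = name
    return table

def resolve(hash_value, table):
    '''Look up a constant seen in the shellcode; None if no export matches.'''
    return table.get(hash_value & MASK32)

def recover_xor_key(masked_hash, known_name):
    '''If one masked constant is already attributed (say, from the call that
    follows it in the shellcode), the key is just the XOR difference.'''
    return (masked_hash ^ djb2(known_name)) & MASK32

# Constructed subset of kernel32.dll export names for the example.
KERNEL32_EXPORTS = [
    'CreateProcessInternalW', 'CreateProcessW', 'VirtualAlloc', 'VirtualProtect',
    'CreateFileW', 'ReadFile', 'WriteFile', 'TerminateProcess', 'GetProcAddress',
    'LoadLibraryA', 'Sleep',
]

if __name__ == '__main__':
    plain = build_hash_table(KERNEL32_EXPORTS)
    for name in KERNEL32_EXPORTS:
        print('%08X  %s' % (djb2(name), name))
    key = 0xA5A5A5A5                        # made-up per-build key
    masked = build_hash_table(KERNEL32_EXPORTS, key)
    seen = djb2('VirtualAlloc') ^ key       # constant as it would appear in the shellcode
    print('masked %08X -> %s' % (seen, resolve(seen, masked)))
    print('key recovered: %08X' % recover_xor_key(seen, 'VirtualAlloc'))
```

Real resolvers hash the export directory of the loaded module, so for a full table feed the actual export names of the DLL version in question; once the key is recovered from a single known call, every other constant in the sample resolves with the masked table.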
Heaven’s Gate is the mechanism. Under WOW64, a 32-bit call into ntdll.dll normally passes through wow64.dll (Windows on Windows) and wow64cpu.dll, whose Wow64Transition pointer performs a far jmp that switches the CPU into 64-bit mode and continues in the 64-bit ntdll.dll; GuLoader performs that far jump itself and calls the 64-bit ntdll.dll directly. How do you know whether it is using Heaven’s Gate? The shellcode reads FS:[0xC0] (mov ebx, dword ptr FS:[C0]), the TEB slot that holds the WOW64 fast system call pointer: it is non-zero only when the process runs under WOW64 on a 64-bit system, and in that case Heaven’s Gate is used.\r\nIn 2020, right after Check Point exposed CloudEyE on 8 June 2020, GuLoader was booming on 9 June:\r\nMalware Bazaar [Figure 8]\r\nCheck Point [Figure 9]\r\nHere you can see it was active that month, and on 10 June Sebastiano announced:\r\nTemporary service suspension [Figure 10]\r\nBut Check Point came back after this message:\r\nTaking down the top malicious dropper of 2020, as Check Point put it [Figure 11]\r\nService resumed, Malwarebytes [Figure 12]\r\nI think that is enough for 2020; let’s discuss 2021.\r\nNumber of GuLoader samples submitted to MalwareBazaar during Jan-Oct 2021 (Deep Instinct) [Figure 13]\r\n2021’s code is the same as 2020 plus some features. 
I’ll go through these features the same way as the earlier ones.\r\nAnti VMs:\r\nGuLoader searches for the guest agent installed by the QEMU emulator and virtualizer:\r\nC:\\Program Files\\Qemu-ga\\qemu-ga.exe\r\nand also for qga (the QEMU guest agent under its other name):\r\nC:\\Program Files\\qga\\qga.exe\r\nIt checks installed software with MsiEnumProductsA and MsiGetProductInfoA: MsiEnumProductsA enumerates all currently installed products, and MsiGetProductInfoA returns product information for published and installed products.\r\nIt opens the service control manager database with OpenSCManagerA and enumerates the installed services with EnumServicesStatusA: OpenSCManagerA establishes a connection to the service control manager on the specified computer and opens the requested database; EnumServicesStatusA enumerates the services in that database, returning the name and status of each service along with additional data depending on the requested information level. Examples of services GuLoader looks for: VMware Tools, VMware Snapshot Provider.\r\nIt checks loaded kernel drivers with EnumDeviceDrivers and GetDeviceDriverBaseName: EnumDeviceDrivers retrieves the load addresses of all device drivers, and GetDeviceDriverBaseName retrieves the base name of the driver at a given load address. Examples of drivers GuLoader looks for: vm3dmp.sys, vm3dmp_loader.sys, vmmouse.sys and vmusbmouse.sys.\r\nAnti analysis:\r\nGuLoader is full of useless junk instructions: pushfd immediately followed by popfd, mov edx,edx, repeated instructions and arithmetic whose result is never used. 
It also uses opaque predicates.\r\nAn opaque predicate is a condition whose outcome is constant (always true or always false) but obfuscated so that the constancy is not obvious; the disassembler sees two possible paths when in fact only one is ever taken.\r\nAll APIs are referenced by DJB2 hash, as we know, but in addition the shellcode XOR-decodes the code around each call just before it executes and XOR-encodes it again afterwards. While encoded, the disassembler treats those bytes as data and does not define functions there, so the listing shows a few instructions followed by something like:\r\n;..............................................\r\n db\r\n db random hex\r\n db\r\n2022\r\nIn 2022 GuLoader started to use NSIS.\r\nWhat is NSIS used for?\r\nNSIS (Nullsoft Scriptable Install System) is a tool that lets programmers create installers for Windows. It is released under an open source license and is completely free for any use. NSIS creates installers that can install, uninstall, change system settings, extract files, and so on.\r\nTrellix [Figure 14]\r\nAnti debugging:\r\nLike a cave-dwelling animal that goes out for food and returns to its cave without being noticed, GuLoader decrypts any data just before it uses it and encrypts it again afterwards, so the cleartext never sits in memory for long. Another example: the first 40 bytes of the shellcode are the routine that decrypts the rest of the code; once it has run, all 40 bytes are overwritten with NOPs (0x90), destroying the decryption routine.\r\nUsing VEH (Vectored Exception Handling, a process-wide mechanism for handling exceptions) GuLoader wastes researchers’ time: it deliberately raises exceptions and disrupts the control flow of the shellcode by redirecting execution to other instructions from a handler registered with RtlAddVectoredExceptionHandler. 
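The hard-coded 4-byte XOR key from the Anti AVs section and the decrypt-then-re-encrypt habit just described come down to the same primitive, so one added example (not code from the post) covers both: a repeating-key XOR routine, the use-then-hide cycle on a code region, and key recovery against an encrypted PE payload. The recovery trick is standard analyst practice that the page does not describe: a PE file contains long runs of zero bytes, XOR with zero leaks the key, so the most frequent key-aligned 4-byte block of the ciphertext is the key. The PE image, the key and the code bytes are all constructed here.

```python
from collections import Counter

def xor_repeating(data, key):
    '''XOR data with a repeating key; the operation is its own inverse.'''
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_xor_key(ciphertext, key_len=4, min_ratio=0.2):
    '''Guess a key_len-byte repeating XOR key from ciphertext whose plaintext is
    mostly zero padding (true of PE headers and most PE files). Returns the key,
    or None if no aligned block is frequent enough to trust.'''
    blocks = Counter(ciphertext[i:i + key_len]
                     for i in range(0, len(ciphertext) - key_len + 1, key_len))
    if not blocks:
        return None
    key, count = blocks.most_common(1)[0]
    if count / (len(ciphertext) // key_len) < min_ratio:
        return None
    return key

def looks_like_pe(data):
    '''Sanity check after decryption: MZ header and a PE signature at e_lfanew.'''
    if len(data) < 0x40 or data[:2] != b'MZ':
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], 'little')
    return data[e_lfanew:e_lfanew + 4] == b'PE' + bytes(2)

def build_fake_pe():
    '''Constructed PE-shaped blob: DOS header, e_lfanew=0x80, zero padding, PE
    signature and i386 machine type, then a few code-like bytes.'''
    img = bytearray(0x200)
    img[0:2] = b'MZ'
    img[0x3C:0x40] = (0x80).to_bytes(4, 'little')
    img[0x80:0x84] = b'PE' + bytes(2)
    img[0x84:0x86] = (0x14C).to_bytes(2, 'little')   # IMAGE_FILE_MACHINE_I386
    img[0x180:0x190] = bytes([0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x33, 0xC0,
                              0x5D, 0xC3, 0x90, 0x90, 0xCC, 0xCC, 0xCC, 0xCC])
    return bytes(img)

class HiddenRegion:
    '''Models the use-then-hide cycle: the region sits XOR-encoded in memory and
    is exposed only for the duration of a with block, like the code around a call.'''
    def __init__(self, plaintext, key):
        self.key = key
        self.buf = bytearray(xor_repeating(plaintext, key))
    def __enter__(self):
        self.buf[:] = xor_repeating(self.buf, self.key)   # decode just before use
        return bytes(self.buf)
    def __exit__(self, *exc):
        self.buf[:] = xor_repeating(self.buf, self.key)   # re-encode right after
        return False
    def at_rest(self):
        return bytes(self.buf)

if __name__ == '__main__':
    key = bytes([0xDE, 0xAD, 0xBE, 0xEF])                 # made-up 4-byte key
    enc = xor_repeating(build_fake_pe(), key)
    guess = recover_xor_key(enc)
    print('recovered key:', guess.hex(), 'PE after decrypt:',
          looks_like_pe(xor_repeating(enc, guess)))
    with HiddenRegion(bytes([0x55, 0x8B, 0xEC, 0xC3]), key) as code:
        print('exposed code:', code.hex())
```

The min_ratio guard matters on real samples: if the payload is compressed before encryption there are no zero runs, the most common block is noise, and the function correctly returns None instead of a wrong key; in that case fall back to a known-plaintext guess such as the MZ bytes at offset 0.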
The exception handler is also used against breakpoints: if the exception is raised because a software or hardware breakpoint is set, execution continues without the expected jump and runs into invalid instructions; if none is set, the handler redirects execution to a new address and the shellcode continues normally.\r\nGuLoader checks for an attached debugger with NtQueryInformationProcess, passing 0x7 (ProcessDebugPort) as the ProcessInformationClass; a non-zero returned value means the process is being debugged.\r\nBesides RegAsm.exe (for process injection) GuLoader has also used caspol.exe and aspnet_compiler.exe as hosts, and then calls NtOpenFile on C:\\Windows\\syswow64\\iertutil.dll (the injection itself works as explained above).\r\nConclusion:\r\nGuLoader does not target a specific nation or industry, but most of its attacks hit e-commerce.\r\n[Figure 15]\r\nIt is simply a service anyone can buy (starting at $100) and use as they please (if GuLoader really is part of CloudEyE).\r\nGuLoader started long ago, is still active and will remain active: its shellcode is polymorphic and changes constantly; its DJB2 API hashes are XORed with a different key every time, so no static table of its API hashes can be kept because they change with every build; and it has adopted NSIS and keeps improving it. The individual anti-debugging tricks are trivial and well known, but combined they make reversing it painful and time-consuming.\r\nAdditional reading & Resources\r\nGuLoader? 
No, CloudEyE.\r\nMalware Analysis: GuLoader Dissection Reveals New Anti-Analysis Techniques and Code Injection Redundancy\r\nGuLoader: Peering Into a Shellcode-based Downloader\r\nGuLoader: The NSIS Vantage Point\r\nDefeating Guloader Anti-Analysis Technique\r\nGuLoader: A fileless shellcode based malware in action\r\n[Down]loaded by GuLoader Malware | DeepInstinct\r\nThe evolution of GuLoader\r\nSpoofed Saudi Purchase Order Drops GuLoader: Part 1\r\nSpoofed Saudi Purchase Order Drops GuLoader — Part 2\r\nGuLoader: The RAT Downloader\r\nDissecting the new shellcode-based variant of GuLoader (CloudEyE)\r\nDancing With Shellcodes: Cracking the latest version of Guloader\r\nPlaying with GuLoader Anti-VM techniques\r\nand many others I no longer remember :(\r\nSource: https://medium.com/@ZainWare/analyzing-guloader-42c1d6a73dfa",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/@ZainWare/analyzing-guloader-42c1d6a73dfa"
	],
	"report_names": [
		"analyzing-guloader-42c1d6a73dfa"
	],
	"threat_actors": [],
	"ts_created_at": 1775434956,
	"ts_updated_at": 1775826693,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b7ff5b5932b95cd88b9cb20cd0bd4d1691336eaa.pdf",
		"text": "https://archive.orkl.eu/b7ff5b5932b95cd88b9cb20cd0bd4d1691336eaa.txt",
		"img": "https://archive.orkl.eu/b7ff5b5932b95cd88b9cb20cd0bd4d1691336eaa.jpg"
	}
}