{
	"id": "d105eca5-8e48-4fc0-8d94-2f02a044b588",
	"created_at": "2026-04-06T00:15:03.970814Z",
	"updated_at": "2026-04-10T13:11:27.977667Z",
	"deleted_at": null,
	"sha1_hash": "cc3f94d8d22e0335342116fc244a9300dde647b3",
	"title": "GuLoader Downloaded: A Look at the Latest Iteration",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 41967,
	"plain_text": "GuLoader Downloaded: A Look at the Latest Iteration\r\nBy Adi Bleih\r\nPublished: 2024-03-11 · Archived: 2026-04-05 15:35:28 UTC\r\nWhat is GuLoader?\r\nGuLoader is a prominent shellcode-based downloader that has been used in many attacks to deliver a diverse array of highly sought-after malware strains.\r\nFor over three years, GuLoader has remained active and continues to evolve through ongoing development. The latest iteration introduces novel anti-analysis techniques that make analysis extremely difficult. Recent GuLoader samples consistently receive zero detections on VirusTotal, concealing their malicious payloads.\r\nGuLoader fully encrypts its payload, including the PE headers. This lets threat actors stockpile payloads on widely used public cloud services, circumventing antivirus safeguards and keeping the payloads available for extended periods.\r\nIn its earlier forms, GuLoader was a VB6 application containing encrypted shellcode. The prevalent versions now use VBScript and the NSIS installer. The VBScript variant stores the shellcode on a remote server as part of its configuration.\r\nGuLoader Delivery Methods\r\nGuLoader is written in encrypted shellcode wrapped in a Visual Basic 6 (VB6) executable. Notably, it stores second-stage payloads in cloud drive services, usually Google Drive or Microsoft OneDrive. This way it can establish a connection and download the executable without raising any red flags. The payload is usually encrypted, allowing it to slip past the cloud host’s security measures.\r\nThe distribution method of GuLoader is very typical. The loader is usually delivered as an Office document attachment in spam email campaigns. When downloaded, it uses a macro to install the malicious program. Sometimes it is also delivered as an executable in a .rar archive.\r\nDuring the pandemic, many campaigns exploited the fear surrounding Covid-19 by mentioning the virus. More recently, attackers have been using fake payment invoices: they impersonate a bank and use social engineering to trick the victim into downloading an infected file to check “payment details.”\r\nThe Impact of GuLoader\r\nGuLoader is available as a service for a relatively low price, is easy to find on the clearnet, and comes with easy-to-follow instructions. No wonder, then, that its creators claim to have over 5000 clients. Given the combination of advanced evasion tricks and ease of use, we expect its popularity to continue to grow.\r\nMalware loaders, often referred to as “crypters,” play a significant role in the propagation of Remote Administration Tools (RATs) and data-stealing malware that targets individual user information. The Personally Identifiable Information (PII) stolen from compromised endpoints is predominantly collected and sold on underground data marketplaces. This has a cascading impact on enterprises: critical authentication data leaked from users’ personal devices ends up granting unauthorized access to corporate networks.\r\nGuLoader is extensively used in large-scale malware campaigns to infect users’ systems with prevalent data-stealing malware such as Raccoon, Vidar, and Redline. These campaigns are also responsible for disseminating commodity RATs like Remcos.\r\nSource: https://cyberint.com/blog/other/guloader-downloaded-a-look-at-the-latest-iteration/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cyberint.com/blog/other/guloader-downloaded-a-look-at-the-latest-iteration/"
	],
	"report_names": [
		"guloader-downloaded-a-look-at-the-latest-iteration"
	],
	"threat_actors": [],
	"ts_created_at": 1775434503,
	"ts_updated_at": 1775826687,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cc3f94d8d22e0335342116fc244a9300dde647b3.pdf",
		"text": "https://archive.orkl.eu/cc3f94d8d22e0335342116fc244a9300dde647b3.txt",
		"img": "https://archive.orkl.eu/cc3f94d8d22e0335342116fc244a9300dde647b3.jpg"
	}
}