{
	"id": "5d704f16-1a02-4bdb-a3ac-b0c531349403",
	"created_at": "2026-04-06T00:08:31.405147Z",
	"updated_at": "2026-04-10T03:21:27.327119Z",
	"deleted_at": null,
	"sha1_hash": "e68ad84619f586d584bddc54d882b4cbeeff8026",
	"title": "Unveiling the Shadows: The Dark Alliance between GuLoader and Remcos - Check Point Research",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 128719,
	"plain_text": "Unveiling the Shadows: The Dark Alliance between GuLoader and\r\nRemcos - Check Point Research\r\nBy alexeybu\r\nPublished: 2023-09-19 · Archived: 2026-04-05 14:38:07 UTC\r\nIntroduction\r\nIn a recent disturbing development, software advertised as legitimate has become the weapon of choice for cybercriminals.\r\nTwo notable examples of this behavior are the Remcos RAT (remote administration tool) and GuLoader (also known as\r\nCloudEyE Protector).\r\nThese programs, which are positioned as legitimate tools, are constantly used in attacks and occupy top positions in the most\r\nprevalent malware rankings. While the sellers state that these tools should only be employed lawfully, a deeper truth is that\r\ntheir primary customers are none other than cybercriminals.\r\nFigure 1 – Remcos and GuLoader rankings in the Top 10 Wanted Malware\r\nIn our new study, we found a strong link between these dual-use agents. As Remcos is easily detected by antivirus solutions,\r\nit is difficult to use for criminal purposes. However, GuLoader can be used to help Remcos bypass anti-virus protection.\r\nDuring our research, we discovered that GuLoader is now sold under a new name on the same platform as Remcos and is\r\nimplicitly promoted as a crypter that makes its payload fully undetectable by antiviruses (FUD). In addition, the\r\nadministrator who oversees this platform also manages the BreakingSecurity website, which is the official website of\r\nRemcos RAT and related Telegram channels. 
We found evidence that the individual behind the Remcos and GuLoader sales\r\npersonally uses malware such as Amadey and Formbook, and also uses GuLoader as protection against antivirus detection.\r\nDomain names and IP addresses associated with the Remcos and GuLoader seller appear in malware analyst reports.\r\nThese revelations lead us to the conclusion that the sellers of Remcos and GuLoader are clearly aware that their tools are\r\nembraced by cybercriminals, despite their protestations of innocence. Our investigation culminates in the exposure of the\r\nindividual responsible for selling Remcos and GuLoader, unveiling their social networks and shedding light on the\r\nsubstantial monthly income generated through these illicit activities.\r\nGuLoader \u0026 Remcos\r\nMore than three years since it first appeared, GuLoader continues to pose problems for both regular users and antivirus\r\nsoftware developers. It is worth recalling that GuLoader is a highly protected shellcode-based loader that employs numerous\r\ntechniques to prevent both manual and automated analysis. In addition, in recent samples, a multi-stage loading of code\r\nfragments from remote servers is utilized through the use of .LNK files, VBS, and PowerShell scripts. The combination of\r\nthese techniques allows GuLoader samples to achieve a zero-detection rate on VirusTotal and deliver any malicious payload\r\nonto the victim’s computer.\r\nIn 2020, we exposed an Italian company that was selling the CloudEyE product through the website securitycode.eu and\r\nrevealed its direct affiliation with GuLoader. Our findings forced the creators of CloudEyE to temporarily suspend their\r\noperations. 
On their website, they posted a message saying that their service is designed to protect intellectual property, not\r\nto spread malware.\r\nhttps://research.checkpoint.com/2023/unveiling-the-shadows-the-dark-alliance-between-guloader-and-remcos/\r\nPage 1 of 22\n\nFigure 2 – Official statement about CloudEyE suspension on the securitycode.eu website.\r\nAfter a few months passed, their website resumed the sale of CloudEyE. Soon afterwards, we observed an increase in the\r\nnumber of new GuLoader attacks in our telemetry, as well as the appearance of new versions. Currently, we monitor dozens\r\nof new GuLoader samples on a daily basis.\r\nFigure 3 – Number of attacks involving GuLoader per day in the last 6 months.\r\nIn our previous article about the latest versions of GuLoader, we purposefully omitted any connection between CloudEyE\r\nand the new version of GuLoader because we observed the distribution of GuLoader under an alternative name “The\r\nProtector” on the website named “VgoStore.”  VgoStore, as it turns out, is closely related to Remcos.\r\nRemcos is a well-known remote surveillance tool, marketed for supposedly legitimate tracking and monitoring purposes.\r\nSince its appearance in 2016, we have been monitoring Remcos in many phishing campaigns. In addition to its typical\r\nremote administration tool features, Remcos includes uncommon functionalities such as man-in-the-middle (MITM)\r\ncapabilities, password stealing, tracking browser history, stealing cookies, keylogging, and webcam control.  These features\r\ngo beyond the typical scope of a RAT and suggest a more intrusive and malicious intent.\r\nThe start of our investigation\r\nAfter the disappearance of CloudEyE ads on hacker forums, we began to look for any mention of CloudEyE Protector on the\r\nInternet. 
On the first page of the Google search results we found a link to the Utopia project website, where CloudEyE\r\nProtector is listed in the “Merchants” section right after BreakingSecurity – the official website of the Remcos RAT:\r\nFigure 4 – BreakingSecurity and CloudEyE advertisements on the Utopia website.\r\nWe also noted that in 2022-2023, the number of Remcos samples amounted to almost a quarter of all\r\nsuccessfully decrypted GuLoader payloads for which we were able to identify a malware family.\r\nFigure 5 – Identified GuLoader payloads.\r\nIn other words, in the past year Remcos has become the most common malware distributed using GuLoader. As we will\r\nshow, this is not a coincidence.\r\nVGO TheProtect – the new brand for GuLoader\r\nRemcos was first marketed and sold on hacking forums and later on a dedicated website called\r\nBreakingSecurity[.]net. Starting in 2022, it became possible to find Remcos sales on another website called\r\nVgoStore[.]net. 
VgoStore is advertised as an official reseller of Remcos in the @BreakingSecurity_Group Telegram\r\ngroup, which is run by the moderator nicknamed “EMINэM” (usernames @breakingsecurity, @emin3m,\r\n@Break1ngSecurir1ty):\r\nFigure 6 – VgoStore ads on the BreakingSecurity Telegram group by EMINэM.\r\nAt VgoStore, in addition to BreakingSecurity’s Remcos, you can also find a full package for malicious distribution and\r\ninitial access tool kits, such as “Excel and Doc Exploit”, LNK Exploit, RDP accounts, private DNS, crypters, and so on.\r\nSuch tools are marked as “educational.”\r\nAmong these tools, our attention was drawn to TheProtect (Private Protecting Service):\r\nFigure 7 – TheProtect is one of the tools sold on the VgoStore website.\r\nIn addition to the @BreakingSecurity_Group Telegram group, EMINэM also maintains a Telegram group for VgoStore\r\ncalled @VgoStore_Group. In those groups, EMINэM and another administrator “VGO” pushed TheProtect whenever users\r\nasked for a crypting service. It is also worth noting that in one message TheProtect is mentioned by EMINэM as a tool that\r\nhelps Remcos bypass Windows Defender (WD):\r\nFigure 8 – TheProtect is advertised in BreakingSecurity and VgoStore Telegram groups.\r\nAt the same time, in the BreakingSecurity Telegram group, administrators seemingly try to distance themselves from\r\nmalicious activity, saying that they only provide a way to whitelist Remcos for antivirus, but not bypass the protection. 
This is in contrast to the VgoStore group, where TheProtect is advertised as a service that provides “runtime FUD” (that is,\r\ncompletely undetectable by antiviruses when the sample is executed):\r\nFigure 9 – Messages posted by VGO and EMINэM in BreakingSecurity and VgoStore Telegram groups.\r\nTheProtect has two protection methods: Private Protect and Script Protect:\r\nFigure 10 – TheProtect protection methods.\r\nAccording to the VgoStore website, the provided file for the Script Protect is VBS instead of an EXE file.\r\nThe term “Private Protect” can be misleading, as it may give the impression that each customer receives a unique tool.\r\nHowever, upon further examination of the videos in VgoStore’s Telegram group and YouTube channel, it becomes apparent\r\nthat two types of encryption services are available: one based on NSIS (Nullsoft Scriptable Install System), and\r\nanother based on VBS (Visual Basic Scripting).\r\nThis struck us as suspiciously similar to the most common GuLoader variants, one of which is a VBS variant and the second\r\none is an NSIS variant.\r\nWe should note that Script Protect is extremely expensive. It is sold at $7000 for 4 protected files in the 30-day period. For\r\nboth Script Protect and Private Protect, they state “We reserve 3 days max to provide the protected software.” This made us\r\nthink that the protection process is not fully automated. This means that buyers likely do not receive the builder that\r\nautomatically produces protected files, as was done in the case of CloudEyE.\r\nTheProtect VBS variant\r\nAs we wrote previously, VgoStore has a Telegram group @VgoStore_Group where product updates are published, and\r\nclients can get support. 
In this group, administrators often post videos demonstrating their product features.\r\nFigure 11 – VgoStore Telegram group.\r\nIn one of the videos (https://t.me/VgoStore_Group/13729) published in this group on March 5, 2023, by the user\r\n@VgoStore, they demonstrate an attack using an LNK file disguised as a PDF.\r\nFigure 12 – Video published in the VgoStore Telegram group.\r\nIn this video, we see how clicking on an LNK file causes the new process “eilowutil.exe” to initiate a TCP connection with\r\nthe remote server “84.21.172.49:1040”. Before launching the LNK file, the video shows that all Windows Defender features\r\nare enabled, and Windows Defender did not raise any alerts throughout the execution.\r\nThe video provided significant details about the sample being tested, which allowed us to restore the complete attack chain.\r\nAt the 01:13 mark, we can briefly see the command line of the powershell.exe process displayed by Process Hacker. This\r\nallowed us to identify the sample demonstrated in this video (SHA256:\r\nc914dab00f2b1d63c50eb217eeb29bcd5fe20b4e61538b0d9d052ff1b746fd73) and find it on VirusTotal using a behavior\r\nsearch query:\r\nFigure 13 – Process command line demonstrated on the video allowed us to find a related sample on VirusTotal.\r\nWhen we downloaded the script, we found that it is similar to the VBS variant of GuLoader that we described in our article\r\nCloud-Based Malware Delivery: The Evolution of GuLoader. 
The only difference from the version we described in our\r\nprevious article is that the shellcode is embedded in the VBScript in the BASE64-encoded form and then placed into the\r\nregistry:\r\nFigure 14 – BASE64-encoded encrypted data stored in the registry.\r\nAnother part of the VBScript contains a PowerShell script with two layers of obfuscation. The script contains the strings that\r\nwere observed in the screenshot from the video, which were used to identify this malicious sample ( $Tjringernes = ,\r\nDiu;DyrFAttuEncnNatcWootLobiLsioReknUnd ):\r\nFigure 15 – Part of the VBS containing an obfuscated PowerShell script.\r\nAfter the deobfuscation, we got the following code:\r\nFigure 16 – Deobfuscated PowerShell script.\r\nThis code loads base64-encoded data from the registry, decodes and runs it using the CallWindowProcA API function in\r\nthe same way as described in the article Cloud-Based Malware Delivery: The Evolution of GuLoader. The first 645 bytes\r\nof this code are not encrypted and contain the code of the decrypter. The rest of the data contains the encrypted shellcode.\r\nOur tools for automated analysis of malicious samples identified the encrypted data as GuLoader and successfully decrypted\r\nthe shellcode, including the GuLoader configuration, the URL for downloading the payload, and the payload decryption key:\r\nFigure 17 – Decrypted GuLoader configuration.\r\nAs of this writing, the URL “hxxp://194[.180.48.211/nini/EAbsGhbSQL10.aca” was still active. Therefore, we were able\r\nto download the final payload (SHA256 7bd663ea34e358050986bde528612039f476f3b315ee169c79359177a8d01e03).\r\nWe used the key extracted from the GuLoader shellcode to decrypt it. 
The decrypted sample appeared to be the Remcos\r\nRAT with SHA256 25c45221a9475246e20845430bdd63b513a9a9a73ed447bd7935ff9ecee5a61e.\r\nFigure 18 – Restored part of the GuLoader attack chain.\r\nWe extracted and decrypted the C\u0026C configuration from this Remcos sample and found it contains an address of the C\u0026C\r\nserver “84.21.172.49:1040” that we previously saw in the video:\r\nFigure 19 – Decrypted Remcos C\u0026C configuration.\r\nFinally, using the VirusTotal Relations tab for the initially found GuLoader VBS sample “Leekish.vbs”, we also discovered\r\na URL from which the file was downloaded: “hxxp://194.180.48.211/nini/Leekish.vbs”. This address was also revealed in\r\nthe video at the 01:37 mark:\r\nFigure 20 – URL for downloading the initial VBS sample found on VirusTotal.\r\nAnother interesting social engineering trick demonstrated in the video (frame 00:45) is the manipulation of the LNK file to\r\nmislead the user into believing it is a PDF document. Even when the user hovers over the LNK file, the tooltip shows,\r\n“Type: PDF Document.” In addition, if the user double-clicks on the LNK file, it actually opens a decoy PDF file, while the\r\nmalicious process runs silently in the background.\r\nThis is accomplished through the following simple steps:\r\n1. The file extension is changed to “.pdf.lnk”, taking advantage of the fact that Windows hides file extensions by default.\r\n2. The LNK description is modified to display “PDF Document”, exploiting the fact that Windows shows the contents\r\nof the shortcut Description field. Note that the size displayed in the tooltip differs from the actual file size. The tooltip\r\nshows “Size: 7.11Kb” which is taken from the Description field of the shortcut, while the file size is actually 3Kb.\r\n3. The icon source is changed to show the PDF icon.\r\n4. 
The LNK file also downloads and executes a decoy PDF file.\r\nFigure 21 – LNK file disguised as a PDF document.\r\nWe found an LNK file on VirusTotal (SHA256:\r\n63559daa72c778e9657ca53e2a72deb541cdec3e0d36ecf04d15ddbf3786aea8) that refers to the mentioned URL and\r\ncontains exactly the same Description field:\r\nFigure 22 – Parsed LNK file.\r\nThis malicious shortcut file abuses the legitimate script SyncAppvPublishingServer.vbs, which is present in the\r\nWindows System32 folder, to run arbitrary PowerShell commands. The command line arguments contain PowerShell\r\ncommands to download and run the malicious script “Leekish.vbs” and a PDF decoy. The PDF icon from the msedge.exe\r\nfile is used as the shortcut icon.\r\nSo, we have restored the complete attack chain demonstrated in the video and identified most of the files and components\r\ninvolved. The “script protected file” mentioned in the video appears to be the Remcos RAT with a C\u0026C server at\r\n“84.21.172.48:1040”. We identified the protector as the VBS version of GuLoader:\r\nFigure 23 – Complete attack chain shown on the video from the VgoStore Telegram group.\r\nThis attack chain is similar to what we have already seen from previous attacks of GuLoader, as was also described in the\r\nRedCanary blog.\r\nThis VBS and the LNK samples are particularly intriguing because we came across them as part of an attack targeting CPAs\r\nand accountants during the US tax season in the past year (February 2023). The aforementioned indicators of compromise\r\n(IOCs) can be found listed in the Securonix and Sophos blogs.\r\nTheProtect NSIS variant\r\nVgoStore also has a YouTube channel (https://www.youtube.com/@VgoStore). The video “Lnk Exploit” published on April\r\n12, 2023, is very similar to the video that we analyzed above. 
The presenter downloads an archive containing an LNK file\r\nand runs this LNK file. As shown in the video, at the same time, all recent Windows updates are installed, and security\r\nfeatures are enabled. Just as in the previous case, if we stop the video at 2:11 we can see a command line of the\r\npowershell.exe process created as a result of running the LNK file.\r\nFigure 24 – Command line containing URLs.\r\nThe process command line in the screenshot above contains 2 URLs. As of this writing, both URLs were active, which\r\nallowed us to download the files.\r\nURL | Target URL | SHA256 | Description\r\nhttps://rebrand[.ly/thctn68 | https://img.softmedal[.com/uploads/2023-04-12/801271453672.jpg | d2523a35267c9417969a880aa822b9d6af85e46e83b143979a177a292f347fb6 | Decoy PDF\r\nhttps://rebrand[.ly/n9huuth | https://img.softmedal[.com/uploads/2023-04-12/140562263496.jpg | f9edc031e26e9d37e740acfd3739cc3f0a442bb14ec34d9b2ddbf79db56e073f | GuLoader NSIS variant\r\nOne of the samples is a decoy PDF, the second one is an NSIS installer package.\r\nFigure 25 – VirusTotal report for the sample demonstrated in EMINэM’s video.\r\nWe were able to classify this file as the NSIS variant of GuLoader and decrypted its configuration. In this GuLoader\r\nsample’s configuration, we found a URL with the same IP address but with a different path:\r\nFigure 26 – Decrypted GuLoader configuration.\r\nThe URL for downloading the GuLoader payload “hxxp://194[.180.48.211/ray/BdNnKAT84.bin” is no longer active, so\r\nwe used VirusTotal to obtain the encrypted payload (SHA256:\r\nde11c14925357a978c48c54b3b294d5ab59cffc6efabdae0acd1a17033fe6483). 
We decrypted the final payload, and it\r\nappears to be the Remcos RAT (SHA256: 83df18f8e28f779b19170d2ca707aa3dbcee231736c26f8ba4fbd8768cd26ba6)\r\nwith the C\u0026C server address “mazzancollttyde.business:7060” (185.126.237.209):\r\nFigure 27 – Decrypted Remcos C\u0026C configuration.\r\nIt turns out that in this case, GuLoader was also used for the delivery of the Remcos RAT, but this time the NSIS variant.\r\nThrough the analysis of these two videos, we were able to discover what type of payload was used. But most importantly,\r\nwe saw that the executable files protected by the “TheProtect” tool sold in VgoStore are identical to GuLoader. In these videos,\r\nwe found both variants of GuLoader (NSIS and VBScript variants) that we have seen in the wild. Most likely, these variants\r\ncorrespond to the types of protection service that you can buy from TheProtect: Private Protect (corresponding to the NSIS\r\nvariant), and Script Protect (corresponding to the VBScript variant).\r\nGuLoader from the VgoStore and connection with CloudEyE\r\nWhen we conducted our research, our first concern was whether the samples we see now in 2023 are really the same\r\nGuLoader that we connected to CloudEyE from Securitycode.eu in 2020.\r\nIndeed, GuLoader now looks really different. The execution does not involve a VB6 application like it did in GuLoader from\r\n2020. Now it is distributed in the form of a VBS script or NSIS executable. The only thing the 2020 and 2023 versions still\r\nhave in common is the core of GuLoader functionality – the encrypted shellcode. However, this part also changed\r\nsignificantly. As we described in our previous article, the developers of GuLoader utilize new obfuscation techniques that\r\nmask the real execution flow and make automatic disassembling tools and debuggers fail to analyze the code. The new\r\nversion also implements data obfuscation using arithmetic operations.\r\nHowever, we still managed to find similarities in the code. 
In the screenshot below, you can see that both versions use an\r\nanti-debug trick: patching the DbgUiRemoteBreakIn and DbgBreakPoint functions. Despite the fact that the assembly code\r\nis very different due to the obfuscation in the new version, in both GuLoader versions from 2020 and 2023 the same bytes\r\nare used to overwrite the code of these functions, as can be seen after deobfuscating the code.\r\nFigure 28 – Code similarities in GuLoader versions from 2020 and 2023.\r\nIn general, regarding anti-analysis techniques, the list is very similar in both versions. It is apparent that the number of anti-analysis techniques expands with the release of each new version.\r\nIn addition, all versions of the shellcode use a large structure to store global variables that may be needed at various stages\r\nof shellcode execution. The base address of this structure is stored in the EBP register. The offsets of some variables in this\r\nstructure changed between versions, while other offsets remain the same.\r\nWe considered 2 samples: the one we analyzed recently in 2023 (MD5: 40b9ca22013d02303d49d8f922ac2739) and the\r\nolder one from 2020 (MD5: d621b39ec6294c998580cc21f33b2f46).\r\nFigure 29 – Same offsets of API function pointers in the global structure in GuLoader from 2020 (CloudEyE) and GuLoader\r\nfrom 2023.\r\nYou can see that in both samples the offsets of the variables storing the addresses of many API functions are the same.\r\nWe also have samples of intermediate versions of GuLoader at our disposal, which we identified in 2021 and 2022. Let’s\r\ncompare the code for the decryption routine that we extracted from the sample first seen in 2021 (MD5:\r\nabf39daaa33505f26959db465116f21f) with the routine in the 2023 GuLoader sample from the previous example (MD5:\r\n40b9ca22013d02303d49d8f922ac2739). 
The assembly code in these functions is slightly different due to the obfuscation.\r\nHowever, if we use a decompiler, we get identical results for both samples.\r\nFigure 30 – Same decompiled code in GuLoader versions from 2021 and 2023.\r\nOur tools for automatic malware classification and configuration extraction identify these samples as GuLoader due to\r\nsimilar behavioral and code patterns.\r\nFigure 31 – Samples from 2021, 2022 and 2023 are identified as GuLoader.\r\nWe used automated analysis to process more than 6 thousand GuLoader samples sorted by the date first seen and identify\r\ndifferent versions of GuLoader. This also allowed us to build a timeline of GuLoader shellcode versions. In the chart below,\r\nwe marked versions with significant changes in the algorithms for the encryption and obfuscation of data; strings, including\r\nthe URL for downloading the payload; and payload decryption keys:\r\nFigure 32 – Timeline of different GuLoader shellcode versions.\r\nThis chart shows that with each new version of the GuLoader shellcode, the number of samples of the old versions was\r\nconsiderably reduced. All the facts listed above lead us to conclude unequivocally that the new versions of GuLoader,\r\nincluding the samples demonstrated by VgoStore, are still the same malware, whose connection with CloudEyE and\r\nSecuritycode.eu we showed in 2020.\r\nWho is behind BreakingSecurity and VgoStore\r\nAs we mentioned earlier, the user with the nickname “EMINэM” is a moderator of the official Telegram group of\r\nBreakingSecurity.net:\r\nFigure 33 – EMINэM Telegram user details.\r\nWe can see very specific artifacts in the videos posted by EMINэM. 
Among them are custom icons for “This PC” and the\r\nfolder “EM1NeM” on the desktop, as well as a very specific desktop background related to Mortal Kombat:\r\nFigure 34 – EMINэM’s desktop artifacts.\r\nWe can use these to identify videos created by EMINэM.\r\nLet’s now move to the @VgoStore_Group. Among the administrators of this group, we can see two users: EMINэM (with\r\na custom title “Trusted Vendor”) and VGO (@VgoStore):\r\nFigure 35 – VgoStore Telegram group administrators.\r\nVGO and EMINэM pretend to be different users. We can even find a “conversation” between them in this group:\r\nFigure 36 – “Conversation” between VGO and EMINэM.\r\nHowever, if we carefully watch the videos posted by the user VGO, we notice the same artifacts we found in the videos posted by the user\r\nEMINэM:\r\nFigure 37 – EMINэM’s desktop on a video posted by VGO.\r\nRegarding the artifacts of EMINэM’s desktop in this video, we noticed one more detail. We see the user connects to a\r\nremote host through WinSCP and opens the folder “/var/www/html/zarath”. We found an open directory with the same\r\nname on the host “194.180.48.211” that we discovered while analyzing the video in which the user VGO demonstrated the\r\nVBS variant of TheProtect that we identified as GuLoader.\r\nBased on this, we can assume that both BreakingSecurity and VgoStore Telegram groups are controlled by the same\r\nperson, and that he also owns both accounts – EMINэM and VGO.\r\nNext, we tried to search “VgoStore” in Google, and found the user “vgostore” asking for help with WordPress plugins at the\r\n“wordpress.org” website forum. 
During the conversation, the user published links for two unlisted YouTube videos that\r\nbelong to the YouTube user “EMINe M” (@BreakingSecurity):\r\nFigure 38 – Unlisted YouTube videos published by EMINэM at the “wordpress.org” website forum.\r\nAt the beginning of the video “2023 01 26 15 18 16” (https://www.youtube.com/watch?v=L8yB_xybTPs), we see the\r\nfamiliar Mortal Kombat wallpaper that we saw on EMINэM’s desktop in other videos. We can also see the IP address\r\n“173.212.217.108” of the remote desktop through which EMINэM accesses the web hosting panel and the email\r\n“abudllah.alshamsy(at)gmail[.]com”:\r\nFigure 39 – IP address of the server managed by EMINэM via remote desktop.\r\nIn the second video (“2023 01 26 20 02 07”, https://www.youtube.com/watch?v=KHp07C3DgWo) we observe the VgoStore\r\nWordPress admin panel, and the “Orders” tabs of both BreakingSecurity and VgoStore open simultaneously:\r\nFigure 40 – “Orders” tabs of both BreakingSecurity and VgoStore open simultaneously in EMINэM’s video.\r\nDespite the attempts to conceal any direct affiliation to VgoStore, EMINэM turns out to be the manager of both the\r\nBreakingSecurity and VgoStore websites and Telegram groups.\r\nEMINэM’s identity\r\nOne of the videos published by EMINэM on the WordPress forum (“2023 01 26 15 18 16”,\r\nhttps://www.youtube.com/watch?v=L8yB_xybTPs) is quite long. During the recording, EMINэM repeatedly switched\r\nbetween different windows, and some of the frames showed sensitive data that helped our investigation. 
The carelessness\r\nwith which EMINэM treats information security suggests that he thinks he has nothing to fear from the law.\r\nEMINэM uses the name “Rabea Akram” for his email (expert.eminem@gmail[.]com) and in the communications related\r\nto website administration (5:38):\r\nFigure 41 – EMINэM’s fake name used in relation to the websites he administers.\r\nIn the same video, at 10:36, we can see that EMINэM booked a flight under the name “Shadi Gharz Elddin”:\r\nFigure 42 – EMINэM’s real name in the flight booking confirmation email.\r\nWe easily found the Facebook and Twitter accounts of Shadi Gharz, on which he openly writes that his place of work is\r\nBreakingSecurity:\r\nFigure 43 – Shadi Gharz social network page.\r\nKnowing that EMINэM’s real name is Shadi, we can assume that the source for choosing the nickname “EMINэM” most\r\nlikely was the song “The Real Slim Shady” by the artist Eminem.\r\nMalicious activity conducted by EMINэM\r\nIn addition to the previously mentioned samples which were utilized in attacks specifically targeting CPAs and accountants\r\nduring the US tax season (SHA256: 63559daa72c778e9657ca53e2a72deb541cdec3e0d36ecf04d15ddbf3786aea8,\r\nc914dab00f2b1d63c50eb217eeb29bcd5fe20b4e61538b0d9d052ff1b746fd73), we discovered that EMINэM is the\r\nindividual responsible for orchestrating numerous attacks over the past few years. Let us examine some of these attacks.\r\n1. In a video https://youtu.be/5xpYjLbDpnE?t=84 posted by EMINэM in 2021, at mark 1:24 we see the browser history\r\nrecords:\r\nFigure 44 – EMINэM’s browser history entries contain addresses of Formbook C\u0026C servers.\r\nThe list above contains addresses of Formbook info stealer panels used to control bots and retrieve stolen data. 
Here is a list\r\nof Formbook samples using C\u0026C servers with the given addresses:\r\nSHA256 | Description | IOCs in the sample\r\n36d0c2e7f20f3ff81c4e7f25b66551f1dd2d736775e0994d39aca4c73cb658bb | Formbook 4.1 | ryandeby.com/private/\r\n7b2d1dc5fecb9e8821545af477721b45b4b4817adced81c78479e53c2e3028f5 | Formbook 4.1 | alienzouks.com/private/\r\n2. In different videos published by EMINэM, we noticed several IP addresses of the servers that he manages through RDP or\r\nSFTP.\r\nWe were able to download the current contents of the open directory “hxxp://194.180.48.211/zarath/” mentioned above:\r\nFigure 45 – Contents of “194.180.48.211/zarath/”.\r\nWe identified a portion of the files in this folder as GuLoader encrypted shellcode, and the rest as encrypted payloads, most\r\nof which are Remcos. While the developers may claim that Remcos and GuLoader (CloudEyE, TheProtect) are legitimate\r\nsoftware, we also found two truly malicious payloads in this folder that we identified as Amadey Loader, and the\r\ncorresponding GuLoader shellcodes that load and decrypt those payloads:\r\nURL | SHA256 | Description | IOCs in the sample\r\nhxxp://194[.180.48.211/zarath/Found.dwp | 9294279b158b48a5ac498070d4687e37f6efdac460684fc6cc30eee875cd1257 | GuLoader encrypted shellcode (BASE64-encoded) | hxxp://194.180.4\r\nhxxp://194[.180.48.211/zarath/ClgRRi242.bin | ab9ecfc10f1e537e2c4a31da2b9ffd7fd0d696b59eb72da48ae2d11df639d120 | Encrypted Amadey payload (downloaded by GuLoader) | 
hxxp://194[.180.48.211/zarath/ClgRRi242.bin | 42b9f3c3b5cf44db9e371093e400fc087a9b7324b4875f4eef5efbde3b984157 | Decrypted Amadey payload | hxxp://176.113.1\r\nhttp://194[.180.48.211/zarath/Investor15.snp | 618bf81ba49b99210ea91fe359daf420596b58f37636d8dea1bf012ce081d1ae | GuLoader encrypted shellcode (BASE64-encoded) | hxxp://194.180.4\r\nhxxp://194[.180.48.211/zarath/nnUZPAKgeThwygwKG104.bin | 4c85469c2d3a8871a767df084db3216988b213e4c1928a1b8133aca3874765de | Encrypted Amadey payload | \r\nhxxp://194[.180.48.211/zarath/nnUZPAKgeThwygwKG104.bin | 9a02ea9ef7ffe6d1372bd099336ea414386d5041c78151f3b71ff33b0d307f74 | Decrypted Amadey payload | hxxp://176.113.1\r\n3. In a video posted by EMINэM in the @BreakingSecurity_Group Telegram group on April 19, 2022, we see how he\r\nconnects to a remote server named “CaliPB” and the IP address “38.242.193.23” as a root user (which means that he is the\r\nowner of this server):\r\nFigure 46 – EMINэM connects to his server as a root user using WinSCP.\r\nIn the next screenshot we see the contents of the “/var/www/html” folder, which is accessible through the web. Our\r\nattention was attracted by a subfolder named “private”:\r\nFigure 47 – Contents of folder “/var/www/html” on EMINэM’s server.\r\nUnfortunately, the contents of the “private” folder could not be retrieved. However, we were still able to find related\r\nsamples using VirusTotal.\r\nWe analyzed samples previously downloaded from the host “38.242.193.23”. 
Among them, we found GuLoader and\r\nRemcos:\r\nURL | SHA256 | Description | IOCs in the sample\r\nhxxp://38[.]242.193.23/1.exe | 0db693472b4ca6f3ec1effc03d47c288f15ed06b7d4e172f8192047d3e800db1 | GuLoader | hxxp://194[.]180.48.211/frog/dnsJR\r\nhxxp://194[.]180.48.211/frog/dnsJRjnsci193.sea | 723ac2c81529c534e97cfd73d89b2479dfc34909c4814324b71147b391896979 | Remcos payload (downloaded by GuLoader) | 173.212.217.108, zab4ever.no-ip.o, 185.217.1.137\r\nhxxp://38[.]242.193.23/private/radios.exe | 791845e2c97b9a70f35075be963a88f0410201145953179303a4c689ccd8ac4a | Remcos | 173.212.217.108, 1zab4ever.no-ip., 185.217.1.137\r\nIn this table, we again see the IP addresses “194.180.48.211” and “173.212.217.108” that we linked to EMINэM earlier.\r\nBut now we also see a new IP address, “185.217.1.137”, used as a Remcos C\u0026C server. This IP address belongs to nVPN,\r\nwhich provides a port forwarding service, and is likely used by EMINэM to hide the real IP address of his Remcos C\u0026C\r\nserver. 
Our assumption is confirmed by the fact that in one of the videos we saw an email from nVPN in EMINэM’s\r\nmailbox:\r\nFigure 48 – nVpn.net confirmation email received by EMINэM.\r\nWe also found a domain name, “vrezvrez.com”, that resolved to the IP address “38.242.193.23” during the period when\r\nthis video was recorded.\r\nWe found five Formbook samples of version 4.1 with the C\u0026C server URL “vrezvrez.com/private/”:\r\nSHA256 | Description | IOCs in the sample\r\nd844221b683b4308b60fe80e23e6e3e618e07d36381b03da746e580e805d1814 | Formbook 4.1 | vrezvrez.com/private/\r\n84b3c700ebdb8da0dde2ee19c88e957389051d484386d2859d27dc56b6c30157 | Formbook 4.1 | vrezvrez.com/private/\r\n496924a13efee60c314947f296d6095b07a1ef6920fcc502d06ffa6c4a9a32e1 | Formbook 4.1 | vrezvrez.com/private/\r\nb93821edca20bd777e3f4a17aac0f9e5d4ddb351bdf2ba7ce1b0eecc7e3890f2 | Formbook 4.1 | vrezvrez.com/private/\r\naeb95fd2613e369ee8a885124dc4f717d21a337216f75101f5066ed48bc48ca3 | Formbook 4.1 | vrezvrez.com/private/\r\nTherefore, the evidence makes a comprehensive case for the involvement of EMINэM in carrying out attacks not only with\r\nRemcos and GuLoader but also with well-known malware such as Formbook and Amadey Loader.\r\nRevenue\r\nThe unlisted YouTube video “2023 01 26 15 18 16” uploaded by EMINэM that we found on the WordPress forum contains a\r\nlot more data that helped us in our investigation. At 5:41 we see the inbox of EMINэM’s Gmail account. Our attention was drawn\r\nto an email from the service “tochkaobmena.com”. 
In the video it was possible to recover the link from the email:\r\nhttps://tochkaobmena.com/hst_FhaMv1rUzBTMfXlgR71vRjafr47K0wQyjuF/\r\nFigure 49 – The digital currency exchange confirmation contains a URL.\r\nWe followed the link and found the page with the results of the digital asset exchange operation (Perfect Money USD -\u003e\r\nTron USDT), which contains a Tron blockchain wallet address:\r\nTLqC6F4AVs8MrdiQDgRuFcW2Xp3iY3hg2D\r\nWe analyzed incoming transactions and calculated the total amount received by this account during the last 365 days: USDT\r\n59,685.08.\r\nHowever, it is obvious that only part of the BreakingSecurity and VgoStore finances flow through this wallet. We can get a\r\nbetter view of the income VgoStore received thanks to another frame in this video. At 5:06 we see the WordPress\r\nadministrative page containing the report of the WooCommerce plugin:\r\nFigure 50 – WordPress administrative page displays sales statistics.\r\nThe amount of $15,000 may be considered an estimate of the monthly income from sales of Remcos and other services at\r\nthe VgoStore website.\r\nConclusion\r\nTools such as Remcos and GuLoader, once exclusively sold on hacking forums and now publicly available on e-commerce\r\nplatforms, masquerade as legitimate products. Now easily accessible, such tools have become popular among individuals with\r\nmalicious intentions.\r\nOur findings reveal that an individual operating under the alias EMINэM administers both websites, BreakingSecurity and\r\nVgoStore, which openly sell Remcos and GuLoader under a new name, TheProtect. We also uncovered proof of EMINэM’s\r\ninvolvement in the distribution of malware, including the notorious Formbook info stealer and Amadey Loader. 
At the same\r\ntime, EMINэM employs TheProtect for his own malicious purposes, exploiting its ability to bypass antivirus software.\r\nIn light of these findings, it becomes evident that the veneer of legitimacy cultivated by BreakingSecurity, VgoStore, and\r\ntheir products is nothing more than a smokescreen. The individuals behind these services are deeply entwined within the\r\ncybercriminal community, leveraging their platforms to facilitate illegal activities and profit from the sale of malware-laden\r\ntools.\r\nThis serves as a stark reminder that the fight against cybercrime requires constant vigilance and collaboration. Law\r\nenforcement agencies, cybersecurity professionals, and the broader community must join forces to expose and neutralize\r\nthese threats. By shining a light on the nefarious activities of individuals like EMINэM and their associated platforms, we\r\ntake a step towards a safer digital landscape that can better protect individuals, organizations, and our shared digital\r\necosystem.\r\nCheck Point Threat Emulation provides protection against these threats:\r\nDropper.Win.CloudEyE.*\r\nDropper.Win.Guloader.*\r\nRAT.Win.Remcos.*\r\nSource: https://research.checkpoint.com/2023/unveiling-the-shadows-the-dark-alliance-between-guloader-and-remcos/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://research.checkpoint.com/2023/unveiling-the-shadows-the-dark-alliance-between-guloader-and-remcos/"
	],
	"report_names": [
		"unveiling-the-shadows-the-dark-alliance-between-guloader-and-remcos"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434111,
	"ts_updated_at": 1775791287,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e68ad84619f586d584bddc54d882b4cbeeff8026.pdf",
		"text": "https://archive.orkl.eu/e68ad84619f586d584bddc54d882b4cbeeff8026.txt",
		"img": "https://archive.orkl.eu/e68ad84619f586d584bddc54d882b4cbeeff8026.jpg"
	}
}