{
	"id": "507bc5fe-76d2-4b26-bb3b-526725b92776",
	"created_at": "2026-04-06T00:08:33.850915Z",
	"updated_at": "2026-04-10T03:36:36.678703Z",
	"deleted_at": null,
	"sha1_hash": "f20cfdbd3aef85c2b2a42718a9ae83e7bba2b21d",
	"title": "GuLoader delivers RATs and Spies in Disguise",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 275075,
	"plain_text": "GuLoader delivers RATs and Spies in Disguise\r\nPublished: 2020-04-13 · Archived: 2026-04-05 22:24:36 UTC\r\nHackers have been taking advantage of the Coronavirus scare by using a COVID theme in their phishing pages and spam emails. In this blog we dig deeper into the GuLoader malware, which arrives via the document attached to such spam emails. This malware is a VB downloader that has been used in many such malicious campaigns and is attributed to the Gorgon APT, TA505 and TA542 threat groups, among others.\r\nGuLoader is a small VB5/6 executable that typically downloads RATs, stealers or spyware such as Formbook, Agent Tesla, Lokibot, Remcos RAT and NetWire RAT. We recently analyzed a campaign that used GuLoader to download and deliver Formbook from Google Drive. While analyzing this campaign we located, in February, around 2100 GuLoader samples that connect to Google Drive links and 130 that contact OneDrive; by the end of March we had found around 3300 new samples connecting to Google Drive and 250 connecting to OneDrive, an increase of roughly 60% over the previous month. In total we have seen 6000+ GuLoader samples in the past 3 months.\r\nFigure 1: Graph showing month-wise volume of collected samples\r\nIt is evident from the increasing numbers in Figure 1 that this malware has gained popularity and is being used for nefarious activities by various threat actors.
The popularity is due to some of its features:\r\nIt is small and can be embedded in ISO image files and RAR archives.\r\nStores its encrypted payload on Google Drive and OneDrive, from where it is later downloaded and decrypted with a simple XOR operation, so the file on the cloud host is not itself a recognisable executable.\r\nFigure 2: File hosted on cloud service.\r\nInjects the decrypted payload into the targeted process.\r\nPredominantly used to deliver NanoCore RAT, Remcos RAT, Quasar RAT, NetWire RAT, Agent Tesla and Formbook.\r\nUses anti-attach techniques against debuggers.\r\nhttps://labs.k7computing.com/?p=20156\r\nPage 1 of 5\r\nGuLoader analysis\r\nThe infection chain of the campaign that downloads GuLoader is depicted in Figure 3.\r\nFigure 3: Infection chain of GuLoader\r\nThe malicious VB file allocates virtual memory, decrypts its second-stage code into it and executes that code, which is responsible for the following:\r\nDebugger anti-attach technique: the malware calls ZwSetInformationThread on its own thread with the ThreadHideFromDebugger information class, after which the thread stops delivering debug events to any attached debugger.\r\nPatching ntdll.DbgBreakPoint and ntdll.DbgUiRemoteBreakin: when a debugger attaches to a running process it calls DebugActiveProcess, which in turn uses RtlCreateUserThread to create a remote thread in the target with DbgUiRemoteBreakin as its start address; that function calls DbgBreakPoint to hand control to the debugger. The malware therefore patches both ntdll.DbgBreakPoint and ntdll.DbgUiRemoteBreakin in advance: with a NOP so the breakpoint never fires, with code that exits the process, or with a jump to an unmapped or non-readable address so the attach does not succeed.\r\nUnhooking user-mode hooks: for behaviour-based detection most anti-virus products place user-mode hooks on the APIs malware uses most. They do this by overwriting the first 5 bytes of the API stub (on a 32-bit ntdll Zw*/Nt* stub these are 0xb8 ????????, mov eax, syscall-number) with an unconditional 5-byte jump (0xe9 ????????) to their hook handler. 
To avoid this, the malware rewrites the first 5 bytes of those stubs back to their original values, whether or not a hook is actually in place.\r\nDownload payload from cloud storage: downloads the file stored on Google Drive/OneDrive and decrypts it.\r\nIt then injects the decrypted payload into the targeted process, or creates a child process of itself and overwrites the child process image at base 0x400000 with the decrypted content (process hollowing).\r\nFor more detailed reading about the above-mentioned points, do have a look at this blog.\r\nGiven below are some of the paths in which GuLoader is saved on the PC, as per our telemetry reports:\r\nC:\\USERS\\____\\APPDATA\\LOCAL\\TEMP\\SUBFOLDER\\FILENAME.EXE\r\nC:\\USERS\\_____\\APPDATA\\LOCAL\\TEMP\\RAR$DIA4024.13665\\QUOTATION REQUEST.SCR\r\nC:\\DOCUME~1\\_____\\LOCALS~1\\TEMP\\RAR$EXA0.993\\SCANDOC8383.EXE\r\nC:\\USERS\\____\\APPDATA\\LOCAL\\TEMP\\RAR$EX00.225\\DOC981.EXE\r\nC:\\USERS\\___\\APPDATA\\LOCAL\\TEMP\\RAR$EXA0.418\\CL MONA (13912-I0005)  _HIRE STATEMENT_PAYMENT COPY_PDF.EXE\r\nC:\\USERS\\_____\\APPDATA\\LOCAL\\TEMP\\SUBFOLDER\\WINDOW.EXE\r\nC:\\USERS\\_____\\APPDATA\\LOCAL\\TEMP\\RAR$DIA0.789\\CONSIGNMENT DOCUMENTS.SCR\r\nC:\\USERS\\_____\\APPDATA\\LOCAL\\TEMP\\RAR$EX00.626\\SWIFT COPY.EXE\r\nC:\\USERS\\_______\\APPDATA\\LOCAL\\TEMP\\RAR$EX00.251\\PURCHASE ORDER-3647585PDF.EXE\r\nC:\\USERS\\______\\APPDATA\\LOCAL\\TEMP\\RAR$EXA0.440\\RFQ-21902.EXE\r\nC:\\USERS\\_____\\APPDATA\\LOCAL\\TEMP\\RAR$EX00.403\\PAYMENT_0320.EXE\r\nC:\\USERS\\____\\APPDATA\\LOCAL\\TEMP\\RAR$EXA0.540\\BRANCHE.EXE\r\nC:\\USERS\\________\\APPDATA\\LOCAL\\TEMP\\RAR$EXA0.181\\SCANDOC8383.EXE\r\nC:\\USERS\\_____\\APPDATA\\LOCAL\\TEMP\\RAR$DIA0.815\\ATTACHED PO#19POGL1614-2020REF0088427.SCR\r\nThe RAR$EX*/RAR$DI* folders are the temporary extraction directories WinRAR creates when a file is opened from inside an archive, so the victim launched the executable straight from the RAR; the double extensions (such as PDF.EXE) and .SCR screensaver files are the usual disguise.\r\nThese GuLoader exe files get downloaded and saved to the system after the Coronavirus spam document is opened.
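The XOR decryption of the cloud-hosted payload described above, as an added example that is not part of the K7 Labs post. It takes the simplest reading of a simple XOR operation, a repeating key of unknown length, and assumes the payload is an ordinary MSVC-linked PE whose DOS stub text sits at offset 0x4E; the sample blob and key are constructed for the demonstration, and nothing here is taken from a real GuLoader sample or its actual key scheme.

```python
# Added example, not code from the K7 Labs post or from GuLoader itself.
# Recovers a repeating XOR key from the downloaded blob using the DOS stub text as
# known plaintext, then validates the result structurally as a PE. Assumptions:
# plain repeating-key XOR and an MSVC-style DOS stub at offset 0x4E.
import struct

DOS_STUB_TEXT = b'This program cannot be run in DOS mode.'
DOS_STUB_OFFSET = 0x4E   # where the MSVC linker places the stub message (assumption)


def xor_bytes(data, key):
    '''Repeating-key XOR; the same routine encrypts and decrypts.'''
    if not key:
        raise ValueError('empty key')
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(blob):
    '''Structural check a decrypted payload should pass before it is trusted:
    MZ at offset 0, e_lfanew inside the buffer, PE signature at e_lfanew.'''
    if len(blob) < 0x40 or blob[:2] != b'MZ':
        return False
    e_lfanew = struct.unpack_from('<I', blob, 0x3C)[0]
    return e_lfanew + 4 <= len(blob) and blob[e_lfanew:e_lfanew + 4] == b'PE' + bytes(2)


def recover_key(cipher, key_len, known=DOS_STUB_TEXT, offset=DOS_STUB_OFFSET):
    '''Known-plaintext recovery of a repeating key of length key_len: XOR the
    ciphertext at the stub offset with the expected stub text and check that the
    resulting key stream is periodic with that length. Returns the key aligned to
    offset 0, or None when the period does not fit.'''
    if len(known) < key_len:
        raise ValueError('known plaintext shorter than key length')
    stream = xor_bytes(cipher[offset:offset + len(known)], known)
    for i in range(key_len, len(stream)):
        if stream[i] != stream[i - key_len]:
            return None
    # stream[j] is key[(offset + j) % key_len]; rotate so index 0 is key[0]
    shift = offset % key_len
    period = stream[:key_len]
    return period[-shift:] + period[:-shift] if shift else period


def decrypt_payload(cipher, key_len_candidates=range(1, 17)):
    '''Try key lengths shortest first (a multiple of the true length also fits the
    periodicity test), recover the key from the DOS stub and accept the first key
    whose plaintext passes looks_like_pe. Returns (key, plaintext) or (None, None).'''
    for k in key_len_candidates:
        key = recover_key(cipher, k)
        if key is None:
            continue
        plain = xor_bytes(cipher, key)
        if looks_like_pe(plain):
            return key, plain
    return None, None


def build_sample_pe():
    '''Constructed stand-in for a downloaded payload: a DOS header with the MSVC stub
    text and a PE signature at e_lfanew, followed by filler. Not a real binary.'''
    hdr = bytearray(0x100)
    hdr[0:2] = b'MZ'
    struct.pack_into('<I', hdr, 0x3C, 0x80)                                  # e_lfanew
    hdr[DOS_STUB_OFFSET:DOS_STUB_OFFSET + len(DOS_STUB_TEXT)] = DOS_STUB_TEXT
    hdr[0x80:0x84] = b'PE' + bytes(2)
    return bytes(hdr) + bytes(range(256)) * 2


SAMPLE_KEY = bytes.fromhex('4b37a1c8')   # constructed 4-byte key for the demo


def demo():
    '''Encrypt the constructed PE as the loader would find it on the cloud host,
    then recover the key and plaintext from the ciphertext alone.'''
    plain = build_sample_pe()
    cipher = xor_bytes(plain, SAMPLE_KEY)
    key, recovered = decrypt_payload(cipher)
    return key, recovered == plain


if __name__ == '__main__':
    print(demo())
```

The structural check matters more than the key recovery: a loader that hollows a child process at base 0x400000 will happily inject garbage if the wrong key is applied, and looks_like_pe is the minimum an analyst's decryptor should require before treating the output as the real payload.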
The loader is dropped when the victim enables macros, or after successful exploitation of a vulnerability such as CVE-2017-11882 (the Equation Editor memory-corruption flaw) by the threat actors.\r\nThis is one of the major campaigns of this year so far. Emails with a COVID theme, impersonating trusted organisations such as WHO, UNICEF and government health agencies, lure recipients into opening them and their attachments. With the ever-growing concern about the pandemic and people's hunger for information, COVID-themed spam has been quite successful at gaining victims. Sifting through our pan-India telemetry, we found at least 60 hits in the last week of March and more than 800 unique hits in the past 30 days or so.\r\nSecurity Guidelines\r\nDo not fall prey to spam mails related to COVID-19, or to any other email you were not expecting\r\nUse spam filters\r\nPay close attention to the sender's email address before downloading any attachment\r\nInstall the latest service packs and hotfixes from Microsoft\r\nInstall a reliable security product like K7 Total Security and ensure it is enabled and kept up to date\r\nIndicators of Compromise (IoCs)\r\nSpam doc/xls (MD5, K7 detection name)\r\n19B9749D417DD800042EEF6CE4831665 Trojan ( 0001140e1 )\r\n23B8E03D5F5B6F906006E43047E78EC1 Trojan ( 0001140e1 )\r\n5127D7FD0E929E157D9B9F677D8496D4 Trojan ( 0001140e1 )\r\nFFC54A5B610C781E9E6C7F15666FA026 Trojan ( 0001140e1 )\r\nGuLoader\r\n06765254FA14E550E6BCEE092CB37B18 Trojan ( 005630331 )\r\n7580F80CE0B825EF8931F0B5A25FD131 Trojan ( 0056315b1 )\r\n9DBA8EEEE47B6F14B4E4814824397375 Trojan ( 00561ca31 )\r\n50B1D1DFECE17FE955BF9DA7942C5A73 Riskware ( 0040eff71 )\r\n1910E8659F87A0B9F62C78B829CF7295 Trojan ( 00561c181 )\r\nMalware downloaded by GuLoader\r\nC949A9618462F5C83A93FDD2EB0DABF7 Password-Stealer ( 0052f96e1 )\r\n7573808E70745FCAF78117F420F67C73 Password-Stealer ( 0040f4f51 )\r\n4DD1308E8D02539221057684398D300D Trojan ( 005608181 )\r\n1899A6720B1E95E57BAB440524AD5B14 Trojan ( 005485311 )\r\nSource: https://labs.k7computing.com/?p=20156",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://labs.k7computing.com/?p=20156"
	],
	"report_names": [
		"?p=20156"
	],
	"threat_actors": [
		{
			"id": "e8e18067-f64b-4e54-9493-6d450b7d40df",
			"created_at": "2022-10-25T16:07:24.515213Z",
			"updated_at": "2026-04-10T02:00:05.018868Z",
			"deleted_at": null,
			"main_name": "Mummy Spider",
			"aliases": [
				"ATK 104",
				"Gold Crestwood",
				"Mummy Spider",
				"TA542"
			],
			"source_name": "ETDA:Mummy Spider",
			"tools": [
				"Emotet",
				"Geodo",
				"Heodo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "506404b2-82fb-4b7e-b40d-57c2e9b59f40",
			"created_at": "2023-01-06T13:46:38.870883Z",
			"updated_at": "2026-04-10T02:00:03.128317Z",
			"deleted_at": null,
			"main_name": "MUMMY SPIDER",
			"aliases": [
				"TA542",
				"GOLD CRESTWOOD"
			],
			"source_name": "MISPGALAXY:MUMMY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ac83159-1d9d-4db4-a176-97be6b7b07c9",
			"created_at": "2024-06-19T02:03:08.024653Z",
			"updated_at": "2026-04-10T02:00:03.672512Z",
			"deleted_at": null,
			"main_name": "GOLD CRESTWOOD",
			"aliases": [
				"Mummy Spider ",
				"TA542 "
			],
			"source_name": "Secureworks:GOLD CRESTWOOD",
			"tools": [
				"Emotet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434113,
	"ts_updated_at": 1775792196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f20cfdbd3aef85c2b2a42718a9ae83e7bba2b21d.pdf",
		"text": "https://archive.orkl.eu/f20cfdbd3aef85c2b2a42718a9ae83e7bba2b21d.txt",
		"img": "https://archive.orkl.eu/f20cfdbd3aef85c2b2a42718a9ae83e7bba2b21d.jpg"
	}
}