{
	"id": "f38917e7-9847-4094-834b-fe24525a65a0",
	"created_at": "2026-04-06T00:13:50.276523Z",
	"updated_at": "2026-04-10T03:21:49.35777Z",
	"deleted_at": null,
	"sha1_hash": "fb647699dd910097ff661007941cd60120a04e50",
	"title": "GuLoader Malware Disguised as Tax Invoices and Shipping Statements (Detected by MDS Products) - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2341569,
	"plain_text": "GuLoader Malware Disguised as Tax Invoices and Shipping\r\nStatements (Detected by MDS Products) - ASEC\r\nBy ATCP\r\nPublished: 2023-08-03 · Archived: 2026-04-05 17:33:45 UTC\r\nAhnLab Security Emergency response Center (ASEC) has identified circumstances of GuLoader being distributed\r\nas attachments in emails disguised with tax invoices and shipping statements. The recently identified GuLoader\r\nvariant was included in a RAR (Roshal Archive Compressed) compressed file. When a user executes GuLoader, it\r\nultimately downloads known malware strains such as Remcos, AgentTesla, and Vidar.\r\nhttps://asec.ahnlab.com/en/55978/\r\nPage 1 of 8\n\nhttps://asec.ahnlab.com/en/55978/\r\nPage 2 of 8\n\nAhnLab’s MDS products provide a Mail Transfer Agent (MTA) feature to block malware distributed via email.\r\nFigure 3 below shows the GuLoader malware detection report screen of AhnLab MDS. In this case, the GuLoader\r\ndownloader downloaded Remcos from the threat actor’s server.\r\nhttps://asec.ahnlab.com/en/55978/\r\nPage 3 of 8\n\nRemcos is a known RAT (Remote Administration Tool) distributed via spam emails and MS-SQL vulnerabilities.\r\nThe malware has been covered on the ASEC Blog.\r\n(Nov 23, 2020) Remcos RAT Malware being Distributed as Spam Mail\r\nThere is an official sales page for Remcos. Following the initial release of version 1.0 in July 2016, version 4.9.0\r\nwas released on July 26th, 2023. 
It seems the creator is constantly updating the features of this malware and\r\nselling copies for commercial purposes.\r\nhttps://asec.ahnlab.com/en/55978/\r\nPage 4 of 8\n\nWhen an email is received, MDS uses the virtual machine-based dynamic analysis to detect malware strains based\r\non GuLoader’s behavior of downloading malware types and Remcos’ behavior of exfiltrating information as well\r\nas their characteristics.\r\nhttps://asec.ahnlab.com/en/55978/\r\nPage 5 of 8\n\nhttps://asec.ahnlab.com/en/55978/\r\nPage 6 of 8\n\nBesides Remcos, GuLoader also downloads and runs malware strains being sold on the Internet such as Formbook\r\nand Lokibot. Such malware strains offered for sale are called commodity malware. The threat actor likely uses\r\ndownloaders such as GuLoader to propagate commercial malware instead of distributing them directly to bypass\r\nsignature-based detection of security products. In the past, GuLoader was compiled in VisualBasic, and nowadays,\r\nit is compiled in NSIS and .NET. Whatever the case may be, its form is constantly being changed during\r\ndistribution to evade static detection. However, the malware strains being executed in the memory area are\r\ncommercial malware types such as Remcos, so even if the forms are different, each variant performs the same\r\nmalicious behaviors. 
Thus, corporate security managers must implement not only endpoint security products (V3)\r\nbut also sandbox-based APT solutions such as MDS to prevent damage from cyber attacks.\r\n[File Detection]\r\n– Trojan/Win.Guloader.C5463862 (2023.08.02.00)\r\n[Behavior Detection]\r\n– Execution/MDP.Remcos.M11099\r\n– Infostealer/MDP.Credential.M10218\r\nhttps://asec.ahnlab.com/en/55978/\r\nPage 7 of 8\n\nMD5\r\nab5050f0b4b71352722a6122c8107f83\r\nAdditional IOCs are available on AhnLab TIP.\r\nTo learn more about AhnLab MDS's sandbox-based behavioral analysis, please click the banner below.\r\nSource: https://asec.ahnlab.com/en/55978/\r\nhttps://asec.ahnlab.com/en/55978/\r\nPage 8 of 8\n\n  https://asec.ahnlab.com/en/55978/    \nWhen an email is received, MDS uses the virtual machine-based dynamic analysis to detect malware strains based\non GuLoader’s behavior of downloading malware types and Remcos’ behavior of exfiltrating information as well\nas their characteristics.      \n   Page 5 of 8",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://asec.ahnlab.com/en/55978/"
	],
	"report_names": [
		"55978"
	],
	"threat_actors": [],
	"ts_created_at": 1775434430,
	"ts_updated_at": 1775791309,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fb647699dd910097ff661007941cd60120a04e50.pdf",
		"text": "https://archive.orkl.eu/fb647699dd910097ff661007941cd60120a04e50.txt",
		"img": "https://archive.orkl.eu/fb647699dd910097ff661007941cd60120a04e50.jpg"
	}
}
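The behavior-based detection that the archived article attributes to MDS (flagging GuLoader by its downloading of further malware, and Remcos by its exfiltration of information) can be illustrated with a small triage routine run over sandbox events. The following is an added example, not AhnLab MDS code and not a description of how MDS works internally: the event schema, the process, network and file records, the file names and the documentation-range IP addresses are all constructed for the example, and the only value taken from the page is the MD5 listed in its IOC section.

```python
"""Behavior-based triage of sandbox events for a downloader -> RAT chain.

Added example for this page; it is not AhnLab MDS code and makes no claim
about how MDS works internally. The event records below are constructed,
the hosts use documentation IP ranges (RFC 5737), and only the MD5 comes
from the article's IOC section.
"""
import os

# IOC from the article (the only non-constructed value in this example).
KNOWN_MD5 = {"ab5050f0b4b71352722a6122c8107f83": "GuLoader (ASEC 55978)"}

ARCHIVE_EXT = {".rar", ".zip", ".7z"}
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".vbs"}


def _ext(name):
    return os.path.splitext(name.lower())[1]


def triage(events):
    """Return a list of findings for a list of sandbox events (hypothetical schema).

    Each event dict has "ts" and "type"; the other keys depend on the type:
      attachment   : name, contains (member file names inside an archive)
      process_start: pid, image, md5 (optional), parent_pid (optional)
      network      : pid, method, host
      file_write   : pid, path
    """
    findings = []
    procs = {}  # pid -> per-process state accumulated from the event stream
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind = ev["type"]
        if kind == "attachment":
            # Lure pattern from the article: an archive that wraps an executable.
            if _ext(ev["name"]) in ARCHIVE_EXT and any(
                _ext(m) in EXEC_EXT for m in ev["contains"]
            ):
                findings.append(f"archive_wraps_executable:{ev['name']}")
        elif kind == "process_start":
            state = {"image": ev["image"], "downloaded": False,
                     "written": set(), "dropped": False}
            procs[ev["pid"]] = state
            md5 = ev.get("md5", "").lower()
            if md5 in KNOWN_MD5:
                findings.append(f"ioc_hash_match:{md5}:{KNOWN_MD5[md5]}")
            parent = procs.get(ev.get("parent_pid"))
            # Downloader chain: the parent fetched something over the network,
            # wrote an executable to disk, then launched that very file.
            if parent and parent["downloaded"] and ev["image"].lower() in parent["written"]:
                state["dropped"] = True
                findings.append(f"downloader_chain:{parent['image']}->{ev['image']}")
        elif kind == "network":
            state = procs.get(ev["pid"])
            if state is None:
                continue
            if ev["method"] == "GET":
                state["downloaded"] = True
            # A dropped payload that posts data out looks like RAT/stealer exfiltration.
            elif ev["method"] == "POST" and state["dropped"]:
                findings.append(f"dropped_payload_exfil:{state['image']}->{ev['host']}")
        elif kind == "file_write":
            state = procs.get(ev["pid"])
            if state is not None and _ext(ev["path"]) in EXEC_EXT:
                state["written"].add(ev["path"].lower())
    return findings


# Constructed sample modelled on the chain the article describes.
GULOADER_CHAIN = [
    {"ts": 1, "type": "attachment", "name": "Tax_Invoice_0803.rar",
     "contains": ["Tax_Invoice_0803.exe"]},
    {"ts": 2, "type": "process_start", "pid": 100, "parent_pid": 1,
     "image": "Tax_Invoice_0803.exe", "md5": "ab5050f0b4b71352722a6122c8107f83"},
    {"ts": 3, "type": "network", "pid": 100, "method": "GET", "host": "203.0.113.10"},
    {"ts": 4, "type": "file_write", "pid": 100,
     "path": r"C:\Users\user\AppData\Roaming\svchost.exe"},
    {"ts": 5, "type": "process_start", "pid": 200, "parent_pid": 100,
     "image": r"C:\Users\user\AppData\Roaming\svchost.exe"},
    {"ts": 6, "type": "network", "pid": 200, "method": "POST", "host": "198.51.100.5"},
]

# Constructed benign sample: a document reader that checks for updates but drops nothing.
BENIGN = [
    {"ts": 1, "type": "attachment", "name": "invoice.pdf", "contains": []},
    {"ts": 2, "type": "process_start", "pid": 300, "parent_pid": 1, "image": "reader.exe"},
    {"ts": 3, "type": "network", "pid": 300, "method": "GET", "host": "192.0.2.20"},
]

if __name__ == "__main__":
    for finding in triage(GULOADER_CHAIN):
        print(finding)
    print("benign:", triage(BENIGN))
```

Running the file prints four findings for the constructed GuLoader chain (the archive-wrapped executable, the IOC hash match, the download-write-execute chain, and the outbound POST from the dropped payload) and an empty list for the benign sample. The benign case is the point of chaining the events rather than alerting on any one of them: a process that downloads something is ordinary, and the signal the article describes only emerges when the download is written out as an executable, launched, and then talks back out.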