~Zscaler~
GuLoader malware uses advanced polymorphic code and exception-based control flow obfuscation to deliver secondary payloads like RATs and info-stealers.
-
IOCs: (None identified)
-
#GuLoader #Malware #ThreatIntel
Screenshot of my blog post with the files and information from this infection.
Screenshot of the email with an attached RAR archive.
The malware, extracted from the attached RAR archive.
Traffic from the infection filtered in Wireshark.
2026-02-03 (Tuesday): #GuLoader for #AgentTesla style malware with FTP data exfiltration. A #pcap of the infection traffic, associated files, and a list of indicators are available at www.malware-traffic-analysis.net/2026/02/03/i...
Watch out as a new email attack uses fake employee reports to deliver Guloader and Remcos RAT malware, tricking users into running dangerous files disguised as performance reviews.
Read: hackread.com/fake-employe...
#Malware #Guloader #RemcosRAT #Phishing #CyberSecurity
Microsoft documents a series of tax-themed phishing attacks that exploit the IRS to install malware such as Latrodectus, BRc4 and Remcos
#AHKBot #BRc4 #cybercrime #guloader #IRS #Latrodectus #malware #PHISHING #RaccoonO365 #Remcos
www.matricedigitale.it/sicurezza-in...
Screenshot of the email with the malicious attachment containing GuLoader for Remcos RAT
Traffic from the infection by GuLoader for Remcos RAT filtered in Wireshark. The Remcos RAT C2 server for HTTPS traffic over TCP port 9090 uses a self-signed certificate.
2025-03-24 (Monday): #GuLoader for #Remcos #RAT ( #RemcosRAT ) distributed through email - More info at github.com/malware-traf...
Screenshot of the email and the associated malware as an attached file.
Traffic from the infection filtered in Wireshark.
2025-02-07 (Friday): Today's boring example of #malspam pushing #GuLoader for #AgentTesla style malware. EXE of this malware available at bazaar.abuse.ch/sample/833aa...
For some reason, I keep mis-typing #GuLoader as GuiLoader
The latest release for ACCE is available with updated support for #HijackLoader #GuLoader #VeilShell #CakeDropper and more. www.ciphertechsolutions.com/acce-release...
#AgentTesla (dropped by #GuLoader .vbs file [1]) is using the PowerShell framework Pester [2] to enumerate the victim host and evade detections. It's also running the BitsTransfer PowerShell module in a loop to download further stages from Google Drive [3] (Viru.aaf .... subtle 😂).
Our latest Release notes for ACCE v2.2.20231027 are live. www.ciphertechsolutions.com/acce-release... #LoreCrypter #RecordBreaker #ChargeWeapon #REF5961 #GuLoader #HijackLoader