#guloader — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #guloader, aggregated by home.social.
-
Technical Analysis of GuLoader Obfuscation Techniques
#Guloader
https://www.zscaler.com/blogs/security-research/technical-analysis-guloader-obfuscation-techniques -
2026-02-03 (Tuesday): #GuLoader for #AgentTesla style malware with FTP data exfiltration.
A #pcap of the infection traffic, associated files, and a list of indicators are available at https://www.malware-traffic-analysis.net/2026/02/03/index.html
Two online sandboxes tag this sample as AgentTesla, but I'm not sure what the actual name of this malware is.
- https://tria.ge/260203-tvhlyahx7c
- https://app.any.run/tasks/0840196f-2b8f-415c-8ca7-af0c8f394b0d -
Watch out as a new email attack uses fake employee reports to deliver Guloader and Remcos RAT malware, tricking users into running dangerous files disguised as performance reviews.
Read: https://hackread.com/fake-employee-reports-guloader-remcos-rat-malware/
-
Watch out as a new email attack uses fake employee reports to deliver Guloader and Remcos RAT malware, tricking users into running dangerous files disguised as performance reviews.
Read: https://hackread.com/fake-employee-reports-guloader-remcos-rat-malware/
-
Watch out as a new email attack uses fake employee reports to deliver Guloader and Remcos RAT malware, tricking users into running dangerous files disguised as performance reviews.
Read: https://hackread.com/fake-employee-reports-guloader-remcos-rat-malware/
-
Watch out as a new email attack uses fake employee reports to deliver Guloader and Remcos RAT malware, tricking users into running dangerous files disguised as performance reviews.
Read: https://hackread.com/fake-employee-reports-guloader-remcos-rat-malware/
-
Watch out as a new email attack uses fake employee reports to deliver Guloader and Remcos RAT malware, tricking users into running dangerous files disguised as performance reviews.
Read: https://hackread.com/fake-employee-reports-guloader-remcos-rat-malware/
-
Malspam Monday is when I check the inboxes of my honey pot accounts for anything interesting distributed through email.
Today, I found an example of #GuLoader for #Remcos #RAT
Details at https://github.com/malware-traffic/indicators/blob/main/2025-03-24-GuLoader-for-Remcos-RAT.txt
-
2025-02-07 (Friday): Today's boring example of #malpsam pushing #GuLoader for #AgentTesla style malware. EXE of this malware available at https://bazaar.abuse.ch/sample/833aae0bc34e211145371b619b7c542864e9f864e26de1690fd2f6be76fcb174
-
2025-01-09 (Thursday):
#CVE-2017-0199 Excel (#XLS) file --> #HTA --> #VBS --> #steganography --> #DBatLoader or #GuLoader style malware for #AgentTesla. Data exfil over FTP. A #pcap from an infection, the associated malware, and more info available at www.malware-traffic-analysis.net/2025/01/09/index.html
-
2025-01-09 (Thursday):
#CVE-2017-0199 Excel (#XLS) file --> #HTA --> #VBS --> #steganography --> #DBatLoader or #GuLoader style malware for #AgentTesla. Data exfil over FTP. A #pcap from an infection, the associated malware, and more info available at www.malware-traffic-analysis.net/2025/01/09/index.html
-
2025-01-09 (Thursday):
#CVE-2017-0199 Excel (#XLS) file --> #HTA --> #VBS --> #steganography --> #DBatLoader or #GuLoader style malware for #AgentTesla. Data exfil over FTP. A #pcap from an infection, the associated malware, and more info available at www.malware-traffic-analysis.net/2025/01/09/index.html
-
2025-01-09 (Thursday):
#CVE-2017-0199 Excel (#XLS) file --> #HTA --> #VBS --> #steganography --> #DBatLoader or #GuLoader style malware for #AgentTesla. Data exfil over FTP. A #pcap from an infection, the associated malware, and more info available at www.malware-traffic-analysis.net/2025/01/09/index.html
-
2025-01-09 (Thursday):
#CVE-2017-0199 Excel (#XLS) file --> #HTA --> #VBS --> #steganography --> #DBatLoader or #GuLoader style malware for #AgentTesla. Data exfil over FTP. A #pcap from an infection, the associated malware, and more info available at www.malware-traffic-analysis.net/2025/01/09/index.html
-
Campagne #Malware #Italy Week 32
🔥☠️💣👻#SnakeKeyLogger: Citazione
#Guloader: Ordine
#Formbook: Modulo bancario
#AsyncRAT: Documento
#RemcosRAT: Prezzi
#AgentTesla: Preventivo
#ModiLoader: Pagamento
#StrRat: Ordine
#RedLine: Quotazione
#Vidar: Pagamento
#Ousaban: Documento -
Campagne #Malware #Italy Week 29
☠️💣🔥👻
#AgentTesla: Ordine
#Formbook: Offerta
#GuLoader: Fattura Elettronica
#Remcos: Bank
#Lokibot: Delivery
#SmokeLoader: Pagamenti
#Irata: Malware APK
#RedLine: Offerta
#Neshta: Ordine
#Ousaban: Processo
#SnakeKeylogger: Fattura -
Campagne #Malware #Italy Week 13
👻💣🔥☠️
#AgentTesla: Pagamenti
#Remcos: Delivery
#Irata: APK Bank
#Phorpiex: Documenti
#Guloader: Ordine
#PlanetStealer: Conferma
#Lokibot: Preventivo
#Pikabot: Resend -
Researchers Unveal GuLoader Malware's Latest Anti-Analysis Techniques
https://thehackernews.com/2023/12/researchers-unveal-guloader-malwares.html #Cybercrime #Malware #GuLoader -
Ongoing reports indicate that the threat actors behind GuLoader persist in enhancing its ability to circumvent both existing and emerging security features.
-
"🔐 GuLoader's New Identity: The Protector 🎭"
GuLoader is now being sold under the name "The Protector" on the same platform as Remcos. It's advertised as a crypter that makes its payload fully undetectable by antiviruses (FUD). 🕵️♂️🔒
🔗 Source: Check Point Research
🏷️ Tags: #GuLoader #TheProtector #FUD #Crypter #CyberSecurity
-
"🔐 GuLoader's New Identity: The Protector 🎭"
GuLoader is now being sold under the name "The Protector" on the same platform as Remcos. It's advertised as a crypter that makes its payload fully undetectable by antiviruses (FUD). 🕵️♂️🔒
🔗 Source: Check Point Research
🏷️ Tags: #GuLoader #TheProtector #FUD #Crypter #CyberSecurity
-
"🔐 GuLoader's New Identity: The Protector 🎭"
GuLoader is now being sold under the name "The Protector" on the same platform as Remcos. It's advertised as a crypter that makes its payload fully undetectable by antiviruses (FUD). 🕵️♂️🔒
🔗 Source: Check Point Research
🏷️ Tags: #GuLoader #TheProtector #FUD #Crypter #CyberSecurity
-
"🔐 GuLoader's New Identity: The Protector 🎭"
GuLoader is now being sold under the name "The Protector" on the same platform as Remcos. It's advertised as a crypter that makes its payload fully undetectable by antiviruses (FUD). 🕵️♂️🔒
🔗 Source: Check Point Research
🏷️ Tags: #GuLoader #TheProtector #FUD #Crypter #CyberSecurity
-
"🔐 GuLoader's New Identity: The Protector 🎭"
GuLoader is now being sold under the name "The Protector" on the same platform as Remcos. It's advertised as a crypter that makes its payload fully undetectable by antiviruses (FUD). 🕵️♂️🔒
🔗 Source: Check Point Research
🏷️ Tags: #GuLoader #TheProtector #FUD #Crypter #CyberSecurity
-
-
Cyber Security Updates
Malware Loaders Responsible for 80% of Security Incidents
Dealing with malware loaders poses intricate challenges for SOC teams.A recent exploration by ReliaQuest has unveiled a multitude of disruptive loader instances. Notably, the trio comprised of “QakBot” (also recognized as QBot, QuackBot, Pinkslipbot), “SocGholish,” and “Raspberry Robin” emerged as the predominant culprits.
#QakBot #Gootloader #Guloader #Ursnif #Chromeloader #ACCESSYSTEM
-
ISC Diary: @malware_traffic saw #GuLoader or #ModiLoader/#DBatLoader style traffic for #RemcosRAT https://i5c.us/d29990
-
ISC Diary: @malware_traffic saw #GuLoader or #ModiLoader/#DBatLoader style traffic for #RemcosRAT https://i5c.us/d29990
-
ISC Diary: @malware_traffic saw #GuLoader or #ModiLoader/#DBatLoader style traffic for #RemcosRAT https://i5c.us/d29990
-
ISC Diary: @malware_traffic saw #GuLoader or #ModiLoader/#DBatLoader style traffic for #RemcosRAT https://i5c.us/d29990
-
ISC Diary: @malware_traffic saw #GuLoader or #ModiLoader/#DBatLoader style traffic for #RemcosRAT https://i5c.us/d29990
-
@GossiTheDog @da_667 Someone really ought to come up with a practical cloud file sharing solution that will send everything someone puts online through detonation on a private sandbox and makes a determination that the file is safe before permitting others to download it. It's not especially difficult, it's just a complex problem waiting to be solved that nobody wants to tackle. This was one of the things I've been thinking about since finding out about the #GuLoader #maltax story
-
@GossiTheDog @da_667 Someone really ought to come up with a practical cloud file sharing solution that will send everything someone puts online through detonation on a private sandbox and makes a determination that the file is safe before permitting others to download it. It's not especially difficult, it's just a complex problem waiting to be solved that nobody wants to tackle. This was one of the things I've been thinking about since finding out about the #GuLoader #maltax story
-
@GossiTheDog @da_667 Someone really ought to come up with a practical cloud file sharing solution that will send everything someone puts online through detonation on a private sandbox and makes a determination that the file is safe before permitting others to download it. It's not especially difficult, it's just a complex problem waiting to be solved that nobody wants to tackle. This was one of the things I've been thinking about since finding out about the #GuLoader #maltax story
-
@GossiTheDog @da_667 Someone really ought to come up with a practical cloud file sharing solution that will send everything someone puts online through detonation on a private sandbox and makes a determination that the file is safe before permitting others to download it. It's not especially difficult, it's just a complex problem waiting to be solved that nobody wants to tackle. This was one of the things I've been thinking about since finding out about the #GuLoader #maltax story
-
@GossiTheDog @da_667 Someone really ought to come up with a practical cloud file sharing solution that will send everything someone puts online through detonation on a private sandbox and makes a determination that the file is safe before permitting others to download it. It's not especially difficult, it's just a complex problem waiting to be solved that nobody wants to tackle. This was one of the things I've been thinking about since finding out about the #GuLoader #maltax story
-
Here's a tiny slice of what was on the other end of that extremely weird PowerShell command line.
It's a Visual Basic Script (aka #VBScript) that is chock-full of obfuscatory badness. Long, word-salad variable names; Giant blocks of encoded data broken into dozens of smaller chunks, with a script to concatenate them back into a big data blob, convert them, and deploy. This is the main #GuLoader infector.
We go into a lot more detail of how it works in the blog, but the tl;dr is that this script contains the #Remcos #malware payload, part of which it inserts into the Windows Registry in an encoded form. It then sets up a Scheduled Task to invoke a command that retrieves the Registry data, decode it, and then reflectively inject it into legitimate processes, so the malware is never written to the file system of the infected machine.
7/
-
Here's a tiny slice of what was on the other end of that extremely weird PowerShell command line.
It's a Visual Basic Script (aka #VBScript) that is chock-full of obfuscatory badness. Long, word-salad variable names; Giant blocks of encoded data broken into dozens of smaller chunks, with a script to concatenate them back into a big data blob, convert them, and deploy. This is the main #GuLoader infector.
We go into a lot more detail of how it works in the blog, but the tl;dr is that this script contains the #Remcos #malware payload, part of which it inserts into the Windows Registry in an encoded form. It then sets up a Scheduled Task to invoke a command that retrieves the Registry data, decode it, and then reflectively inject it into legitimate processes, so the malware is never written to the file system of the infected machine.
7/
-
Here's a tiny slice of what was on the other end of that extremely weird PowerShell command line.
It's a Visual Basic Script (aka #VBScript) that is chock-full of obfuscatory badness. Long, word-salad variable names; Giant blocks of encoded data broken into dozens of smaller chunks, with a script to concatenate them back into a big data blob, convert them, and deploy. This is the main #GuLoader infector.
We go into a lot more detail of how it works in the blog, but the tl;dr is that this script contains the #Remcos #malware payload, part of which it inserts into the Windows Registry in an encoded form. It then sets up a Scheduled Task to invoke a command that retrieves the Registry data, decode it, and then reflectively inject it into legitimate processes, so the malware is never written to the file system of the infected machine.
7/
-
Here's a tiny slice of what was on the other end of that extremely weird PowerShell command line.
It's a Visual Basic Script (aka #VBScript) that is chock-full of obfuscatory badness. Long, word-salad variable names; Giant blocks of encoded data broken into dozens of smaller chunks, with a script to concatenate them back into a big data blob, convert them, and deploy. This is the main #GuLoader infector.
We go into a lot more detail of how it works in the blog, but the tl;dr is that this script contains the #Remcos #malware payload, part of which it inserts into the Windows Registry in an encoded form. It then sets up a Scheduled Task to invoke a command that retrieves the Registry data, decode it, and then reflectively inject it into legitimate processes, so the malware is never written to the file system of the infected machine.
7/
-
Here's a tiny slice of what was on the other end of that extremely weird PowerShell command line.
It's a Visual Basic Script (aka #VBScript) that is chock-full of obfuscatory badness. Long, word-salad variable names; Giant blocks of encoded data broken into dozens of smaller chunks, with a script to concatenate them back into a big data blob, convert them, and deploy. This is the main #GuLoader infector.
We go into a lot more detail of how it works in the blog, but the tl;dr is that this script contains the #Remcos #malware payload, part of which it inserts into the Windows Registry in an encoded form. It then sets up a Scheduled Task to invoke a command that retrieves the Registry data, decode it, and then reflectively inject it into legitimate processes, so the malware is never written to the file system of the infected machine.
7/
-
What's up with that #GuLoader URL?
The command uses a URL format that looks like a hexadecimal value, a dot, and then a decimal number.
It turns out that this is a variation of the so-called #dotless IP address format.
Back in 1999, there was a vulnerability in Internet Explorer where someone figured out this very odd bug. CVE-1999-1087 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1087 aka MS98-016) describes this bug and the strange formatting of the URL.
Back then, @threatresearch created a little Excel spreadsheet that shows how to do this conversion. In essence, a dotless IP address is the decimal representation of a hexadecimal representation of the four octets in an IPv4 address.
The spreadsheet tells the story better than I can with words, so take a look at this screenshot of it, with the update to show how the #GuLoader threat actors have adopted this method. Basically they use the hexadecimal value for the first of the four IPv4 octets, and then the decimal conversion value for the final three octets of the IPv4 address. It's very clever, because there still isn't a very strong understanding of this low-level way that network stacks interpret IPv4 addresses. Apparently PowerShell does interpret it correctly.
Just another weirdness and we haven't even gotten to the malware, itself.
#GuLoader #Remcos #maltax #malware #dotlessIP #retroCVE
6/
-
What's up with that #GuLoader URL?
The command uses a URL format that looks like a hexadecimal value, a dot, and then a decimal number.
It turns out that this is a variation of the so-called #dotless IP address format.
Back in 1999, there was a vulnerability in Internet Explorer where someone figured out this very odd bug. CVE-1999-1087 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1087 aka MS98-016) describes this bug and the strange formatting of the URL.
Back then, @threatresearch created a little Excel spreadsheet that shows how to do this conversion. In essence, a dotless IP address is the decimal representation of a hexadecimal representation of the four octets in an IPv4 address.
The spreadsheet tells the story better than I can with words, so take a look at this screenshot of it, with the update to show how the #GuLoader threat actors have adopted this method. Basically they use the hexadecimal value for the first of the four IPv4 octets, and then the decimal conversion value for the final three octets of the IPv4 address. It's very clever, because there still isn't a very strong understanding of this low-level way that network stacks interpret IPv4 addresses. Apparently PowerShell does interpret it correctly.
Just another weirdness and we haven't even gotten to the malware, itself.
#GuLoader #Remcos #maltax #malware #dotlessIP #retroCVE
6/
-
What's up with that #GuLoader URL?
The command uses a URL format that looks like a hexadecimal value, a dot, and then a decimal number.
It turns out that this is a variation of the so-called #dotless IP address format.
Back in 1999, there was a vulnerability in Internet Explorer where someone figured out this very odd bug. CVE-1999-1087 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1087 aka MS98-016) describes this bug and the strange formatting of the URL.
Back then, @threatresearch created a little Excel spreadsheet that shows how to do this conversion. In essence, a dotless IP address is the decimal representation of a hexadecimal representation of the four octets in an IPv4 address.
The spreadsheet tells the story better than I can with words, so take a look at this screenshot of it, with the update to show how the #GuLoader threat actors have adopted this method. Basically they use the hexadecimal value for the first of the four IPv4 octets, and then the decimal conversion value for the final three octets of the IPv4 address. It's very clever, because there still isn't a very strong understanding of this low-level way that network stacks interpret IPv4 addresses. Apparently PowerShell does interpret it correctly.
Just another weirdness and we haven't even gotten to the malware, itself.
#GuLoader #Remcos #maltax #malware #dotlessIP #retroCVE
6/
-
What's up with that #GuLoader URL?
The command uses a URL format that looks like a hexadecimal value, a dot, and then a decimal number.
It turns out that this is a variation of the so-called #dotless IP address format.
Back in 1999, there was a vulnerability in Internet Explorer where someone figured out this very odd bug. CVE-1999-1087 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1087 aka MS98-016) describes this bug and the strange formatting of the URL.
Back then, @threatresearch created a little Excel spreadsheet that shows how to do this conversion. In essence, a dotless IP address is the decimal representation of a hexadecimal representation of the four octets in an IPv4 address.
The spreadsheet tells the story better than I can with words, so take a look at this screenshot of it, with the update to show how the #GuLoader threat actors have adopted this method. Basically they use the hexadecimal value for the first of the four IPv4 octets, and then the decimal conversion value for the final three octets of the IPv4 address. It's very clever, because there still isn't a very strong understanding of this low-level way that network stacks interpret IPv4 addresses. Apparently PowerShell does interpret it correctly.
Just another weirdness and we haven't even gotten to the malware, itself.
#GuLoader #Remcos #maltax #malware #dotlessIP #retroCVE
6/
-
What's up with that #GuLoader URL?
The command uses a URL format that looks like a hexadecimal value, a dot, and then a decimal number.
It turns out that this is a variation of the so-called #dotless IP address format.
Back in 1999, there was a vulnerability in Internet Explorer where someone figured out this very odd bug. CVE-1999-1087 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1087 aka MS98-016) describes this bug and the strange formatting of the URL.
Back then, @threatresearch created a little Excel spreadsheet that shows how to do this conversion. In essence, a dotless IP address is the decimal representation of a hexadecimal representation of the four octets in an IPv4 address.
The spreadsheet tells the story better than I can with words, so take a look at this screenshot of it, with the update to show how the #GuLoader threat actors have adopted this method. Basically they use the hexadecimal value for the first of the four IPv4 octets, and then the decimal conversion value for the final three octets of the IPv4 address. It's very clever, because there still isn't a very strong understanding of this low-level way that network stacks interpret IPv4 addresses. Apparently PowerShell does interpret it correctly.
Just another weirdness and we haven't even gotten to the malware, itself.
#GuLoader #Remcos #maltax #malware #dotlessIP #retroCVE
6/
-
The Windows #shortcut pointed to a #PowerShell command. Obviously, because that's totally normal, right? 🙄
But the shortcut had been modified so that the Target field in its Properties sheet appeared blank.
Apparently there's a little bug in Windows. Microsoft already knows about it, because it was revealed in a blog post by researcher @[email protected] a year ago. If you mess around with a shortcut and prepend a big chunk of "space" characters, the Target field still works but the command will be hidden from the end user.
https://www.x86matthew.com/view_post?id=embed_exe_lnk
The threat actor used this exact technique.
The command executed by the Windows shortcut is a PowerShell "Invoke-WebRequest" download of a VBS.
#GuLoader #Remcos #maltax #malware
5/
-
The Windows #shortcut pointed to a #PowerShell command. Obviously, because that's totally normal, right? 🙄
But the shortcut had been modified so that the Target field in its Properties sheet appeared blank.
Apparently there's a little bug in Windows. Microsoft already knows about it, because it was revealed in a blog post by researcher @[email protected] a year ago. If you mess around with a shortcut and prepend a big chunk of "space" characters, the Target field still works but the command will be hidden from the end user.
https://www.x86matthew.com/view_post?id=embed_exe_lnk
The threat actor used this exact technique.
The command executed by the Windows shortcut is a PowerShell "Invoke-WebRequest" download of a VBS.
#GuLoader #Remcos #maltax #malware
5/
-
The Windows #shortcut pointed to a #PowerShell command. Obviously, because that's totally normal, right? 🙄
But the shortcut had been modified so that the Target field in its Properties sheet appeared blank.
Apparently there's a little bug in Windows. Microsoft already knows about it, because it was revealed in a blog post by researcher @[email protected] a year ago. If you mess around with a shortcut and prepend a big chunk of "space" characters, the Target field still works but the command will be hidden from the end user.
https://www.x86matthew.com/view_post?id=embed_exe_lnk
The threat actor used this exact technique.
The command executed by the Windows shortcut is a PowerShell "Invoke-WebRequest" download of a VBS.
#GuLoader #Remcos #maltax #malware
5/