#guloader — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #guloader, aggregated by home.social.
-
Technical Analysis of GuLoader Obfuscation Techniques
#Guloader
https://www.zscaler.com/blogs/security-research/technical-analysis-guloader-obfuscation-techniques
-
2026-02-03 (Tuesday): #GuLoader for #AgentTesla style malware with FTP data exfiltration.
A #pcap of the infection traffic, associated files, and a list of indicators are available at https://www.malware-traffic-analysis.net/2026/02/03/index.html
Two online sandboxes tag this sample as AgentTesla, but I'm not sure what the actual name of this malware is.
- https://tria.ge/260203-tvhlyahx7c
- https://app.any.run/tasks/0840196f-2b8f-415c-8ca7-af0c8f394b0d
-
Watch out as a new email attack uses fake employee reports to deliver Guloader and Remcos RAT malware, tricking users into running dangerous files disguised as performance reviews.
Read: https://hackread.com/fake-employee-reports-guloader-remcos-rat-malware/
-
Malspam Monday is when I check the inboxes of my honey pot accounts for anything interesting distributed through email.
Today, I found an example of #GuLoader for #Remcos #RAT
Details at https://github.com/malware-traffic/indicators/blob/main/2025-03-24-GuLoader-for-Remcos-RAT.txt
-
2025-02-07 (Friday): Today's boring example of #malspam pushing #GuLoader for #AgentTesla style malware. EXE of this malware available at https://bazaar.abuse.ch/sample/833aae0bc34e211145371b619b7c542864e9f864e26de1690fd2f6be76fcb174
-
2025-01-09 (Thursday):
#CVE-2017-0199 Excel (#XLS) file --> #HTA --> #VBS --> #steganography --> #DBatLoader or #GuLoader style malware for #AgentTesla. Data exfil over FTP. A #pcap from an infection, the associated malware, and more info available at www.malware-traffic-analysis.net/2025/01/09/index.html
-
#Malware Campaigns #Italy Week 32
🔥☠️💣👻#SnakeKeyLogger: Quotation
#Guloader: Order
#Formbook: Bank form
#AsyncRAT: Document
#RemcosRAT: Prices
#AgentTesla: Quote
#ModiLoader: Payment
#StrRat: Order
#RedLine: Quotation
#Vidar: Payment
#Ousaban: Document
-
#Malware Campaigns #Italy Week 29
☠️💣🔥👻
#AgentTesla: Order
#Formbook: Offer
#GuLoader: Electronic Invoice
#Remcos: Bank
#Lokibot: Delivery
#SmokeLoader: Payments
#Irata: APK malware
#RedLine: Offer
#Neshta: Order
#Ousaban: Process
#SnakeKeylogger: Invoice
-
#Malware Campaigns #Italy Week 13
👻💣🔥☠️
#AgentTesla: Payments
#Remcos: Delivery
#Irata: APK Bank
#Phorpiex: Documents
#Guloader: Order
#PlanetStealer: Confirmation
#Lokibot: Quote
#Pikabot: Resend
-
Researchers Unveil GuLoader Malware's Latest Anti-Analysis Techniques
https://thehackernews.com/2023/12/researchers-unveal-guloader-malwares.html #Cybercrime #Malware #GuLoader
-
Ongoing reports indicate that the threat actors behind GuLoader persist in enhancing its ability to circumvent both existing and emerging security features.
-
"🔐 GuLoader's New Identity: The Protector 🎭"
GuLoader is now being sold under the name "The Protector" on the same platform as Remcos. It's advertised as a crypter that makes its payload fully undetectable by antiviruses (FUD). 🕵️♂️🔒
🔗 Source: Check Point Research
🏷️ Tags: #GuLoader #TheProtector #FUD #Crypter #CyberSecurity
-
Cyber Security Updates
Malware Loaders Responsible for 80% of Security Incidents
Dealing with malware loaders poses intricate challenges for SOC teams. A recent exploration by ReliaQuest has unveiled a multitude of disruptive loader instances. Notably, the trio comprised of “QakBot” (also recognized as QBot, QuackBot, Pinkslipbot), “SocGholish,” and “Raspberry Robin” emerged as the predominant culprits.
#QakBot #Gootloader #Guloader #Ursnif #Chromeloader #ACCESSYSTEM
-
Today in our section on "unconventional #Malware delivery": #ARJ archives! 📦
ARJ (Archived by Robert Jung) has been around since the MS-DOS days and is occasionally used to deliver e.g. #AgentTesla, #Formbook or #Guloader. You can recognize ARJ archives by their magic: 60 EA
Extraction can be handled with 7zip for example.
For more information on the file format check out Ange Albertini's excellent graphic representation: https://twitter.com/angealbertini/status/1619006171360395264
As an example we dug up a #Lokibot sample from last year where the delivery chain looked like this: ARJ --> RAR --> EXE
To fool the victims into opening the next file they used the common #doubleExtension trick, e.g. .pdf.exe
IoC for those playing along at home:
-
ISC Diary: @malware_traffic saw #GuLoader or #ModiLoader/#DBatLoader style traffic for #RemcosRAT https://i5c.us/d29990
-
@GossiTheDog @da_667 Someone really ought to come up with a practical cloud file sharing solution that will send everything someone puts online through detonation on a private sandbox and makes a determination that the file is safe before permitting others to download it. It's not especially difficult, it's just a complex problem waiting to be solved that nobody wants to tackle. This was one of the things I've been thinking about since finding out about the #GuLoader #maltax story
-
Here's a tiny slice of what was on the other end of that extremely weird PowerShell command line.
It's a Visual Basic Script (aka #VBScript) that is chock-full of obfuscatory badness. Long, word-salad variable names; giant blocks of encoded data broken into dozens of smaller chunks, with a script to concatenate them back into a big data blob, convert them, and deploy. This is the main #GuLoader infector.
We go into a lot more detail of how it works in the blog, but the tl;dr is that this script contains the #Remcos #malware payload, part of which it inserts into the Windows Registry in an encoded form. It then sets up a Scheduled Task to invoke a command that retrieves the Registry data, decodes it, and then reflectively injects it into legitimate processes, so the malware is never written to the file system of the infected machine.
7/
-
What's up with that #GuLoader URL?
The command uses a URL format that looks like a hexadecimal value, a dot, and then a decimal number.
It turns out that this is a variation of the so-called #dotless IP address format.
Back in 1999, there was a vulnerability in Internet Explorer where someone figured out this very odd bug. CVE-1999-1087 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1087 aka MS98-016) describes this bug and the strange formatting of the URL.
Back then, @threatresearch created a little Excel spreadsheet that shows how to do this conversion. In essence, a dotless IP address is the decimal representation of a hexadecimal representation of the four octets in an IPv4 address.
The spreadsheet tells the story better than I can with words, so take a look at this screenshot of it, with the update to show how the #GuLoader threat actors have adopted this method. Basically they use the hexadecimal value for the first of the four IPv4 octets, and then the decimal conversion value for the final three octets of the IPv4 address. It's very clever, because there still isn't a very strong understanding of this low-level way that network stacks interpret IPv4 addresses. Apparently PowerShell does interpret it correctly.
Just another weirdness, and we haven't even gotten to the malware itself.
#GuLoader #Remcos #maltax #malware #dotlessIP #retroCVE
6/
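As an added illustration (not part of the Sophos thread above), the Python below normalizes inet_aton-style IPv4 literals, including the hex-first-octet plus 24-bit-decimal form the post describes, back to dotted-quad form so URL filters and proxy-log reviews can match them against canonical addresses. It assumes the first component carries a 0x prefix as inet_aton expects; the sample URLs are constructed TEST-NET addresses, not indicators from the campaign.

```python
"""Normalize non-canonical IPv4 literals (e.g. '0xC0.522') to dotted-quad
form using the classic inet_aton rules most network stacks accept."""
import re
from urllib.parse import urlsplit

# One address component: 0x-prefixed hex, leading-zero octal, or decimal.
_PART_RE = re.compile(r"^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")


def _parse_part(part: str) -> int:
    """Parse a single component with inet_aton's base rules."""
    if not _PART_RE.match(part):
        raise ValueError(f"not an inet_aton component: {part!r}")
    low = part.lower()
    if low.startswith("0x"):
        return int(low[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def normalize_ipv4(host: str) -> str:
    """Return the canonical dotted-quad for any inet_aton-style literal.

    With n components (1..4), the first n-1 each fill one octet and the
    last fills the remaining 4-(n-1) octets.  'A.B' therefore means
    octet A followed by a 24-bit value B, which is the hex-first-octet /
    decimal-remainder form described in the thread (assumed 0x-prefixed).
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"{host!r} has {len(parts)} components")
    values = [_parse_part(p) for p in parts]
    widths = [1] * (len(values) - 1) + [5 - len(values)]  # bytes per part
    addr = 0
    for value, width in zip(values, widths):
        if value >= 1 << (8 * width):
            raise ValueError(f"component {value} exceeds {width} byte(s)")
        addr = (addr << (8 * width)) | value
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def is_obfuscated_ipv4(host: str) -> bool:
    """True when host parses as an IPv4 literal but is not already canonical."""
    try:
        return normalize_ipv4(host) != host
    except ValueError:
        return False


def flag_urls(urls):
    """Yield (url, canonical_ip) for URLs whose host is a non-canonical IP literal."""
    for url in urls:
        host = urlsplit(url).hostname or ""   # urlsplit lower-cases the host
        if is_obfuscated_ipv4(host):
            yield url, normalize_ipv4(host)


# Constructed sample URLs (TEST-NET addresses, not real indicators).
SAMPLE_URLS = [
    "http://0xC0.522/payload.vbs",   # hex first octet + 24-bit decimal
    "http://3221225985/x",           # single 32-bit decimal
    "http://0300.0.2.1/x",           # octal first octet
    "http://192.0.2.1/x",            # canonical, not flagged
    "http://example.invalid/x",      # hostname, not flagged
]

if __name__ == "__main__":
    for url, ip in flag_urls(SAMPLE_URLS):
        print(f"{url} -> {ip}")
```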
-
The Windows #shortcut pointed to a #PowerShell command. Obviously, because that's totally normal, right? 🙄
But the shortcut had been modified so that the Target field in its Properties sheet appeared blank.
Apparently there's a little bug in Windows. Microsoft already knows about it, because it was revealed in a blog post by researcher @[email protected] a year ago. If you mess around with a shortcut and prepend a big chunk of "space" characters, the Target field still works but the command will be hidden from the end user.
https://www.x86matthew.com/view_post?id=embed_exe_lnk
The threat actor used this exact technique.
The command executed by the Windows shortcut is a PowerShell "Invoke-WebRequest" download of a VBS.
#GuLoader #Remcos #maltax #malware
5/
-
We did get a copy of the original Zip archive from the #MDR investigation. The attacker (or the cloud provider) had already pulled down the file by the time we got to it but the customer still had a copy. We then began looking for similar files on OSINT sources and found a bunch more.
The Zip files contained two files, each. One is a Windows #shortcut file, and the other was a benign file.
The benign file was an MP3 recording of a live music performance - a file that sounds like someone playing an Oud, the stringed instrument similar to a lute used widely in the Middle East. (If any musical aficionados can confirm the instrument or identify the song, reach out to @threatresearch and let him know.)
We've uploaded the recording here: http://sndup.net/dh43
But although the file was legitimately an MP3, you can see they were named with the wrong file suffix. If you double-click the benign file, Windows says it can't open it. So it encourages the recipient to double-click the other icon, the one that looks like it's supposed to be a PDF document.
It wasn't a PDF document.
4/
-
In the case of this infection, the attacker didn't send anything malicious until the person they contacted replied to this benign "introduction"/solicitation email. It was smart because it kept them off the radar for our #spam traps.
The link pointed to a file hosted in a large cloud storage provider. The file was a password-protected Zip archive, and all the archives we came across used the same password: Fresh@123
The Zip's contents were pretty weird, and then it got weirder.
3/
-
@SophosXOps First found out about the campaign when one of the affected companies reached out to us about alerts they were seeing on their dashboard. The #Sophos #MDR team began to investigate, found the #malware immediately, collected evidence, and removed it. It would have been a fairly boring, mundane story of #malware cleanup but then we found out about the way the target was initially infected.
The threat actor sent a moderately generic, entirely benign email to the tax preparation firm asking them if they're taking on new clients. There was no malicious attachment or link, just a conversational, chatty email from the kind of person who might, actually, be a prospective client to a tax preparer.
2/
-
Hey everybody, it's @threatresearch taking control of the Sophos X-Ops Mastodon feed with an update about the #research I've been working on for several weeks with my Labs and #MDR colleagues, just published this morning.
In February, a #tax #accounting firm reached out to us about a strange email exchange they had (and the aftermath), and the more we started digging, the more we found.
The big takeaway is that an unknown threat actor group appears to have been targeting the kinds of small- to medium-sized businesses that perform tax preparation services in the United States with a social engineering method that kept their activities under the radar...until it delivered #malware to those targets. The campaign seemed to start in late January and has ramped up significantly in the past few weeks. There are thousands of CPA and accounting businesses in the US and this is their busiest time of the year, and they handle a lot of financially sensitive documents.
The delivery method was a type of malware called #GuLoader, and the payload was a commodity #RAT malware called #remcos
A short thread begins here:
https://news.sophos.com/en-us/2023/04/13/tax-firms-targeted-by-precision-malware-attacks/
-
Several #ecommerce industries in South Korea and the United States are being targeted by a #GuLoader #malware campaign, according to a report from #cybersecurity firm Trellix. https://andreafortuna.org/2023/02/06/guloader-new-version-uses-nullsoft-scriptable-install-system?utm_source=dlvr.it&utm_medium=mastodon
-
📬 Phishing emails: supposed "Jens Spahn" sends malware 📬 https://tarnkappe.info/phishing-mails-vermeintlicher-jens-spahn-verschickt-schadsoftware/ #Trojan.GuLoader #Phishing-Mails #GüntherEnnen #JensSpahn #GuLoader #Hacking #CERT
-