home.social

#guloader — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #guloader, aggregated by home.social.

  1. 2026-02-03 (Tuesday): #GuLoader for #AgentTesla style malware with FTP data exfiltration.

    A #pcap of the infection traffic, associated files, and a list of indicators are available at malware-traffic-analysis.net/2

    Two online sandboxes tag this sample as AgentTesla, but I'm not sure what the actual name of this malware is.

    - tria.ge/260203-tvhlyahx7c
    - app.any.run/tasks/0840196f-2b8

  2. Watch out as a new email attack uses fake employee reports to deliver Guloader and Remcos RAT malware, tricking users into running dangerous files disguised as performance reviews.

    Read: hackread.com/fake-employee-rep

    #Malware #Guloader #RemcosRAT #Phishing #CyberSecurity

  3. Watch out as a new email attack uses fake employee reports to deliver Guloader and Remcos RAT malware, tricking users into running dangerous files disguised as performance reviews.

    Read: hackread.com/fake-employee-rep

  4. Watch out as a new email attack uses fake employee reports to deliver Guloader and Remcos RAT malware, tricking users into running dangerous files disguised as performance reviews.

    Read: hackread.com/fake-employee-rep

    #Malware #Guloader #RemcosRAT #Phishing #CyberSecurity

  5. Watch out as a new email attack uses fake employee reports to deliver Guloader and Remcos RAT malware, tricking users into running dangerous files disguised as performance reviews.

    Read: hackread.com/fake-employee-rep

    #Malware #Guloader #RemcosRAT #Phishing #CyberSecurity

  6. Watch out as a new email attack uses fake employee reports to deliver Guloader and Remcos RAT malware, tricking users into running dangerous files disguised as performance reviews.

    Read: hackread.com/fake-employee-rep

    #Malware #Guloader #RemcosRAT #Phishing #CyberSecurity

  7. #MalspamMonday

    Malspam Monday is when I check the inboxes of my honey pot accounts for anything interesting distributed through email.

    Today, I found an example of #GuLoader for #Remcos #RAT

    Details at github.com/malware-traffic/ind

    #RemcosRAT #malspam

  8. 2025-01-09 (Thursday):

    #CVE-2017-0199 Excel (#XLS) file --> #HTA --> #VBS --> #steganography --> #DBatLoader or #GuLoader style malware for #AgentTesla. Data exfil over FTP. A #pcap from an infection, the associated malware, and more info available at www.malware-traffic-analysis.net/2025/01/09/index.html

  9. 2025-01-09 (Thursday):

    #CVE-2017-0199 Excel (#XLS) file --> #HTA --> #VBS --> #steganography --> #DBatLoader or #GuLoader style malware for #AgentTesla. Data exfil over FTP. A #pcap from an infection, the associated malware, and more info available at www.malware-traffic-analysis.net/2025/01/09/index.html

  10. 2025-01-09 (Thursday):

    #CVE-2017-0199 Excel (#XLS) file --> #HTA --> #VBS --> #steganography --> #DBatLoader or #GuLoader style malware for #AgentTesla. Data exfil over FTP. A #pcap from an infection, the associated malware, and more info available at www.malware-traffic-analysis.net/2025/01/09/index.html

  11. 2025-01-09 (Thursday):

    #CVE-2017-0199 Excel (#XLS) file --> #HTA --> #VBS --> #steganography --> #DBatLoader or #GuLoader style malware for #AgentTesla. Data exfil over FTP. A #pcap from an infection, the associated malware, and more info available at www.malware-traffic-analysis.net/2025/01/09/index.html

  12. 2025-01-09 (Thursday):

    #CVE-2017-0199 Excel (#XLS) file --> #HTA --> #VBS --> #steganography --> #DBatLoader or #GuLoader style malware for #AgentTesla. Data exfil over FTP. A #pcap from an infection, the associated malware, and more info available at www.malware-traffic-analysis.net/2025/01/09/index.html

  13. Campagne #Malware #Italy Week 32
    🔥☠️💣👻

    #SnakeKeyLogger: Citazione
    #Guloader: Ordine
    #Formbook: Modulo bancario
    #AsyncRAT: Documento
    #RemcosRAT: Prezzi
    #AgentTesla: Preventivo
    #ModiLoader: Pagamento
    #StrRat: Ordine
    #RedLine: Quotazione
    #Vidar: Pagamento
    #Ousaban: Documento

    #mwitaly

  14. Campagne #Malware #Italy Week 29

    ☠️💣🔥👻
    #AgentTesla: Ordine
    #Formbook: Offerta
    #GuLoader: Fattura Elettronica
    #Remcos: Bank
    #Lokibot: Delivery
    #SmokeLoader: Pagamenti
    #Irata: Malware APK
    #RedLine: Offerta
    #Neshta: Ordine
    #Ousaban: Processo
    #SnakeKeylogger: Fattura

    #mwitaly

  15. Campagne #Malware #Italy Week 13

    👻💣🔥☠️
    #AgentTesla: Pagamenti
    #Remcos: Delivery
    #Irata: APK Bank
    #Phorpiex: Documenti
    #Guloader: Ordine
    #PlanetStealer: Conferma
    #Lokibot: Preventivo
    #Pikabot: Resend

    #mwitaly

  16. Ongoing reports indicate that the threat actors behind GuLoader persist in enhancing its ability to circumvent both existing and emerging security features.

    #Cybersecurity #GuLoader #Malware #Cyberthreat

    cybersec84.wordpress.com/2023/

  17. "🔐 GuLoader's New Identity: The Protector 🎭"

    GuLoader is now being sold under the name "The Protector" on the same platform as Remcos. It's advertised as a crypter that makes its payload fully undetectable by antiviruses (FUD). 🕵️‍♂️🔒

    🔗 Source: Check Point Research

    🏷️ Tags: #GuLoader #TheProtector #FUD #Crypter #CyberSecurity

  18. "🔐 GuLoader's New Identity: The Protector 🎭"

    GuLoader is now being sold under the name "The Protector" on the same platform as Remcos. It's advertised as a crypter that makes its payload fully undetectable by antiviruses (FUD). 🕵️‍♂️🔒

    🔗 Source: Check Point Research

    🏷️ Tags: #GuLoader #TheProtector #FUD #Crypter #CyberSecurity

  19. "🔐 GuLoader's New Identity: The Protector 🎭"

    GuLoader is now being sold under the name "The Protector" on the same platform as Remcos. It's advertised as a crypter that makes its payload fully undetectable by antiviruses (FUD). 🕵️‍♂️🔒

    🔗 Source: Check Point Research

    🏷️ Tags: #GuLoader #TheProtector #FUD #Crypter #CyberSecurity

  20. "🔐 GuLoader's New Identity: The Protector 🎭"

    GuLoader is now being sold under the name "The Protector" on the same platform as Remcos. It's advertised as a crypter that makes its payload fully undetectable by antiviruses (FUD). 🕵️‍♂️🔒

    🔗 Source: Check Point Research

    🏷️ Tags: #GuLoader #TheProtector #FUD #Crypter #CyberSecurity

  21. "🔐 GuLoader's New Identity: The Protector 🎭"

    GuLoader is now being sold under the name "The Protector" on the same platform as Remcos. It's advertised as a crypter that makes its payload fully undetectable by antiviruses (FUD). 🕵️‍♂️🔒

    🔗 Source: Check Point Research

    🏷️ Tags: #GuLoader #TheProtector #FUD #Crypter #CyberSecurity

  22. #guloader at:

    http://192.3.172[.208/250/igucc.exe
    -> http://globosphera[.org/wp-admin/TfyoowmRfDgDhf247.bin

    #azolrult c2:
    http://mixz[.]shop/BL821/index.php

    932A29DCD8B778F2E7C509B3EF9D732632EDC266596BEA3ED351803DC08CD5AF

  23. Cyber Security Updates
    Malware Loaders Responsible for 80% of Security Incidents
    Dealing with malware loaders poses intricate challenges for SOC teams.

    A recent exploration by ReliaQuest has unveiled a multitude of disruptive loader instances. Notably, the trio comprised of “QakBot” (also recognized as QBot, QuackBot, Pinkslipbot), “SocGholish,” and “Raspberry Robin” emerged as the predominant culprits.

    #QakBot #Gootloader #Guloader #Ursnif #Chromeloader #ACCESSYSTEM

  24. @GossiTheDog @da_667 Someone really ought to come up with a practical cloud file sharing solution that will send everything someone puts online through detonation on a private sandbox and makes a determination that the file is safe before permitting others to download it. It's not especially difficult, it's just a complex problem waiting to be solved that nobody wants to tackle. This was one of the things I've been thinking about since finding out about the #GuLoader #maltax story

  25. @GossiTheDog @da_667 Someone really ought to come up with a practical cloud file sharing solution that will send everything someone puts online through detonation on a private sandbox and makes a determination that the file is safe before permitting others to download it. It's not especially difficult, it's just a complex problem waiting to be solved that nobody wants to tackle. This was one of the things I've been thinking about since finding out about the #GuLoader #maltax story

  26. @GossiTheDog @da_667 Someone really ought to come up with a practical cloud file sharing solution that will send everything someone puts online through detonation on a private sandbox and makes a determination that the file is safe before permitting others to download it. It's not especially difficult, it's just a complex problem waiting to be solved that nobody wants to tackle. This was one of the things I've been thinking about since finding out about the #GuLoader #maltax story

  27. @GossiTheDog @da_667 Someone really ought to come up with a practical cloud file sharing solution that will send everything someone puts online through detonation on a private sandbox and makes a determination that the file is safe before permitting others to download it. It's not especially difficult, it's just a complex problem waiting to be solved that nobody wants to tackle. This was one of the things I've been thinking about since finding out about the #GuLoader #maltax story

  28. @GossiTheDog @da_667 Someone really ought to come up with a practical cloud file sharing solution that will send everything someone puts online through detonation on a private sandbox and makes a determination that the file is safe before permitting others to download it. It's not especially difficult, it's just a complex problem waiting to be solved that nobody wants to tackle. This was one of the things I've been thinking about since finding out about the #GuLoader #maltax story

  29. Here's a tiny slice of what was on the other end of that extremely weird PowerShell command line.

    It's a Visual Basic Script (aka #VBScript) that is chock-full of obfuscatory badness. Long, word-salad variable names; Giant blocks of encoded data broken into dozens of smaller chunks, with a script to concatenate them back into a big data blob, convert them, and deploy. This is the main #GuLoader infector.

    We go into a lot more detail of how it works in the blog, but the tl;dr is that this script contains the #Remcos #malware payload, part of which it inserts into the Windows Registry in an encoded form. It then sets up a Scheduled Task to invoke a command that retrieves the Registry data, decode it, and then reflectively inject it into legitimate processes, so the malware is never written to the file system of the infected machine.

    #maltax

    7/

  30. Here's a tiny slice of what was on the other end of that extremely weird PowerShell command line.

    It's a Visual Basic Script (aka #VBScript) that is chock-full of obfuscatory badness. Long, word-salad variable names; Giant blocks of encoded data broken into dozens of smaller chunks, with a script to concatenate them back into a big data blob, convert them, and deploy. This is the main #GuLoader infector.

    We go into a lot more detail of how it works in the blog, but the tl;dr is that this script contains the #Remcos #malware payload, part of which it inserts into the Windows Registry in an encoded form. It then sets up a Scheduled Task to invoke a command that retrieves the Registry data, decode it, and then reflectively inject it into legitimate processes, so the malware is never written to the file system of the infected machine.

    #maltax

    7/

  31. Here's a tiny slice of what was on the other end of that extremely weird PowerShell command line.

    It's a Visual Basic Script (aka #VBScript) that is chock-full of obfuscatory badness. Long, word-salad variable names; Giant blocks of encoded data broken into dozens of smaller chunks, with a script to concatenate them back into a big data blob, convert them, and deploy. This is the main #GuLoader infector.

    We go into a lot more detail of how it works in the blog, but the tl;dr is that this script contains the #Remcos #malware payload, part of which it inserts into the Windows Registry in an encoded form. It then sets up a Scheduled Task to invoke a command that retrieves the Registry data, decode it, and then reflectively inject it into legitimate processes, so the malware is never written to the file system of the infected machine.

    #maltax

    7/

  32. Here's a tiny slice of what was on the other end of that extremely weird PowerShell command line.

    It's a Visual Basic Script (aka #VBScript) that is chock-full of obfuscatory badness. Long, word-salad variable names; Giant blocks of encoded data broken into dozens of smaller chunks, with a script to concatenate them back into a big data blob, convert them, and deploy. This is the main #GuLoader infector.

    We go into a lot more detail of how it works in the blog, but the tl;dr is that this script contains the #Remcos #malware payload, part of which it inserts into the Windows Registry in an encoded form. It then sets up a Scheduled Task to invoke a command that retrieves the Registry data, decode it, and then reflectively inject it into legitimate processes, so the malware is never written to the file system of the infected machine.

    #maltax

    7/

  33. Here's a tiny slice of what was on the other end of that extremely weird PowerShell command line.

    It's a Visual Basic Script (aka #VBScript) that is chock-full of obfuscatory badness. Long, word-salad variable names; Giant blocks of encoded data broken into dozens of smaller chunks, with a script to concatenate them back into a big data blob, convert them, and deploy. This is the main #GuLoader infector.

    We go into a lot more detail of how it works in the blog, but the tl;dr is that this script contains the #Remcos #malware payload, part of which it inserts into the Windows Registry in an encoded form. It then sets up a Scheduled Task to invoke a command that retrieves the Registry data, decode it, and then reflectively inject it into legitimate processes, so the malware is never written to the file system of the infected machine.

    #maltax

    7/

  34. What's up with that #GuLoader URL?

    The command uses a URL format that looks like a hexadecimal value, a dot, and then a decimal number.

    It turns out that this is a variation of the so-called #dotless IP address format.

    Back in 1999, there was a vulnerability in Internet Explorer where someone figured out this very odd bug. CVE-1999-1087 (cve.mitre.org/cgi-bin/cvename. aka MS98-016) describes this bug and the strange formatting of the URL.

    Back then, @threatresearch created a little Excel spreadsheet that shows how to do this conversion. In essence, a dotless IP address is the decimal representation of a hexadecimal representation of the four octets in an IPv4 address.

    The spreadsheet tells the story better than I can with words, so take a look at this screenshot of it, with the update to show how the #GuLoader threat actors have adopted this method. Basically they use the hexadecimal value for the first of the four IPv4 octets, and then the decimal conversion value for the final three octets of the IPv4 address. It's very clever, because there still isn't a very strong understanding of this low-level way that network stacks interpret IPv4 addresses. Apparently PowerShell does interpret it correctly.

    Just another weirdness and we haven't even gotten to the malware, itself.

    #GuLoader #Remcos #maltax #malware #dotlessIP #retroCVE

    6/

  35. What's up with that #GuLoader URL?

    The command uses a URL format that looks like a hexadecimal value, a dot, and then a decimal number.

    It turns out that this is a variation of the so-called #dotless IP address format.

    Back in 1999, there was a vulnerability in Internet Explorer where someone figured out this very odd bug. CVE-1999-1087 (cve.mitre.org/cgi-bin/cvename. aka MS98-016) describes this bug and the strange formatting of the URL.

    Back then, @threatresearch created a little Excel spreadsheet that shows how to do this conversion. In essence, a dotless IP address is the decimal representation of a hexadecimal representation of the four octets in an IPv4 address.

    The spreadsheet tells the story better than I can with words, so take a look at this screenshot of it, with the update to show how the #GuLoader threat actors have adopted this method. Basically they use the hexadecimal value for the first of the four IPv4 octets, and then the decimal conversion value for the final three octets of the IPv4 address. It's very clever, because there still isn't a very strong understanding of this low-level way that network stacks interpret IPv4 addresses. Apparently PowerShell does interpret it correctly.

    Just another weirdness and we haven't even gotten to the malware, itself.

    #GuLoader #Remcos #maltax #malware #dotlessIP #retroCVE

    6/

  36. What's up with that #GuLoader URL?

    The command uses a URL format that looks like a hexadecimal value, a dot, and then a decimal number.

    It turns out that this is a variation of the so-called #dotless IP address format.

    Back in 1999, there was a vulnerability in Internet Explorer where someone figured out this very odd bug. CVE-1999-1087 (cve.mitre.org/cgi-bin/cvename. aka MS98-016) describes this bug and the strange formatting of the URL.

    Back then, @threatresearch created a little Excel spreadsheet that shows how to do this conversion. In essence, a dotless IP address is the decimal representation of a hexadecimal representation of the four octets in an IPv4 address.

    The spreadsheet tells the story better than I can with words, so take a look at this screenshot of it, with the update to show how the #GuLoader threat actors have adopted this method. Basically they use the hexadecimal value for the first of the four IPv4 octets, and then the decimal conversion value for the final three octets of the IPv4 address. It's very clever, because there still isn't a very strong understanding of this low-level way that network stacks interpret IPv4 addresses. Apparently PowerShell does interpret it correctly.

    Just another weirdness and we haven't even gotten to the malware, itself.

    #GuLoader #Remcos #maltax #malware #dotlessIP #retroCVE

    6/

  37. What's up with that #GuLoader URL?

    The command uses a URL format that looks like a hexadecimal value, a dot, and then a decimal number.

    It turns out that this is a variation of the so-called #dotless IP address format.

    Back in 1999, there was a vulnerability in Internet Explorer where someone figured out this very odd bug. CVE-1999-1087 (cve.mitre.org/cgi-bin/cvename. aka MS98-016) describes this bug and the strange formatting of the URL.

    Back then, @threatresearch created a little Excel spreadsheet that shows how to do this conversion. In essence, a dotless IP address is the decimal representation of a hexadecimal representation of the four octets in an IPv4 address.

    The spreadsheet tells the story better than I can with words, so take a look at this screenshot of it, with the update to show how the #GuLoader threat actors have adopted this method. Basically they use the hexadecimal value for the first of the four IPv4 octets, and then the decimal conversion value for the final three octets of the IPv4 address. It's very clever, because there still isn't a very strong understanding of this low-level way that network stacks interpret IPv4 addresses. Apparently PowerShell does interpret it correctly.

    Just another weirdness and we haven't even gotten to the malware, itself.

    #GuLoader #Remcos #maltax #malware #dotlessIP #retroCVE

    6/

  38. What's up with that #GuLoader URL?

    The command uses a URL format that looks like a hexadecimal value, a dot, and then a decimal number.

    It turns out that this is a variation of the so-called #dotless IP address format.

    Back in 1999, there was a vulnerability in Internet Explorer where someone figured out this very odd bug. CVE-1999-1087 (cve.mitre.org/cgi-bin/cvename. aka MS98-016) describes this bug and the strange formatting of the URL.

    Back then, @threatresearch created a little Excel spreadsheet that shows how to do this conversion. In essence, a dotless IP address is the decimal representation of a hexadecimal representation of the four octets in an IPv4 address.

    The spreadsheet tells the story better than I can with words, so take a look at this screenshot of it, with the update to show how the #GuLoader threat actors have adopted this method. Basically they use the hexadecimal value for the first of the four IPv4 octets, and then the decimal conversion value for the final three octets of the IPv4 address. It's very clever, because there still isn't a very strong understanding of this low-level way that network stacks interpret IPv4 addresses. Apparently PowerShell does interpret it correctly.

    Just another weirdness and we haven't even gotten to the malware, itself.

    #GuLoader #Remcos #maltax #malware #dotlessIP #retroCVE

    6/

  39. The Windows #shortcut pointed to a #PowerShell command. Obviously, because that's totally normal, right? 🙄​

    But the shortcut had been modified so that the Target field in its Properties sheet appeared blank.

    Apparently there's a little bug in Windows. Microsoft already knows about it, because it was revealed in a blog post by researcher @[email protected] a year ago. If you mess around with a shortcut and prepend a big chunk of "space" characters, the Target field still works but the command will be hidden from the end user.

    x86matthew.com/view_post?id=em

    The threat actor used this exact technique.

    The command executed by the Windows shortcut is a PowerShell "Invoke-WebRequest" download of a VBS.

    #GuLoader #Remcos #maltax #malware

    5/

  40. The Windows #shortcut pointed to a #PowerShell command. Obviously, because that's totally normal, right? 🙄​

    But the shortcut had been modified so that the Target field in its Properties sheet appeared blank.

    Apparently there's a little bug in Windows. Microsoft already knows about it, because it was revealed in a blog post by researcher @[email protected] a year ago. If you mess around with a shortcut and prepend a big chunk of "space" characters, the Target field still works but the command will be hidden from the end user.

    x86matthew.com/view_post?id=em

    The threat actor used this exact technique.

    The command executed by the Windows shortcut is a PowerShell "Invoke-WebRequest" download of a VBS.

    #GuLoader #Remcos #maltax #malware

    5/

  41. The Windows #shortcut pointed to a #PowerShell command. Obviously, because that's totally normal, right? 🙄​

    But the shortcut had been modified so that the Target field in its Properties sheet appeared blank.

    Apparently there's a little bug in Windows. Microsoft already knows about it, because it was revealed in a blog post by researcher @[email protected] a year ago. If you mess around with a shortcut and prepend a big chunk of "space" characters, the Target field still works but the command will be hidden from the end user.

    x86matthew.com/view_post?id=em

    The threat actor used this exact technique.

    The command executed by the Windows shortcut is a PowerShell "Invoke-WebRequest" download of a VBS.

    #GuLoader #Remcos #maltax #malware

    5/