home.social

#guloader — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #guloader, aggregated by home.social.

  1. 2026-02-03 (Tuesday): #GuLoader for #AgentTesla style malware with FTP data exfiltration.

    A #pcap of the infection traffic, associated files, and a list of indicators are available at malware-traffic-analysis.net/2

    Two online sandboxes tag this sample as AgentTesla, but I'm not sure what the actual name of this malware is.

    - tria.ge/260203-tvhlyahx7c
    - app.any.run/tasks/0840196f-2b8

  2. Watch out as a new email attack uses fake employee reports to deliver Guloader and Remcos RAT malware, tricking users into running dangerous files disguised as performance reviews.

    Read: hackread.com/fake-employee-rep

    #Malware #Guloader #RemcosRAT #Phishing #CyberSecurity

  7. #MalspamMonday

    Malspam Monday is when I check the inboxes of my honey pot accounts for anything interesting distributed through email.

    Today, I found an example of #GuLoader for #Remcos #RAT

    Details at github.com/malware-traffic/ind

    #RemcosRAT #malspam

  8. 2025-01-09 (Thursday):

    #CVE-2017-0199 Excel (#XLS) file --> #HTA --> #VBS --> #steganography --> #DBatLoader or #GuLoader style malware for #AgentTesla. Data exfil over FTP. A #pcap from an infection, the associated malware, and more info available at www.malware-traffic-analysis.net/2025/01/09/index.html

  13. #Malware campaigns #Italy Week 32
    🔥☠️💣👻

    #SnakeKeyLogger: Citazione (Citation)
    #Guloader: Ordine (Order)
    #Formbook: Modulo bancario (Bank form)
    #AsyncRAT: Documento (Document)
    #RemcosRAT: Prezzi (Prices)
    #AgentTesla: Preventivo (Quote)
    #ModiLoader: Pagamento (Payment)
    #StrRat: Ordine (Order)
    #RedLine: Quotazione (Quotation)
    #Vidar: Pagamento (Payment)
    #Ousaban: Documento (Document)

    #mwitaly

  14. #Malware campaigns #Italy Week 29

    ☠️💣🔥👻
    #AgentTesla: Ordine (Order)
    #Formbook: Offerta (Offer)
    #GuLoader: Fattura Elettronica (Electronic invoice)
    #Remcos: Bank
    #Lokibot: Delivery
    #SmokeLoader: Pagamenti (Payments)
    #Irata: Malware APK
    #RedLine: Offerta (Offer)
    #Neshta: Ordine (Order)
    #Ousaban: Processo (Proceeding)
    #SnakeKeylogger: Fattura (Invoice)

    #mwitaly

  15. #Malware campaigns #Italy Week 13

    👻💣🔥☠️
    #AgentTesla: Pagamenti (Payments)
    #Remcos: Delivery
    #Irata: APK Bank
    #Phorpiex: Documenti (Documents)
    #Guloader: Ordine (Order)
    #PlanetStealer: Conferma (Confirmation)
    #Lokibot: Preventivo (Quote)
    #Pikabot: Resend

    #mwitaly

  16. Ongoing reports indicate that the threat actors behind GuLoader persist in enhancing its ability to circumvent both existing and emerging security features.

    #Cybersecurity #GuLoader #Malware #Cyberthreat

    cybersec84.wordpress.com/2023/

  17. "🔐 GuLoader's New Identity: The Protector 🎭"

    GuLoader is now being sold under the name "The Protector" on the same platform as Remcos. It's advertised as a crypter that makes its payload fully undetectable by antiviruses (FUD). 🕵️‍♂️🔒

    🔗 Source: Check Point Research

    🏷️ Tags: #GuLoader #TheProtector #FUD #Crypter #CyberSecurity

  22. #guloader at:

    http://192.3.172[.208/250/igucc.exe
    -> http://globosphera[.org/wp-admin/TfyoowmRfDgDhf247.bin

    #azolrult c2:
    http://mixz[.]shop/BL821/index.php

    932A29DCD8B778F2E7C509B3EF9D732632EDC266596BEA3ED351803DC08CD5AF

  23. Cyber Security Updates
    Malware Loaders Responsible for 80% of Security Incidents
    Dealing with malware loaders poses intricate challenges for SOC teams.

    A recent exploration by ReliaQuest has unveiled a multitude of disruptive loader instances. Notably, the trio comprised of “QakBot” (also recognized as QBot, QuackBot, Pinkslipbot), “SocGholish,” and “Raspberry Robin” emerged as the predominant culprits.

    #QakBot #Gootloader #Guloader #Ursnif #Chromeloader #ACCESSYSTEM

  24. Today in our section on "unconventional #Malware delivery": #ARJ archives! 📦
    ARJ (Archived by Robert Jung) has been around since the MS-DOS days and is occasionally used to deliver e.g. #AgentTesla, #Formbook or #Guloader.

    You can recognize ARJ archives by their Magic: 60 EA
    Extraction can be handled with 7zip for example.
    For more information on the file format check out Ange Albertini's excellent graphic representation: twitter.com/angealbertini/stat

    As an example we dug up a #Lokibot sample from last year where the delivery chain looked like this: ARJ --> RAR --> EXE
    To fool the victims into opening the next file they used the common #doubleExtension trick, e.g. .pdf.exe

    IoC for those playing along at home:

    #infosec #cybersecurity #blueteam

  25. @GossiTheDog @da_667 Someone really ought to come up with a practical cloud file sharing solution that will send everything someone puts online through detonation on a private sandbox and makes a determination that the file is safe before permitting others to download it. It's not especially difficult, it's just a complex problem waiting to be solved that nobody wants to tackle. This was one of the things I've been thinking about since finding out about the #GuLoader #maltax story.

  26. Here's a tiny slice of what was on the other end of that extremely weird PowerShell command line.

    It's a Visual Basic Script (aka #VBScript) that is chock-full of obfuscatory badness: long, word-salad variable names; giant blocks of encoded data broken into dozens of smaller chunks, with a script to concatenate them back into a big data blob, convert them, and deploy. This is the main #GuLoader infector.

    We go into a lot more detail of how it works in the blog, but the tl;dr is that this script contains the #Remcos #malware payload, part of which it inserts into the Windows Registry in an encoded form. It then sets up a Scheduled Task to invoke a command that retrieves the Registry data, decodes it, and then reflectively injects it into legitimate processes, so the malware is never written to the file system of the infected machine.

    #maltax

    7/

  27. What's up with that #GuLoader URL?

    The command uses a URL format that looks like a hexadecimal value, a dot, and then a decimal number.

    It turns out that this is a variation of the so-called #dotless IP address format.

    Back in 1999, there was a vulnerability in Internet Explorer where someone figured out this very odd bug. CVE-1999-1087 (cve.mitre.org/cgi-bin/cvename. aka MS98-016) describes this bug and the strange formatting of the URL.

    Back then, @threatresearch created a little Excel spreadsheet that shows how to do this conversion. In essence, a dotless IP address is the decimal representation of a hexadecimal representation of the four octets in an IPv4 address.

    The spreadsheet tells the story better than I can with words, so take a look at this screenshot of it, with the update to show how the #GuLoader threat actors have adopted this method. Basically they use the hexadecimal value for the first of the four IPv4 octets, and then the decimal conversion value for the final three octets of the IPv4 address. It's very clever, because there still isn't a very strong understanding of this low-level way that network stacks interpret IPv4 addresses. Apparently PowerShell does interpret it correctly.

    Just another weirdness, and we haven't even gotten to the malware itself.

    #GuLoader #Remcos #maltax #malware #dotlessIP #retroCVE

    6/
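The post above describes the hybrid literal (hex first octet, then one decimal number covering the last three octets) as a variant of the classic inet_aton() parsing rules. The following normaliser is an added example, not code from the Sophos X-Ops thread or the spreadsheet it mentions: it assumes the standard inet_aton() rules (1 to 4 parts; decimal, octal or 0x-hex parts; the last part widened to fill the remaining bytes), which is the behaviour the post says PowerShell honours, and the address 192.0.2.10 and its encodings are constructed test values, not indicators from the campaign. Rewriting such hosts to a dotted quad lets proxy or EDR logs be matched against ordinary IP-based blocklists and flags the unusual literal itself as a detection signal.

```python
"""Normalise IPv4 host literals written in inet_aton()-style forms.

Assumed parsing rules (classic inet_aton, also honoured by PowerShell per
the thread above):
  * 1 to 4 dot-separated parts;
  * each part may be decimal, octal (leading 0) or hexadecimal (0x prefix);
  * all but the last part are single bytes; the last part is widened to
    fill the remaining bytes, so "a.b" is one byte plus a 24-bit value.
"""
import re
from urllib.parse import urlsplit, urlunsplit

_PART = re.compile(r"^(?:0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")


def _parse_part(part: str) -> int:
    """Interpret one dot-separated part as hex, octal or decimal."""
    if not _PART.match(part):
        raise ValueError(f"not a numeric part: {part!r}")
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def inet_aton_to_dotted(literal: str) -> str:
    """Return the canonical dotted quad for any inet_aton-style literal."""
    parts = literal.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError("expected 1 to 4 parts")
    values = [_parse_part(p) for p in parts]
    leading, last = values[:-1], values[-1]
    if any(v > 0xFF for v in leading):
        raise ValueError("leading part exceeds one byte")
    last_width = 4 - len(leading)            # bytes the last part must cover
    if last >= 1 << (8 * last_width):
        raise ValueError("last part exceeds its width")
    addr = 0
    for v in leading:
        addr = (addr << 8) | v
    addr = (addr << (8 * last_width)) | last
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def is_unusual_ipv4_literal(host: str) -> bool:
    """True when the host parses as IPv4 but is not already a dotted quad."""
    try:
        return inet_aton_to_dotted(host) != host
    except ValueError:
        return False                          # a hostname, not an IP literal


def normalize_url_host(url: str) -> tuple[str, bool]:
    """Rewrite an unusual IPv4 host to dotted-quad form; flag if it changed."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not is_unusual_ipv4_literal(host):
        return url, False
    netloc = inet_aton_to_dotted(host)
    if parts.port:
        netloc += f":{parts.port}"
    return urlunsplit(parts._replace(netloc=netloc)), True


if __name__ == "__main__":
    # Constructed sample: hex first octet, decimal for the remaining 24 bits.
    for sample in ("http://0xC0.522/x/sample.vbs", "http://3221225994/x", "http://example.com/a"):
        print(sample, "->", normalize_url_host(sample))
```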

  28. The Windows #shortcut pointed to a #PowerShell command. Obviously, because that's totally normal, right? 🙄

    But the shortcut had been modified so that the Target field in its Properties sheet appeared blank.

    Apparently there's a little bug in Windows. Microsoft already knows about it, because it was revealed in a blog post by researcher @[email protected] a year ago. If you mess around with a shortcut and prepend a big chunk of "space" characters, the Target field still works but the command will be hidden from the end user.

    x86matthew.com/view_post?id=em

    The threat actor used this exact technique.

    The command executed by the Windows shortcut is a PowerShell "Invoke-WebRequest" download of a VBS.

    #GuLoader #Remcos #maltax #malware

    5/

  29. We did get a copy of the original Zip archive from the #MDR investigation. The attacker (or the cloud provider) had already pulled down the file by the time we got to it but the customer still had a copy. We then began looking for similar files on OSINT sources and found a bunch more.

    The Zip files contained two files, each. One is a Windows #shortcut file, and the other was a benign file.

    The benign file was an MP3 recording of a live music performance - a file that sounds like someone playing an oud, the stringed instrument similar to a lute used widely in the Middle East. (If any musical aficionados can confirm the instrument or identify the song, reach out to @threatresearch and let him know.)

    We've uploaded the recording here: sndup.net/dh43

    But although the file was legitimately an MP3, you can see they were named with the wrong file suffix. If you double-click the benign file, Windows says it can't open it. So it encourages the recipient to double-click the other icon, the one that looks like it's supposed to be a PDF document.

    It wasn't a PDF document.

    #GuLoader #Remcos #maltax

    4/

  30. In the case of this infection, the attacker didn't send anything malicious until the person they contacted replied to this benign "introduction"/solicitation email. It was smart because it kept them off the radar for our #spam traps.

    The link pointed to a file hosted in a large cloud storage provider. The file was a password-protected Zip archive, and all the archives we came across used the same password: Fresh@123

    The Zip's contents were pretty weird, and then it got weirder.

    #GuLoader #Remcos #maltax

    3/

  31. @SophosXOps First found out about the campaign when one of the affected companies reached out to us about alerts they were seeing on their dashboard. The #Sophos #MDR team began to investigate, found the #malware immediately, collected evidence, and removed it. It would have been a fairly boring, mundane story of #malware cleanup but then we found out about the way the target was initially infected.

    The threat actor sent a moderately generic, entirely benign email to the tax preparation firm asking them if they're taking on new clients. There was no malicious attachment or link, just a conversational, chatty email from the kind of person who might, actually, be a prospective client to a tax preparer.

    #GuLoader #Remcos #maltax

    2/

  32. Hey everybody, it's @threatresearch taking control of the Sophos X-Ops Mastodon feed with an update about the #research I've been working on for several weeks with my Labs and #MDR colleagues, just published this morning.

    In February, a #tax #accounting firm reached out to us about a strange email exchange they had (and the aftermath), and the more we started digging, the more we found.

    The big takeaway is that an unknown threat actor group appears to have been targeting the kinds of small- to medium-sized businesses that perform tax preparation services in the United States with a social engineering method that kept their activities under the radar...until it delivered #malware to those targets. The campaign seemed to start in late January and has ramped up significantly in the past few weeks. There are thousands of CPA and accounting businesses in the US and this is their busiest time of the year, and they handle a lot of financially sensitive documents.

    The delivery method was a type of malware called #GuLoader, and the payload was a commodity #RAT malware called #remcos

    A short thread begins here:

    news.sophos.com/en-us/2023/04/
