ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Report
Search
Home > List all groups > List all tools > List all groups using tool GuLoader

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Tool: GuLoader

NamesGuLoader
vbdropper
CloudEyE
CategoryMalware
TypeLoader
Description(Proofpoint) Proofpoint researchers have observed a new downloader in the wild that we and other researchers are calling “GuLoader.” Our researchers first observed GuLoader in late December 2019 being used to deliver Parallax RAT, which itself had recently been released. While we regularly observe new loaders, GuLoader has gained popularity quickly and is in active use by multiple threat actors. GuLoader is a downloader, written partly in VB6, which typically stores its encrypted payloads on Google Drive or Microsoft OneDrive (underscoring that threat actors continue to adopt the cloud just like legitimate businesses are).

GuLoader is a portable executable (PE) file that is often observed embedded in a container file such as an .iso or .rar file. We have also observed it being downloaded directly from various cloud hosting platforms. GuLoader is used predominantly to download remote access Trojans (RATs) and information stealers such as Agent Tesla/Origin Logger, Formbook, NanoCore RAT, NetWire RC, RemcosRAT, Ave Maria/Warzone RAT and Parallax RAT.
Information<https://www.proofpoint.com/us/threat-insight/post/guloader-popular-new-vb6-downloader-abuses-cloud-services>
<https://blog.malwarebytes.com/threat-analysis/2020/07/malspam-campaign-caught-using-guloader-after-service-relaunch/>
<https://www.deepinstinct.com/blog/-down-loaded-by-guloader-malware>
<https://unit42.paloaltonetworks.com/guloader-variant-anti-analysis/>
<https://www.crowdstrike.com/blog/guloader-dissection-reveals-new-anti-analysis-techniques-and-code-injection-redundancy/>
<https://www.trellix.com/en-us/about/newsroom/stories/research/guloader-the-nsis-vantage-point.html>
<https://www.esentire.com/blog/guloader-targeting-the-financial-sector-using-a-tax-themed-phishing-lure>
<https://www.malwarebytes.com/blog/news/2023/04/guloader-returns-with-a-rotten-shipment>
<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/guloader-campaigns-a-deep-dive-analysis-of-a-highly-evasive-shellcode-based-loader/>
<https://blog.morphisec.com/guloader-campaign-targets-law-firms-in-the-us>
<https://asec.ahnlab.com/en/55978/>
<https://www.elastic.co/security-labs/getting-gooey-with-guloader-downloader>
<https://unit42.paloaltonetworks.com/malware-configuration-extraction-techniques-guloader-redline-stealer/>
<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/guloader-unmasked-decrypting-the-threat-of-malicious-svg-files/>
MITRE ATT&CK<https://attack.mitre.org/software/S0561/>
Malpedia<https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye>
<https://malpedia.caad.fkie.fraunhofer.de/details/win.guloader>
AlienVault OTX<https://otx.alienvault.com/browse/pulses?q=tag:guloader>

Last change to this tool card: 07 March 2024

Download this tool card in JSON format

All groups using tool GuLoader

ChangedNameCountryObserved

APT groups

 DarkCasino[Unknown]2021 
 RATicate[Unknown]2019 

2 groups listed (2 APT, 0 other, 0 unknown)

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]