Names | GuLoader | |
Category | Malware | |
Type | Loader | |
Description | (Proofpoint) Proofpoint researchers have observed a new downloader in the wild that we and other researchers are calling “GuLoader.” Our researchers first observed GuLoader in late December 2019 being used to deliver Parallax RAT, which itself had recently been released. While we regularly observe new loaders, GuLoader has gained popularity quickly and is in active use by multiple threat actors. GuLoader is a downloader, written partly in VB6, which typically stores its encrypted payloads on Google Drive or Microsoft OneDrive (underscoring that threat actors continue to adopt the cloud just like legitimate businesses are). GuLoader is a portable executable (PE) file that is often observed embedded in a container file such as an .iso or .rar file. We have also observed it being downloaded directly from various cloud hosting platforms. GuLoader is used predominantly to download remote access Trojans (RATs) and information stealers such as Agent Tesla/Origin Logger, Formbook, NanoCore RAT, NetWire RC, RemcosRAT, Ave Maria/Warzone RAT and Parallax RAT. | |
Information | <https://www.proofpoint.com/us/threat-insight/post/guloader-popular-new-vb6-downloader-abuses-cloud-services> <https://blog.malwarebytes.com/threat-analysis/2020/07/malspam-campaign-caught-using-guloader-after-service-relaunch/> | |
AlienVault OTX | <https://otx.alienvault.com/browse/pulses?q=tag:guloader> |
Last change to this tool card: 31 July 2020
Download this tool card in JSON format
Previous: gsecdump
Next: GUP Proxy Tool
Changed | Name | Country | Observed | ||
APT groups | |||||
RATicate | [Unknown] | 2019 |
1 group listed (1 APT, 0 other, 0 unknown)
Thailand Computer Emergency Response Team (ThaiCERT) Follow us on![]() ![]() |
Report incidents |
|
![]() |
+66 (0)2-123-1234 | |
![]() |
report@thaicert.or.th | |
![]() |
Download PGP key |