GuLoader has been one of the most widely used downloaders for RATs and stealers since 2019, and it remains active. Recent Zscaler ThreatLabz analysis details its heavy use of polymorphic code and of legitimate cloud storage for payload hosting to get past defenses, and a SonicWall report covers additional exception-based tricks in newer variants distributed through malspam.
Exceptions and Polymorphic Code

GuLoader builds important values such as addresses and sizes at run time from chains of mov, xor, add and sub instructions rather than embedding them as immediates, so there are no fixed constants for signature scanners to match. It also avoids direct jumps: control flow is driven by deliberately triggered CPU exceptions. The loader first registers a Vectored Exception Handler (VEH) with RtlAddVectoredExceptionHandler.
The code that follows then raises faults on purpose (breakpoints, invalid memory accesses and so on). The handler receives an EXCEPTION_POINTERS structure: ContextRecord holds the register state, including EIP, and ExceptionRecord holds the exception code and the faulting address.
The handler checks for debugger indicators, computes the jump offset (typically by XORing a byte located two bytes past the faulting instruction with a key), patches EIP in the ContextRecord, and returns EXCEPTION_CONTINUE_EXECUTION so the thread resumes at the new address.

Figure: how GuLoader dynamically creates constant values at run time (Source: Zscaler).

The exception type used to reach the handler has changed from version to version:

2022, Breakpoint (0x80000003): raised by int 3 (0xCC). The handler checks the jump target for a 0xCC byte (an early anti-debugging check for software breakpoints), XORs the byte following the int 3 with a fixed key to obtain the offset, and redirects execution.

2023, Single-Step (0x80000004): PUSHFD copies EFLAGS to the stack, the code adds 0x100 to set the Trap Flag (bit 8), and POPFD loads it back; the next instruction then raises a single-step exception, and the handler applies an offset located two bytes past it.

2023, Access Violation (0xC0000005): the code writes to a low address (0x0 or another address below 0x10000). The handler takes the faulting address from the ExceptionInformation array of the ExceptionRecord and XOR-decodes the offset as before.

2024-25, Illegal Instruction (0xC000001D): the code executes an invalid opcode. The XOR key is now dynamic (for example 0x85) and is returned by the breakpoint-check function, and the handler uses a fixed offset (for example 0x23) to reach the encrypted byte.

2024-25, Privileged Instruction (0xC0000096): the same scheme, triggered by executing a ring-0-only instruction in user mode.

Deobfuscation tooling shows the handler being invoked more than 1,100 times in a single sample. Later versions also scan the jump target for 0xCC before redirecting, to detect software breakpoints placed by a debugger.
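The following toy emulator is an added example written for this page; it is not GuLoader code and not from the Zscaler or SonicWall reports. It models the two mechanisms described above in one place: constants built from mov/xor/add/sub chains (using the real one-byte x86 encodings for AL arithmetic), and a "VEH" that turns a deliberate fault into a jump by decrypting an offset byte, with the 0xCC check on the target that later versions perform. Assumptions for the model: the encrypted offset byte sits one byte after an int 3 (2022 style) and two bytes after a single-step trigger (2023 style, with ICEBP 0xF1 standing in for the PUSHFD/POPFD trap-flag sequence), the decoded offset is relative to the faulting address, and the key value 0x85 is the one quoted above. The shellcode bytes are constructed for the demo.

```python
# Added example: toy CPU plus "vectored exception handler" modelling
# GuLoader-style exception-driven control flow.  Not the malware's code.

STATUS_BREAKPOINT  = 0x80000003   # raised by int 3 (0xCC)
STATUS_SINGLE_STEP = 0x80000004   # raised by a trap-flag single step (ICEBP 0xF1 here)

# Trigger opcode -> (NTSTATUS code, distance from the faulting instruction to
# the encrypted offset byte).  Assumed: +1 for the 2022 breakpoint style,
# +2 for the 2023 single-step style.
TRIGGERS = {
    0xCC: (STATUS_BREAKPOINT, 1),
    0xF1: (STATUS_SINGLE_STEP, 2),
}

KEY = 0x85   # example XOR key from the text; real samples vary


class DebuggerDetected(Exception):
    """Jump target already holds 0xCC: a software breakpoint was planted."""


def veh_next_eip(code: bytes, fault_eip: int, key: int) -> int:
    """Model of the handler: decrypt the offset byte and return the new EIP.

    A real VEH reads the faulting address from ExceptionRecord and patches
    ContextRecord->Eip; here the address is passed in and the target returned.
    """
    exc_code, dist = TRIGGERS[code[fault_eip]]
    offset = code[fault_eip + dist] ^ key        # decrypt the jump offset
    target = fault_eip + offset                  # assumed: relative to fault address
    if code[target] == 0xCC:                     # anti-debug check before redirect
        raise DebuggerDetected(f"0xCC at {target:#x} (exception {exc_code:#x})")
    return target


def emulate(code: bytes, key: int, max_steps: int = 10_000):
    """Run the toy CPU; return (AL, number of exceptions handled)."""
    eip, al, exceptions = 0, 0, 0
    for _ in range(max_steps):
        op = code[eip]
        if op == 0x90:                                   # nop
            eip += 1
        elif op == 0xB0:                                 # mov al, imm8
            al = code[eip + 1]; eip += 2
        elif op == 0x34:                                 # xor al, imm8
            al ^= code[eip + 1]; eip += 2
        elif op == 0x04:                                 # add al, imm8
            al = (al + code[eip + 1]) & 0xFF; eip += 2
        elif op == 0x2C:                                 # sub al, imm8
            al = (al - code[eip + 1]) & 0xFF; eip += 2
        elif op == 0xC3:                                 # ret: constant is in AL
            return al, exceptions
        elif op in TRIGGERS:                             # fault -> handler picks next EIP
            exceptions += 1
            eip = veh_next_eip(code, eip, key)
        else:
            raise ValueError(f"unexpected opcode {op:#04x} at {eip:#x}")
    raise RuntimeError("step limit reached")


def build_sample(key: int = KEY) -> bytes:
    """Constructed shellcode: builds 0x3C in AL and hops over decoy bytes twice."""
    code = bytearray()
    code += b"\xB0\x12"                    # 0x00: mov al, 0x12
    code += b"\x34\x5A"                    # 0x02: xor al, 0x5A   -> AL = 0x48
    code += b"\xCC"                        # 0x04: int 3, handler jumps to 0x0C
    code += bytes([(0x0C - 0x04) ^ key])   # 0x05: encrypted offset (+1 from int 3)
    code += b"\x2C\x48\x34\xFF\x90\x90"    # 0x06: decoy bytes, never executed
    code += b"\x04\x10"                    # 0x0C: add al, 0x10   -> AL = 0x58
    code += b"\xF1"                        # 0x0E: ICEBP (single step), jumps to 0x16
    code += b"\x90"                        # 0x0F: filler
    code += bytes([(0x16 - 0x0E) ^ key])   # 0x10: encrypted offset (+2 from trigger)
    code += b"\x34\x58\x90\x90\x90"        # 0x11: decoy bytes (would zero AL)
    code += b"\x2C\x1C"                    # 0x16: sub al, 0x1C   -> AL = 0x3C
    code += b"\xC3"                        # 0x18: ret
    return bytes(code)


def breakpoint_detected(addr: int, key: int = KEY) -> bool:
    """Simulate a debugger planting int 3 at `addr`; True if the handler spots it."""
    patched = bytearray(build_sample(key))
    patched[addr] = 0xCC
    try:
        emulate(bytes(patched), key)
    except DebuggerDetected:
        return True
    return False


if __name__ == "__main__":
    print(emulate(build_sample(), KEY))          # (0x3C, 2): constant built, two faults
    print(breakpoint_detected(0x0C), breakpoint_detected(0x06))   # True False
```

Note what a linear disassembler sees: after the int 3 at 0x04 it decodes the encrypted byte 0x8D and the decoy bytes as instructions, and never finds the add at 0x0C. Running the same bytes with the wrong key sends the handler to an out-of-range target, which is why the key and the handler's offset arithmetic must be recovered (or the code emulated) before the flow can be flattened.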
Figure: an int 3 instruction used to raise a software interrupt in a 2022 GuLoader sample (Source: Zscaler).

API and process names are never stored in clear text. GuLoader computes DJB2 hashes at run time, walks the relevant list (exports of a module, or running process names), compares each hash against the stored value after XORing with a DWORD constant, and so leaves no fixed signatures for static scanners. Strings are likewise XOR-encrypted.
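An added example (not the malware's code, and not from the Zscaler or SonicWall reports) of the hashing scheme just described: DJB2 over a name, with the stored value masked by a DWORD XOR constant, and the reverse lookup an analyst builds to label the resolved imports and the process blocklist. The constant, the export lists and the process names are constructed for the demo; real samples use their own constant.

```python
# Added example: DJB2 API/process-name hashing with a XORed DWORD constant.

DJB2_SEED = 5381
XOR_CONST = 0x3C4A1F57      # assumed DWORD constant for the demo; real samples vary


def djb2(name: bytes) -> int:
    """Classic DJB2: h = h * 33 + c, truncated to 32 bits."""
    h = DJB2_SEED
    for c in name:
        h = (h * 33 + c) & 0xFFFFFFFF
    return h


def obfuscated_hash(name: bytes, const: int = XOR_CONST) -> int:
    """Value as it would be embedded in the shellcode: hash XOR constant."""
    return djb2(name) ^ const


def resolve(stored: int, candidates, const: int = XOR_CONST):
    """Mimic the loader: hash each candidate (module export or process name)
    and return the one whose hash matches the stored value after XOR."""
    wanted = stored ^ const
    for name in candidates:
        if djb2(name) == wanted:
            return name
    return None


def build_lookup(names, const: int = XOR_CONST) -> dict:
    """Analyst-side table (what an IDA script would carry): stored DWORD -> name."""
    return {obfuscated_hash(n, const): n for n in names}


# Constructed export tables and process blocklist for the demo.
KERNEL32_EXPORTS = [b"CreateFileW", b"VirtualAlloc", b"VirtualProtect",
                    b"LoadLibraryA", b"GetProcAddress", b"ExitProcess"]
NTDLL_EXPORTS = [b"NtAllocateVirtualMemory", b"NtProtectVirtualMemory",
                 b"RtlAddVectoredExceptionHandler"]
ANALYSIS_TOOLS = [b"x32dbg.exe", b"ollydbg.exe", b"procmon.exe", b"wireshark.exe"]


def label_hashes(stored_values, const: int = XOR_CONST):
    """Annotate a list of DWORDs pulled from a sample; None where unknown."""
    table = build_lookup(KERNEL32_EXPORTS + NTDLL_EXPORTS + ANALYSIS_TOOLS, const)
    return [table.get(v) for v in stored_values]


if __name__ == "__main__":
    sample = [obfuscated_hash(b"VirtualAlloc"), obfuscated_hash(b"x32dbg.exe"), 0xDEADBEEF]
    print(label_hashes(sample))   # [b'VirtualAlloc', b'x32dbg.exe', None]
```

When building the lookup for a real sample, feed it the full export lists of every module the sample can reach (kernel32, ntdll, user32 and so on) and a broad list of analysis-tool process names; a 32-bit DJB2 value is not unique across the combined name space, so keep the module context when two names collide.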
2022 samples: encrypted strings are stored statically in the shellcode. The caller pushes the address of the encrypted string and an ASCII flag (0 or 1), computes the size through a constant chain such as ((0x34BB49B7 - 0x6774883) ^ 0x34EC7B91) - 0x1AA87A69 = 0x3C, pushes the address of the key, and calls simple_xor_bufs. The first DWORD of the key buffer holds the length, and each string has its own XOR key.
2023 and later samples: the string or its key is built on the stack by a polymorphic sequence of mov, xor, add and sub operations on constants before the XOR. Emulation is the most practical way to recover these strings; Zscaler's IDA scripts, published on GitHub, flatten the control flow and extract the strings and constants.
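An added example (not GuLoader's own routine, and not from the Zscaler or SonicWall reports) that models the 2022-style string decryption and the later payload decryption in one script: the size constant is evaluated from the exact chain quoted above, a simple_xor_bufs stand-in decrypts a constructed string with a per-string key, and the same repeating-key XOR is then applied to a constructed payload blob with a sanity check on the result. Assumptions: the key buffer is laid out as a DWORD length followed by the key bytes, the ASCII flag selects ASCII (1) versus UTF-16LE (0) output, and the sample URL, key and payload bytes are constructed for the demo.

```python
# Added example: constant-chain evaluation plus GuLoader-style XOR decryption.
import struct

MASK32 = 0xFFFFFFFF


def build_constant(start: int, ops) -> int:
    """Evaluate a mov/xor/add/sub chain on a 32-bit register."""
    val = start & MASK32
    for op, imm in ops:
        if op == "mov":
            val = imm & MASK32
        elif op == "xor":
            val ^= imm
        elif op == "add":
            val = (val + imm) & MASK32
        elif op == "sub":
            val = (val - imm) & MASK32
        else:
            raise ValueError(f"unsupported op {op}")
    return val


# The size chain quoted in the text: ((0x34BB49B7 - 0x6774883) ^ 0x34EC7B91) - 0x1AA87A69
SIZE_CHAIN = (0x34BB49B7, [("sub", 0x6774883), ("xor", 0x34EC7B91), ("sub", 0x1AA87A69)])


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the primitive used for both strings and the payload."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def simple_xor_bufs(enc: bytes, keybuf: bytes, ascii_flag: int, size: int) -> str:
    """Stand-in for the 2022 routine.  `size` is the value from the constant
    chain; keybuf = DWORD length + key bytes (assumed layout).  The stored
    length must agree with the computed size, which catches a wrong constant
    or a key buffer paired with the wrong string."""
    stored_len = struct.unpack_from("<I", keybuf, 0)[0]
    if stored_len != size or size > len(enc):
        raise ValueError("length mismatch: wrong constant or wrong key buffer")
    plain = xor_with_key(enc[:size], keybuf[4:])
    return plain.decode("ascii") if ascii_flag else plain.decode("utf-16-le")


def make_encrypted(plain: str, key: bytes, ascii_flag: int):
    """Constructed test data in the assumed layout (inverse of simple_xor_bufs)."""
    raw = plain.encode("ascii") if ascii_flag else plain.encode("utf-16-le")
    return xor_with_key(raw, key), struct.pack("<I", len(raw)) + key


def decrypt_payload(blob: bytes, key: bytes) -> bytes:
    """Later stage: XOR the downloaded blob with the large decrypted key.
    A correct key yields a PE, so the result must start with 'MZ'."""
    out = xor_with_key(blob, key)
    if out[:2] != b"MZ":
        raise ValueError("decrypted payload is not a PE: wrong key?")
    return out


# Constructed sample data: a 60-byte (0x3C) URL, matching the size chain.
SAMPLE_URL = "https://drive.example.invalid/uc?export=download&id=1AbCdEf2"
SAMPLE_KEY = bytes.fromhex("7a3c91e4050f66b2")


def decrypt_sample() -> str:
    enc, keybuf = make_encrypted(SAMPLE_URL, SAMPLE_KEY, ascii_flag=1)
    size = build_constant(*SIZE_CHAIN)
    return simple_xor_bufs(enc, keybuf, 1, size)


if __name__ == "__main__":
    print(hex(build_constant(*SIZE_CHAIN)))   # 0x3c
    print(decrypt_sample())                   # the sample URL
```

For the 2023 and later samples the same functions apply once the constant chain that builds the key has been recovered; in practice that means running the polymorphic sequence in an emulator rather than pattern-matching it, because the instruction mix and the intermediate constants change from sample to sample.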
Figure: GuLoader's exception handler in 2022 samples (Source: Zscaler).

Cloud Delivery and Payload Chain

GuLoader spreads through malspam, typically as RAR archives containing NSIS installers. The NSIS script unpacks a DLL and layered shellcode (the NSIS plugin System.dll, which exports "Call", is one example). Layer 1 is the NSIS script itself: through System.dll's Call it allocates memory, copies the Layer 2 shellcode out of a dropped file (named Hangarer in one sample), and executes it indirectly by passing it as lpPrevWndFunc to CallWindowProcW, with the entry point at offset 0x409. At offset 0x1C9, Layer 2 decrypts Layer 3, the main GuLoader shellcode, and jumps into it.
Figure: GuLoader's exception handler in 2023 samples (Source: Zscaler).

The main stage decrypts a large binary string (more than 0x300B bytes) and uses it as the XOR key for the payload it downloads from the C2 URL, which is itself stored as an encrypted string. The URLs frequently point at Google Drive and OneDrive, which evades URL reputation checks. The decrypted payloads are stealers (AgentTesla, RedLine, Azorult) and RATs (Remcos).
In the sample SonicWall analysed, the final payload was Azorult (SHA-256 d5af42b118d0597c6b71831f2b2ebc8294eca907481d53939563fce7c0f14767), fetched from hxxp://lena[.]utf[.]by/…/kdRrHFMqRUIujuOy126[.]bin. Anti-VM, anti-debug and anti-emulation measures include indirect calls, stack strings, checks for hooked APIs, junk code and decoy instructions. Phishing lures such as fake HR documents continue to be observed into 2026. Zscaler's multilayered protection and sandbox detect the loader as Win32.Downloader.GuLoader.
ThreatLabz IOCs (SHA-256, sample version):

90de01c5ff417f23d7327aed517ff7f285e02dfe5dad475d7f13aced410f1b95  2022
274329db2d871d43eed704af632101c6939227d36f4a04229e14603f72be9303  2022
4be24d314fc9b2c9f8dbae1c185e2214db0522dcc480ba140657b635745e997b  2023
0bcc5819a83a3ad0257a4fe232e7727d2f3d04e6f74c6d0b9e4dfe387af58067  2023
7fccb9545a51bb6d40e9c78bf9bc51dc2d2a78a27b81bf1c077eaf405cbba6e9  2024
53bad49e755725c8d041dfaa326e705a221cd9ac3ec99292e441decd719b501d  2024