Since its inception, GuLoader, also referred to as CloudEyE, has cemented its status as a recurring threat in the cybersecurity environment. It is primarily a sophisticated downloader built to retrieve and run secondary malware payloads, including information stealers such as Vidar and Raccoon Stealer and remote access tooling such as the Remcos Remote Access Trojan (RAT). Because of its sophisticated ability to evade security filters and its extensive use by threat actors looking to breach corporate networks for data theft and surveillance, this malware has attracted a lot of attention.
Usually, a malicious spam email with an archive attachment—such as a ZIP or ISO file—starts the infection process.
These archives hide the initial loader, which usually takes the shape of an NSIS installer or a VBScript posing as a genuine invoice or business document. The script starts a multi-stage attack sequence by downloading encrypted shellcode. That shellcode prepares the victim's system and retrieves the final malicious payload from a remote server, completing the infection chain.
The most recent GuLoader version has adopted complex tactics to avoid detection by contemporary security solutions, according to Zscaler analysts. The researchers observed that the malware now stores its encrypted payloads primarily on reliable cloud hosting services like Microsoft OneDrive and Google Drive.
The attackers circumvent reputation-based blocking mechanisms that would normally flag connections to unknown or malicious domains by using these trustworthy services to make sure that the network traffic produced during the download phase looks authentic. The attackers benefit from this deliberate move to cloud-based infrastructure since it gives them reliable hosting that is hard to block without interfering with crucial business processes. Network-based detection is made more difficult by the payloads' encrypted nature, which prevents content inspection without decryption.
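Because the download hosts are legitimate cloud services and the payload itself is encrypted, a defender cannot lean on domain reputation or content signatures alone. The following is an added example, not code from the article or from Zscaler, showing two complementary checks that still work in that situation: correlating the downloading process with the destination (a script host such as wscript.exe pulling an opaque blob from a cloud storage host) and measuring the entropy of the downloaded bytes once SSL inspection makes them visible. The log lines, host list and process list are constructed for the example and are not indicators from the article.

```python
import math
from collections import Counter

# Constructed sample proxy records (not real telemetry):
# timestamp  process  destination-host  content-type  bytes-received
SAMPLE_PROXY_LOG = """\
2024-01-01T10:00:01 chrome.exe   drive.google.com  text/html                 14233
2024-01-01T10:00:07 wscript.exe  onedrive.live.com application/octet-stream 221184
2024-01-01T10:00:09 outlook.exe  onedrive.live.com application/octet-stream  88344
2024-01-01T10:00:15 cscript.exe  drive.google.com  application/octet-stream 196608
2024-01-01T10:00:20 wscript.exe  drive.google.com  text/html                   2310
"""

# Hosts and processes below are this example's own assumptions, not indicators from the article.
CLOUD_STORAGE_HOSTS = {"onedrive.live.com", "1drv.ms", "drive.google.com", "docs.google.com"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}


def parse_proxy_log(text):
    """Parse the whitespace-separated sample format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proc, host, ctype, size = line.split()
        records.append({"ts": ts, "process": proc.lower(), "host": host.lower(),
                        "content_type": ctype.lower(), "bytes": int(size)})
    return records


def flag_cloud_downloads(records, min_bytes=64 * 1024):
    """A script-host process fetching a sizeable opaque blob from a cloud storage host.

    A browser or mail client hitting the same host is normal traffic and is not flagged;
    the signal is the combination of initiating process, destination and content type.
    """
    return [r for r in records
            if r["process"] in SCRIPT_HOSTS
            and r["host"] in CLOUD_STORAGE_HOSTS
            and r["content_type"] == "application/octet-stream"
            and r["bytes"] >= min_bytes]


def shannon_entropy(data):
    """Bits per byte: encrypted or compressed data approaches 8.0, structured files sit well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data, threshold=7.5):
    """Heuristic used only after SSL inspection has exposed the downloaded bytes."""
    return shannon_entropy(data) >= threshold


if __name__ == "__main__":
    for hit in flag_cloud_downloads(parse_proxy_log(SAMPLE_PROXY_LOG)):
        print("suspicious cloud download:", hit["process"], "->", hit["host"], hit["bytes"], "bytes")
    # Constructed blobs: a high-entropy one and a zero-padded PE-looking one.
    print("random-looking blob encrypted?", looks_encrypted(bytes(range(256)) * 4))
    print("zero-padded blob encrypted?", looks_encrypted(b"MZ" + b"\x00" * 200))
```

The entropy threshold is a tuning knob: legitimate compressed archives also score high, so in practice the entropy check is paired with the process-and-destination correlation rather than used on its own.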
For defenders who depend solely on domain reputation and traffic analysis to safeguard their environments, the combination of trusted hosting and encryption poses a significant challenge.

Polymorphic Code Evasion

GuLoader's use of polymorphic code to counteract static analysis and signature-based detection is a crucial development in its toolkit.
[Figure: a GuLoader function using polymorphic code (Source: Zscaler)]

The malware uses a sophisticated set of randomized arithmetic operations to generate these values dynamically at runtime rather than embedding static constants.

[Figure: GuLoader's dynamic construction of constant values during execution (Source: Zscaler)]

Here, the code structure is altered with each build by combining instructions such as XOR, ADD, and SUB to compute the required data on the fly. Traditional antivirus signatures are essentially rendered obsolete by this polymorphism.
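The practical consequence for an analyst is that a byte-pattern signature over the arithmetic sequence is brittle, while the value the sequence computes is stable. The following is an added example, not code from the article or from Zscaler, that evaluates a single-register chain of mov/add/sub/xor/not/rol/ror instructions with 32-bit wraparound and recovers the final constant. The three listings are constructed so that they look nothing alike yet resolve to the same value, which is the property a value-based detection or a deobfuscation script relies on; the listing format and the mnemonic set are this example's assumptions.

```python
import re

MASK32 = 0xFFFFFFFF


def rol32(v, n):
    n &= 31
    return ((v << n) | (v >> (32 - n))) & MASK32


def ror32(v, n):
    n &= 31
    return ((v >> n) | (v << (32 - n))) & MASK32


# One instruction per line, one working register, optional ';' comment. Assumed format.
_LINE = re.compile(
    r"^\s*(mov|add|sub|xor|not|rol|ror)\s+\w+(?:\s*,\s*(0x[0-9a-fA-F]+|\d+))?\s*$", re.I)


def parse_listing(text):
    """Turn a single-register disassembly listing into [(mnemonic, operand_or_None), ...]."""
    ops = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unsupported instruction form: {raw!r}")
        mnemonic, operand = m.group(1).lower(), m.group(2)
        ops.append((mnemonic, int(operand, 0) if operand is not None else None))
    return ops


def resolve_constant(ops):
    """Replay the chain on a 32-bit register and return the value it produces."""
    reg = 0
    for mnemonic, operand in ops:
        if mnemonic == "mov":
            reg = operand & MASK32
        elif mnemonic == "add":
            reg = (reg + operand) & MASK32
        elif mnemonic == "sub":
            reg = (reg - operand) & MASK32
        elif mnemonic == "xor":
            reg = (reg ^ operand) & MASK32
        elif mnemonic == "not":
            reg = (~reg) & MASK32
        elif mnemonic == "rol":
            reg = rol32(reg, operand)
        elif mnemonic == "ror":
            reg = ror32(reg, operand)
        else:
            raise ValueError(f"unsupported mnemonic: {mnemonic}")
    return reg


# Constructed listings: different bytes, same computed constant.
LISTING_A = """
mov eax, 0x12345678
xor eax, 0xCC99E897
"""
LISTING_B = """
mov eax, 0xFFFFFFFF
sub eax, 0x11111111   ; 0xEEEEEEEE
add eax, 0x10000001   ; 0xFEEEEEEF
xor eax, 0x20435000
"""
LISTING_C = """
mov eax, 0xEADBEEFD
ror eax, 4
"""


def recover_constants(listings):
    """Map each listing name to the constant it computes."""
    return {name: resolve_constant(parse_listing(text)) for name, text in listings.items()}


if __name__ == "__main__":
    for name, value in recover_constants({"A": LISTING_A, "B": LISTING_B, "C": LISTING_C}).items():
        print(f"listing {name} resolves to 0x{value:08X}")
```

A detection that keys on the recovered value (or on the decrypted data it unlocks) survives re-randomisation of the arithmetic, whereas a signature on the instruction bytes has to be rewritten for every new build.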
The malware also uses a wide range of anti-analysis techniques, such as using vector exception handlers to thwart debugging attempts and scanning process memory for virtualization artifacts to identify sandboxes.
[Figure: an int 3 instruction used to raise a software interrupt in the 2022 version of GuLoader (Source: Zscaler)]

To block malicious attachments and limit the execution of VBScript and NSIS files, organizations should put thorough email filtering in place. Enabling SSL inspection makes it possible to identify malicious content in encrypted traffic to cloud services.
Implementing behavior-based endpoint detection and response (EDR) solutions can also help detect and stop the malware's unusual activity during the execution phase.
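The email-filtering recommendation above is easiest to reason about with a concrete screening routine. The following is an added example, not code from the article or from any mail gateway product, that unpacks a ZIP attachment in memory and labels members that match the delivery pattern described: VBScript and other script types, executables, decoy double extensions such as invoice.pdf.vbs, and PE files carrying the "NullsoftInst" magic string that NSIS-built installers place in their header. ISO and other container formats are flagged as a whole rather than parsed, nesting depth and member size are capped, and password-protected members are reported instead of silently skipped. The extension lists, limits and sample archive are this example's assumptions and constructed data.

```python
import io
import zipfile

# Extension lists and limits are this example's own assumptions, not a vendor policy.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".bat", ".cmd"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".lnk"}
OTHER_CONTAINER_EXTS = {".iso", ".img", ".7z", ".rar"}  # not parsed here; flagged whole
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}
NSIS_MARKER = b"NullsoftInst"  # magic string in the NSIS installer first-header


def _extensions(path):
    """Every extension of the last path component, lowercased, e.g. ['.pdf', '.vbs']."""
    base = path.lower().rsplit("/", 1)[-1]
    return ["." + p for p in base.split(".")[1:] if p]


def classify_member(path, data):
    """Label a single non-archive file by its name and leading content."""
    exts = _extensions(path)
    labels = []
    if not exts:
        return labels
    last = exts[-1]
    if last in SCRIPT_EXTS:
        labels.append("script")
    if last in EXEC_EXTS:
        labels.append("executable")
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS and last in SCRIPT_EXTS | EXEC_EXTS:
        labels.append("double-extension")
    if data[:2] == b"MZ" and NSIS_MARKER in data:
        labels.append("nsis-installer")
    return labels


def scan_attachment(path, data, depth=0, max_depth=2, max_members=200,
                    max_member_bytes=50 * 1024 * 1024):
    """Walk an attachment, recursing into ZIPs, and return [(path, [labels]), ...]."""
    findings = []
    exts = _extensions(path)
    last = exts[-1] if exts else ""
    if last in OTHER_CONTAINER_EXTS:
        return [(path, ["container:" + last[1:]])]
    if last == ".zip" or data[:4] == b"PK\x03\x04":
        if depth >= max_depth:
            return [(path, ["nested-archive-too-deep"])]
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist()[:max_members]:
                    member_path = f"{path}/{info.filename}"
                    if info.is_dir():
                        continue
                    if info.file_size > max_member_bytes:
                        findings.append((member_path, ["oversized-member"]))
                        continue
                    try:
                        inner = zf.read(info)
                    except RuntimeError:  # password-protected member
                        findings.append((member_path, ["encrypted-member"]))
                        continue
                    findings.extend(scan_attachment(member_path, inner, depth + 1,
                                                    max_depth, max_members, max_member_bytes))
        except zipfile.BadZipFile:
            findings.append((path, ["corrupt-archive"]))
        return findings
    labels = classify_member(path, data)
    if labels:
        findings.append((path, labels))
    return findings


def should_quarantine(findings):
    """Policy hook: any finding at all holds the message for review."""
    return len(findings) > 0


def build_sample_attachment():
    """Constructed sample: a decoy-named VBScript, a stub tagged like an NSIS installer, a benign text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2024.pdf.vbs", "' constructed placeholder text, not a real script\n")
        zf.writestr("setup.exe", b"MZ" + b"\x00" * 64 + b"\xef\xbe\xad\xde" + NSIS_MARKER)
        zf.writestr("readme.txt", "plain text, nothing to flag\n")
    return "Invoice_2024.zip", buf.getvalue()


if __name__ == "__main__":
    name, blob = build_sample_attachment()
    results = scan_attachment(name, blob)
    for member, labels in results:
        print(member, labels)
    print("quarantine:", should_quarantine(results))
```

The scanner deliberately reports, rather than ignores, the cases it cannot inspect (encrypted members, unsupported containers such as ISO, archives nested past the limit), since those are exactly the forms an attachment takes when it is trying to get past content checks.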