Check Point researchers expose a dual-use ecosystem where GuLoader and Remcos are marketed as legitimate tools, with GuLoader acting as a crypter to help Remcos evade antivirus and deliver payloads. The investigation ties BreakingSecurity and VgoStore to TheProtect, identifies EMINэM as the operator behind the platforms, and reveals extensive monetization and infrastructure used to distribute malware such as Formbook and Amadey Loader. #GuLoader #Remcos #CloudEyE #TheProtect #BreakingSecurity #VgoStore #EMINэM #Formbook #Amadey
Keypoints
- GuLoader is marketed as a crypter that can render Remcos payloads fully undetectable, enabling Remcos to bypass antivirus defenses.
- Remcos is a feature-rich RAT with capabilities beyond typical remote administration, including MITM functions, password theft, browser history tracking, cookie theft, keylogging, and webcam control.
- The BreakingSecurity and VgoStore ecosystems, led by the operator EMINэM, distribute Remcos, GuLoader under TheProtect, and related tools, with ties to Telegram groups and official websites.
- TheProtect offers two protection services (Private Protect and Script Protect) and is demonstrated via videos showing VBScript- or NSIS-based wrappers; the VBScript variant embeds PowerShell with obfuscation.
- Attacks leverage LNK files disguised as PDF documents to lure users into executing payloads, and multi-stage loading via LNK, VBS, and PowerShell to deliver Remcos/GuLoader.
- A wide set of IOCs (IPs, domains, hashes, and URLs) reveals the infrastructure behind the BreakingSecurity/VgoStore operations and the distributed malware chain, including Formbook and Amadey components.
MITRE Techniques
- [T1566.001] Phishing – LNK file disguised as a PDF to lure the user into execution. ‘an attack using an LNK file disguised as a PDF.’
- [T1027.002] Obfuscated/Encoded Files and Information – TheLoader uses multi-layer obfuscation and BASE64-encoded data stored in the registry. ‘BASE64-encoded encrypted data stored in the registry.’
- [T1059.001] PowerShell – PowerShell commands/scripts are involved in the delivery chain. ‘powershell.exe process’ and ‘PowerShell scripts with two layers of obfuscation.’
- [T1059.005] Visual Basic (VBScript) – The VBScript contains a PowerShell script and obfuscated payloads used to load GuLoader/Remcos. ‘The VBScript contains a PowerShell script with two layers of obfuscation.’
- [T1105] Ingress Tool Transfer – The chain downloads the GuLoader/Remcos payloads from remote servers via URLs. ‘URL for downloading the GuLoader payload … final payload.’
- [T1056.001] Keylogging – Remcos includes keylogging and other surveillance capabilities. ‘Remcos includes uncommon functionalities such as … keylogging, and webcam control.’
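The LNK -> VBScript -> obfuscated PowerShell delivery chain described in the keypoints and under T1059.001/T1059.005 leaves a recognisable parent/child process pattern. The script below is an added detection example, not code from the report or from Check Point; it walks constructed Sysmon-style process-creation records (the field names, sample paths and command lines are assumptions for illustration) and flags any process whose ancestry shows two or more stages of that chain.

```python
import re
from collections import namedtuple

# Process-creation record shaped like Sysmon Event ID 1 (pid, ppid, ParentImage, Image, CommandLine)
ProcEvent = namedtuple("ProcEvent", "pid ppid parent image cmdline")
SCRIPT_HOSTS, POWERSHELL = {"wscript.exe", "cscript.exe"}, {"powershell.exe", "pwsh.exe"}
# Launch flags and calls that typically accompany encoded or hidden stage loaders
PS_SUSPICIOUS = re.compile(
    r"(?i)(\s-e(nc|ncodedcommand|c)?\s|-w(indowstyle)?\s+hidden|\s-nop\b|"
    r"frombase64string|-e(p|xecutionpolicy)\s+bypass)")

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def stages_of(ev):
    """Label which stage(s) of the LNK -> VBS -> PowerShell chain one event looks like."""
    parent, image, found = basename(ev.parent), basename(ev.image), []
    if parent == "explorer.exe" and image in SCRIPT_HOSTS:
        found.append("script-host-from-explorer")  # user double-clicked a shortcut or script
    if parent in SCRIPT_HOSTS and image in POWERSHELL:
        found.append("vbs-spawns-powershell")
    if image in POWERSHELL and PS_SUSPICIOUS.search(ev.cmdline):
        found.append("obfuscated-powershell")
    return found

def detect_chain(events, min_stages=2):
    """Return (pid, stages root-first) for each process whose ancestry hits >= min_stages."""
    by_pid = {ev.pid: ev for ev in events}
    hits = []
    for ev in events:
        lineage, cur, seen = [], ev, set()
        while cur is not None and cur.pid not in seen:  # follow ppid links toward the root
            seen.add(cur.pid)
            lineage.append(cur)
            cur = by_pid.get(cur.ppid)
        stages = list(dict.fromkeys(s for e in reversed(lineage) for s in stages_of(e)))
        if len(stages) >= min_stages:
            hits.append((ev.pid, stages))
    return hits

# Constructed sample telemetry: one shortcut -> wscript -> encoded PowerShell chain, one benign admin shell
EXP, WS = r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = [
    ProcEvent(100, 1, r"C:\Windows\System32\winlogon.exe", EXP, "explorer.exe"),
    ProcEvent(200, 100, EXP, WS, r'wscript.exe "C:\Users\victim\Downloads\Invoice.vbs"'),
    ProcEvent(300, 200, WS, PS, "powershell.exe -nop -w hidden -enc QUFBQQ=="),
    ProcEvent(400, 100, EXP, PS, 'powershell.exe -Command "Get-Process"'),
]
CHAIN_HITS = detect_chain(SAMPLE)  # -> [(300, ['script-host-from-explorer', 'vbs-spawns-powershell', 'obfuscated-powershell'])]
```

Only the PowerShell launched from the script host is reported; the admin shell started directly from Explorer with a plain command line produces no stage and is ignored.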
Indicators of Compromise
- [IP Address] – 84.21.172.49:1040; 194.180.48.211; 173.212.217.108; 185.217.1.137; 185.126.237.209
- [Domain] – zab4ever.no-ip.org; vrezvrez.com; tochkaobmena.com; mazancollttyde.business
- [File hash] – 0db693472b4ca6f3ec1effc03d47c288f15ed06b7d4e172f8192047d3e800db1; 7bd663ea34e358050986bde528612039f476f3b315ee169c79359177a8d01e03; 25c45221a9475246e20845430bdd63b513a9a9a73ed447bd7935ff9ecee5a61e; 83df18f8e28f779b19170d2ca707aa3dbcee231736c26f8ba4fbd8768cd26ba6; de11c14925357a978c48c54b3b294d5ab59cffc6efabdae0acd1a17033fe6483; c914dab00f2b1d63c50eb217eeb29bcd5fe20b4e61538b0d9d052ff1b746fd73; 63559daa72c778e9657ca53e2a72deb541cdec3e0d36ecf04d15ddbf3786aea8
- [URL] – hxxp://194[.]180.48.211/ray/BdNnKAT84.bin; hxxp://194[.]180.48.211/zarath/ClgRRi242.bin; hxxp://176.113.115.81/9kdmSxq/index.php; hxxp://38.242.193.23/1.exe; hxxp://194[.]180.48.211/nini/EAbsGhbSQL10.aca; hxxp://194[.]180.48.211/nini/Leekish.vbs
- [URL] – hxxp://mazancollttyde.business:7060 (Remcos C2 via 185.126.237.209)