Technical Analysis of GuLoader Obfuscation Techniques

GuLoader (aka CloudEye) is a heavily obfuscated downloader active since late 2019 that uses polymorphic code and exception-based control-flow tricks to hide constants, strings, and execution flow while delivering secondary payloads. The malware frequently hosts payloads on trusted cloud services to evade reputation-based detection. #GuLoader #GoogleDrive

Keypoints

  • GuLoader (CloudEye) first observed in December 2019 and remains an active downloader for RATs and information stealers.
  • The malware employs polymorphic code to dynamically construct constants and string values at runtime to defeat static analysis and signatures.
  • GuLoader replaces standard control-flow jumps with deliberately triggered CPU exceptions (int 3, single-step, access violations, illegal/privileged instructions) and a custom exception handler to redirect execution.
  • Over successive versions (2022–2024) GuLoader progressively added support for more exception types and more complex offset and XOR-key calculations to further obfuscate jump targets.
  • Strings and payloads are encrypted (simple XOR) and, from 2023 onward, often constructed on the stack via polymorphic operations; payloads are decrypted with binary XOR keys and downloaded from hardcoded URLs.
  • Threat actors commonly host payloads on legitimate cloud services such as Google Drive and OneDrive to bypass reputation-based detections; Zscaler detects GuLoader as Win32.Downloader.GuLoader and provides analysis scripts.
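The exception-based control flow described above can be modelled to show why linear disassembly fails and how an analyst recovers the real jump targets. This is an added illustration, not code from the Zscaler report or its analysis scripts, and it assumes a deliberately simplified encoding: a one-byte XOR key and a signed displacement stored in the byte after each int3 (0xCC); the sample bytes and the key are constructed for the example.

```python
import struct
from typing import Dict, List

KEY = 0x5A  # constructed one-byte XOR key (placeholder, not taken from any sample)

def build_sample() -> bytes:
    """Constructed code blob: three int3-based 'jumps' ending in a ret (0xC3)."""
    buf = bytearray([0xFF] * 0x20)                 # filler that never executes
    buf[0x00] = 0x90; buf[0x01] = 0xCC; buf[0x02] = 0x0D ^ KEY            # -> 0x10
    buf[0x10] = 0x90; buf[0x11] = 0xCC; buf[0x12] = (-11 & 0xFF) ^ KEY    # -> 0x08 (backwards)
    buf[0x08] = 0x90; buf[0x09] = 0xCC; buf[0x0A] = 0x0D ^ KEY            # -> 0x18
    buf[0x18] = 0xC3
    return bytes(buf)

def resolve_int3_target(code: bytes, addr: int, key: int) -> int:
    """Model of the handler: decode the byte following the int3 and apply it to
    the faulting address. A linear disassembler would instead treat that byte
    as the start of the next instruction, which is the obfuscation's purpose."""
    enc = code[addr + 1]
    disp = struct.unpack("b", bytes([enc ^ key]))[0]   # signed 8-bit displacement
    return addr + 2 + disp

def map_exception_jumps(code: bytes, key: int) -> Dict[int, int]:
    """Static pass an analyst can run over a dump: every int3 -> its true target."""
    return {a: resolve_int3_target(code, a, key)
            for a, b in enumerate(code) if b == 0xCC}

def trace(code: bytes, key: int, start: int = 0, limit: int = 100) -> List[int]:
    """Follow the resolved flow from `start`; stops at ret or after `limit` steps
    so a malformed or looping sample cannot hang the analysis."""
    order, pc = [], start
    while len(order) < limit:
        order.append(pc)
        op = code[pc]
        if op == 0xC3:                       # ret: end of the modelled path
            break
        pc = resolve_int3_target(code, pc, key) if op == 0xCC else pc + 1
    return order

if __name__ == "__main__":
    sample = build_sample()
    for src, dst in sorted(map_exception_jumps(sample, KEY).items()):
        print(f"int3 at {src:#04x} -> {dst:#04x}")
    print("execution order:", [hex(a) for a in trace(sample, KEY)])
```

Real samples vary the exception type (single-step, access violation, illegal instruction) and the key/offset arithmetic per version, so the decode step is the part that must be re-derived from each handler.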

MITRE Techniques

  • [T1027] Obfuscated Files or Information – GuLoader uses polymorphic code, dynamic constant construction, and encrypted strings to hide behavior (‘GuLoader employs polymorphic code to dynamically construct constants during execution.’)
  • [T1105] Ingress Tool Transfer – GuLoader downloads and decrypts secondary payloads from hardcoded URLs hosted on cloud services (‘This binary buffer functions as an XOR key, which is used to decrypt a malware payload that is downloaded from a hardcoded URL. The payload’s URL… often points to a shared file hosted on legitimate cloud services like Google Drive or OneDrive.’)
  • [T1102] Web Service – Threat actors host payloads on legitimate cloud platforms to deliver malware and evade reputation checks (‘…often points to a shared file hosted on legitimate cloud services like Google Drive or OneDrive.’)
  • [T1497.001] Debugger Evasion – GuLoader deliberately triggers CPU exceptions and includes anti-debugging checks (software breakpoint scanning, single-step exceptions) to thwart analysis (‘GuLoader utilizes a control flow obfuscation technique that replaces standard code jump (jmp) instructions with deliberate CPU exceptions.’ / ‘GuLoader purposefully triggers a single step exception (0x80000004)…’)
  • [T1140] Deobfuscate/Decode Files or Information – GuLoader decrypts encrypted strings and payloads at runtime (stack-based XOR decryption and polymorphic construction) to obtain C2 domains and payload data (‘GuLoader hides its command-and-control (C2) domains, file paths, and other critical information by encrypting strings with a simple XOR algorithm.’)

Indicators of Compromise

  • [File Hash] GuLoader sample hashes by version – example: 90de01c5ff417f23d7327aed517ff7f285e02dfe5dad475d7f13aced410f1b95 (2022), 320224be24d314fc9b2c9f8dbae1c185e2214db05… (2023), and other hashes listed in the report.
  • [Detection Name] Zscaler sandbox/threat name – Win32.Downloader.GuLoader (Zscaler coverage and detections reported in the blog).
  • [Cloud-hosted payload URLs] Hosting platforms used to deliver payloads – shared file URLs on Google Drive and OneDrive (payload URLs are encrypted strings in samples and often point to these services).

Read more: https://www.zscaler.com/blogs/security-research/technical-analysis-guloader-obfuscation-techniques