Getting gooey with GULOADER: deobfuscating the downloader — Elastic Security Labs

Elastic Security Labs documents GULOADER (also known as CloudEyE), a long-running evasive shellcode downloader that continually evolves its anti-analysis techniques. The article details how it unpacks and decrypts shellcode from NSIS installers, uses VEH-based obfuscation, and outlines methods to patch VEH to ease analysis.
Read more: https://www.elastic.co/security-labs/getting-gooey-with-guloader-downloader

Keypoints

  • GULOADER is an evasive shellcode downloader also called CloudEyE, with a long activity history and ongoing development.
  • Recent campaigns add exceptions to its Vectored Exception Handler (VEH), increasing anti-analysis complexity.
  • The NSIS installer drops components like System.dll and encrypted shellcode, which is read from the filesystem (e.g., Fibroms.Hag).
  • GULOADER avoids traditional process-injection APIs by using callbacks, leveraging EnumResourceTypesA and CallWindowProcW.
  • Researchers locate the main shellcode entrypoint and unwind the obfuscated control flow using graph views and reverse-engineering tools (e.g., x64dbg and Miasm).
  • Patch-based control-flow cleaning (bypassing the VEH) with TinyTracer and IDAPython scripts can recover a readable CFG and speed up analysis.

MITRE Techniques

  • [T1027] Obfuscated/Compressed Files and Information – The shellcode is encrypted and obfuscated; “The encrypted shellcode is buried into a nested folder.”
  • [T1562.001] Impair Defenses: Disable or Modify Security Tools – VEH is extended with new exceptions to hinder analysis; “adding exceptions to its Vectored Exception Handler (VEH)”.
  • [T1574] Hijack Execution Flow – The shellcode modifies execution flow by altering EIP via the CONTEXT record; “modify the EIP directly through the CONTEXT structure using a one-byte XOR key (changes per sample) with a one-byte offset from where the exception occurred.”
  • [T1106] Native API – The loader uses Windows APIs such as EnumResourceTypesA and CallWindowProcW to execute code; “EnumResourceTypesA and CallWindowProcW used by GULOADER.”
  • [T1105] Ingress Tool Transfer – Shellcode is read from disk during execution; “shellcode is read in from a file (Fibroms.Hag).”
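
As an added example (not code from the Elastic article and not GULOADER's own code), the following Python toy models two things named above: the CONTEXT-based EIP redirection in the T1574 bullet, and the patch-based control-flow cleaning from the Keypoints, where each exception-triggering redirect is replaced with a direct jump so a disassembler sees the real flow. The trigger byte (INT3), the XOR key, the load address, the buffer contents and the exact displacement arithmetic are assumptions for illustration; the article states only that a one-byte XOR key and a one-byte offset from the exception address are involved.

```python
# Added example: toy model of VEH-based EIP redirection and patch-based cleaning.
# Not from the Elastic article or from GULOADER itself.
#
# ASSUMED MODEL (not taken from the page): an exception-raising byte (INT3, 0xCC,
# chosen for this example) is followed by one byte that, once XORed with a
# per-sample one-byte KEY, gives the displacement from the exception address to
# the next real instruction. Real samples use their own trigger instructions,
# key and offset arithmetic; this only illustrates the mechanism and its undoing.

TRIGGER = 0xCC          # constructed: byte that raises the exception
KEY = 0x5A              # constructed: per-sample XOR key
ENCODED_OFFSET = 1      # assumed: encoded byte sits right after the trigger
BASE = 0x1000           # constructed: load address of the shellcode buffer


def build_sample() -> bytes:
    """Build a constructed 64-byte buffer holding a three-hop redirect chain."""
    buf = bytearray(b"\x90" * 0x40)          # NOP filler
    # hop 1 at 0x1000 -> 0x1010 (displacement 0x10, stored XORed with KEY)
    buf[0x00] = TRIGGER
    buf[0x01] = 0x10 ^ KEY
    # hop 2 at 0x1010 -> 0x1030 (displacement 0x20)
    buf[0x10] = TRIGGER
    buf[0x11] = 0x20 ^ KEY
    # chain ends at 0x1030 with a RET
    buf[0x30] = 0xC3
    return bytes(buf)


def resolve_target(code: bytes, exc_addr: int, key: int = KEY) -> int:
    """EIP the handler would write into CONTEXT for an exception at exc_addr (assumed model)."""
    encoded = code[exc_addr - BASE + ENCODED_OFFSET]
    return exc_addr + (encoded ^ key)


def walk_chain(code: bytes, start: int, key: int = KEY, max_steps: int = 64) -> list[int]:
    """Follow redirects from `start`; return the addresses actually reached (loop-safe)."""
    path, seen, addr = [], set(), start
    while addr not in seen and len(path) < max_steps:
        seen.add(addr)
        path.append(addr)
        if code[addr - BASE] != TRIGGER:
            break                               # a real instruction: chain ends here
        addr = resolve_target(code, addr, key)
    return path


def patch_redirects(code: bytes, start: int, key: int = KEY) -> bytes:
    """Replace each trigger on the chain with a short JMP (EB rel8) to its true target."""
    patched = bytearray(code)
    for addr in walk_chain(code, start, key):
        if code[addr - BASE] != TRIGGER:
            continue
        target = resolve_target(code, addr, key)
        rel8 = target - (addr + 2)              # short JMP encodes 2 bytes
        if not -128 <= rel8 <= 127:
            raise ValueError(f"target {target:#x} not reachable by rel8 from {addr:#x}")
        patched[addr - BASE] = 0xEB
        patched[addr - BASE + 1] = rel8 & 0xFF
    return bytes(patched)


if __name__ == "__main__":
    sample = build_sample()
    print("executed path:", [hex(a) for a in walk_chain(sample, BASE)])
    print("patched head: ", patch_redirects(sample, BASE)[:0x14].hex())
```

The `walk_chain` step is the emulation half (what a tracer such as TinyTracer gives you: the addresses the code really reaches), and `patch_redirects` is the cleaning half (what an IDAPython script would write back so the CFG shows plain jumps instead of dead ends at each exception). The `seen` set guards against a redirect chain that loops, and the rel8 range check models the practical limit of patching in place with a two-byte jump; a real script would fall back to a five-byte near JMP when the target is farther away.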

Indicators of Compromise

  • [SHA-256] Windows.Trojan.Guloader – 6ae7089aa6beaa09b1c3aa3ecf28a884d8ca84f780aab39902223721493b1f99
  • [URL] GULOADER C2 URL – 101.99.75[.]183/MfoGYZkxZIl205.bin
  • [IPv4-addr] GULOADER C2 IP – 101.99.75[.]183
