Guloader Malware Being Disguised as Employee Performance Reports

AhnLab ASEC discovered Guloader being distributed via phishing emails that impersonate an employee performance report and include a RAR attachment containing an NSIS executable named “staff record pdf.exe” which can be mistaken for a PDF. The executable downloads shellcode from a Google Drive URL and loads Remcos RAT in memory, enabling remote control features such as keylogging, screenshot and webcam/microphone capture, and browser credential extraction. #Guloader #Remcos

Keypoints

  • ASEC identified Guloader delivered through phishing emails claiming to be an October 2025 employee performance report and referencing planned dismissals to prompt opening the attachment.
  • The attachment is a RAR archive containing an NSIS-built executable named “staff record pdf.exe” which may appear as a PDF if extensions are hidden.
  • When executed, the Guloader sample downloads and loads shellcode from a Google Drive URL into memory.
  • The final payload deployed by the shellcode is Remcos RAT, providing full remote access and surveillance capabilities.
  • Remcos RAT’s functions described include keylogging, screenshot capture, webcam and microphone control, and extraction of browser histories and passwords.
  • Observed IOCs include the Google Drive download URL, a Remcos RAT C2 IP with ports, and an MD5 file hash for the malicious executable.

MITRE Techniques

  • [T1566] Phishing – Delivery via deceptive email: ‘phishing emails disguised as an employee performance report.’
  • [T1204.002] User Execution: Malicious File – Victim execution of a bundled executable: ‘The attached file is a compressed file in RAR format, and it contains an NSIS executable file named “staff record pdf.exe” inside.’
  • [T1036] Masquerading – Filename used to appear legitimate and trick users: ‘If the extension is not displayed, there is a risk of being mistaken for a PDF document and being executed.’
  • [T1102] Web Service – Use of a legitimate cloud service to host/download the payload: ‘hxxps://drive.google[.]com/uc?export=download&id=1bzvByYrIHy24oMCIX7Cv41gP9ZY3pRsgv.’
  • [T1055] Process Injection – In-memory execution of downloaded shellcode: ‘When executed, it loads and executes the shellcode located in the C2 below into memory.’
  • [T1219] Remote Access Software – Deployment of Remcos RAT to provide remote control: ‘The final malware that is executed is Remcos RAT.’
  • [T1056.001] Input Capture: Keylogging – Theft of typed data via keylogging: ‘keylogging.’
  • [T1113] Screen Capture – Capturing screenshots of the infected system: ‘capturing screenshots.’
  • [T1123] Audio Capture and [T1125] Video Capture – Control of microphones and webcams for surveillance: ‘controlling webcams and microphones.’
  • [T1555.003] Credentials from Web Browsers – Extraction of stored browser passwords and histories: ‘extracting browser histories and passwords from the installed system.’

Indicators of Compromise

  • [URL] Shellcode hosting and download – hxxps://drive.google[.]com/uc?export=download&id=1bzvByYrIHy24oMCIX7Cv41gP9ZY3pRsgv
  • [IP address] Remcos RAT C2 – 196.251.116[.]219, ports 2404 and 5000
  • [File Hash] Malicious executable MD5 – c95f2a7556902302f352c97b7eed4159
  • [File Name] Attached archive and executable – ‘staff record pdf.exe’ (NSIS executable), delivered inside a RAR archive
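The masquerading trick and the indicators above translate directly into a hunt script. The following is an added example, not AhnLab's code: it takes the report's Google Drive URL, C2 IP and ports, and MD5 as listed, runs them over constructed proxy/firewall/EDR log lines (the line formats, hostnames and internal IPs are invented for the demo), and flags attachment names whose real extension is executable while the stem contains a document keyword, which is exactly how “staff record pdf.exe” passes for a PDF. It also generalizes the Drive indicator to the file ID so that the `/file/d/<id>/view` form of the same link is caught; that generalization is this example's choice, not something the report states.

```python
"""Hunt for the Guloader/Remcos indicators in proxy, firewall and EDR logs.

Added example (not AhnLab's code). IOC values come from the report; the log
line formats, hostnames and internal addresses below are constructed.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Indicators from the report, with defanging brackets removed so they match raw logs.
SHELLCODE_URL = "https://drive.google.com/uc?export=download&id=1bzvByYrIHy24oMCIX7Cv41gP9ZY3pRsgv"
C2_IP = "196.251.116.219"
C2_PORTS = {2404, 5000}
SAMPLE_MD5 = "c95f2a7556902302f352c97b7eed4159"

# Extensions Windows will execute, and words that make a name look like a document.
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "msi"}
DOC_WORDS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}


def drive_file_id(url: str) -> Optional[str]:
    """Return the Google Drive file ID from either download URL form, else None."""
    p = urlparse(url)
    if p.netloc.lower() != "drive.google.com":
        return None
    qs = parse_qs(p.query)
    if "id" in qs:                      # .../uc?export=download&id=<id>
        return qs["id"][0]
    m = re.match(r"^/file/d/([A-Za-z0-9_-]+)", p.path)   # .../file/d/<id>/view
    return m.group(1) if m else None


def is_masquerading_name(filename: str) -> bool:
    """True when an executable extension hides behind a document-looking stem."""
    parts = filename.lower().rsplit(".", 1)
    if len(parts) != 2 or parts[1] not in EXEC_EXTS:
        return False
    # "staff record pdf" -> {"staff", "record", "pdf"}; "invoice.pdf" -> {"invoice", "pdf"}
    tokens = set(re.split(r"[\s._-]+", parts[0]))
    return bool(tokens & DOC_WORDS)


BAD_DRIVE_ID = drive_file_id(SHELLCODE_URL)
URL_RE = re.compile(r"https?://\S+")
IP_PORT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?\b")
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.I)
FILE_RE = re.compile(r'file="([^"]+)"')


def scan_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, indicator_type, value) for every IOC hit in the lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            if drive_file_id(url) == BAD_DRIVE_ID:          # matches on file ID, not URL text
                hits.append((n, "drive_url", url))
        for ip, port in IP_PORT_RE.findall(line):
            if ip == C2_IP:
                # report ports raise confidence; any contact with the IP is still worth a look
                kind = "c2" if (not port or int(port) in C2_PORTS) else "c2_ip"
                hits.append((n, kind, f"{ip}:{port}" if port else ip))
        for digest in MD5_RE.findall(line):
            if digest.lower() == SAMPLE_MD5:
                hits.append((n, "md5", digest.lower()))
        m = FILE_RE.search(line)
        if m and is_masquerading_name(m.group(1)):
            hits.append((n, "masquerade", m.group(1)))
    return hits


# Constructed sample log lines: two Drive URL forms for the same file ID, a benign
# Drive download, C2 contact on a report port and on another port, and two EDR events.
SAMPLE_LOG = [
    "proxy src=10.0.0.15 url=https://drive.google.com/uc?export=download&id=1bzvByYrIHy24oMCIX7Cv41gP9ZY3pRsgv status=200",
    "proxy src=10.0.0.15 url=https://drive.google.com/file/d/1bzvByYrIHy24oMCIX7Cv41gP9ZY3pRsgv/view status=200",
    "proxy src=10.0.0.22 url=https://drive.google.com/uc?export=download&id=AAAAbenignAAAA status=200",
    "fw src=10.0.0.15 dst=196.251.116.219:2404 action=allow",
    "fw src=10.0.0.15 dst=196.251.116.219:443 action=allow",
    'edr host=WS15 file="staff record pdf.exe" md5=C95F2A7556902302F352C97B7EED4159 action=create',
    'edr host=WS22 file="q3-report.pdf" md5=0123456789abcdef0123456789abcdef action=create',
]

if __name__ == "__main__":
    for line_no, kind, value in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {kind:10} {value}")
```

Matching on the Drive file ID rather than the literal URL matters because the same upload can be fetched through several URL shapes, and the download form in the report is only one of them; matching the C2 address on any port, while tagging the report's ports separately, keeps a changed listener port from hiding the beacon. In a real deployment the `SAMPLE_LOG` list would be replaced by the proxy, firewall and EDR exports, and a masquerade hit on an attachment name is worth alerting on even without an IOC match, since the next campaign will rotate hashes and hosting.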


Read more: https://asec.ahnlab.com/en/91825/