GuLoader: New Tactics in Recent Campaign Against European Industry

Cado Security Labs uncovered a GuLoader campaign that uses spearphishing and obfuscated PowerShell to deliver RATs to European industrial and engineering firms. The attack chain features multi-stage shellcode, process injection, and registry persistence to evade detection. #GuLoader #Remcos

Key points

  • GuLoader is a long-running shellcode downloader used to deliver Remote Access Trojans (RATs) such as Remcos, NetWire, and AgentTesla.
  • The campaign targeted electronic manufacturing, engineering and industrial companies across Europe including Romania, Poland, Germany and Kazakhstan.
  • Initial delivery is via spearphishing emails with archive attachments (ISO, 7z, gzip, RAR) that contain batch files and obfuscated PowerShell.
  • Obfuscation techniques include junk characters, hex XOR decoding and functions that remove every fifth character to hide payloads.
  • Execution includes memory allocation (VirtualAlloc), Marshal.Copy-based shellcode loading, process injection (msiexec.exe) and registry persistence under HKCU.
  • Network artifacts show multiple hosting domains and IPs used to retrieve additional payloads; some requests returned 404 at time of analysis.

MITRE Techniques

  • [T1566.001] Phishing: Malicious Attachment – Uses spearphishing emails with archive attachments to deliver the initial batch/PowerShell. (‘Utilizes spearphishing emails with malicious attachments to compromise targets.’)
  • [T1055] Process Injection – Injects second-stage shellcode into legitimate processes (msiexec.exe) to run payloads. (‘Injects malicious code into legitimate processes to execute payloads.’)
  • [T1204.002] User Execution: Malicious File – Relies on recipients opening attached archive files and executing contained batch/PowerShell. (‘Relies on user interaction to execute malicious files.’)
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Persists by writing the original PowerShell into HKCU registry keys. (‘Modifies registry keys for persistence.’)
  • [T1140] Deobfuscate/Decode Files or Information – Obfuscated strings and Base64/hex are decoded and reconstructed into executable PowerShell and shellcode. (‘Uses obfuscation techniques to hide malicious code.’)
  • [T1622] Debugger Evasion – First-stage shellcode includes anti-debugging techniques to frustrate analysis. (‘Implements techniques to evade debugging tools.’)
  • [T1001.001] Junk Code – Obfuscation inserts junk characters and non-functional bytes to confuse static analysis. (‘Inserts non-functional code to confuse analysis.’)
  • [T1105] Ingress Tool Transfer – Secondary files and payloads are downloaded from remote domains into AppData/Roaming for later execution. (‘Transfers tools or payloads into the target environment.’)
  • [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell scripts (obfuscated then deobfuscated) orchestrate downloads, decoding and shellcode execution. (‘Utilizes PowerShell for executing scripts and commands.’)
  • [T1497.003] Virtualization/Sandbox Evasion: Time Based Evasion – Timing and anti-analysis checks help the payload evade sandbox/VM detection. (‘Employs timing techniques to evade detection in virtualized environments.’)
  • [T1071.001] Application Layer Protocol: Web Protocols – Uses HTTP(S) to retrieve secondary payloads and possible C2 communications. (‘Uses web protocols for command and control communications.’)

Indicators of Compromise

  • [IP Address] network hosting – 91[.]109.20.161, 137[.]184.191.215, and 1 more IP
  • [URLs / Domains] payload hosts – https://careerfinder[.]ro/vn/Traurigheder[.]sea, https://filedn[.]com/…/Frihandelsaftalen40.fla, and 2 more domains/paths
  • [File names] malicious delivery files – ZW_PCCE-010023024001.bat, ORDER_1ST.bat, and many other .bat/.iso attachment names
  • [SHA256 hashes] sample hashes – 36a9a24404963678edab15248ca95a4065bdc6a84e32fcb7a2387c3198641374, 26500af5772702324f07c58b04ff703958e7e0b57493276ba91c8fa87b7794ff, and many more
  • [Registry entries] persistence keys – HKCU\Software\Procentagiveless (name “Mannas”), HKCU\Environment value “Frenetic” (PowerShell path)
  • [Process names] legitimate process abused – msiexec.exe (used as injection/launcher)
  • [YARA rule] detection signature – GuLoader_Obfuscated_Powershell (rule provided by Cado Security Labs)

Cado Security Labs discovered a targeted GuLoader campaign aimed at European industrial and engineering firms that begins with realistic spearphishing emails containing archive attachments (ISO, 7z, gzip, RAR). The archives contain batch files that drop obfuscated PowerShell; the scripts use multiple layers of evasion (junk characters, hex strings XORed with 173, Base64 slicing) to hide two stages of shellcode stored under AppData/Roaming.
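The key points and the summary above both describe the same string-hiding chain: junk characters that a routine strips at a fixed stride (every fifth character), hex-encoded text, and a single-byte XOR with 173. The following Python is an added analyst-side helper that reverses that chain; it is not code from the Cado report or from the campaign. The sample input is constructed from a harmless string inside the block, and the helper that builds it exists only to produce that fixture.

```python
"""Analyst-side deobfuscation helper for the string-hiding tricks described
above: junk characters at a fixed stride (the report describes a routine that
removes every fifth character), hex-encoded payload text, and single-byte XOR
with key 173. The sample input is built here from a harmless string; nothing in
this file is material from the Cado report."""

XOR_KEY = 173  # key reported in the summary (0xAD)


def strip_every_nth(text: str, n: int = 5) -> str:
    """Drop every n-th character (1-based positions n, 2n, 3n, ...).

    This mirrors the junk-removal routine the report describes; with n=5 the
    characters at positions 5, 10, 15, ... are discarded."""
    return "".join(ch for i, ch in enumerate(text, start=1) if i % n != 0)


def hex_xor_decode(hex_text: str, key: int = XOR_KEY) -> bytes:
    """Hex-decode the text, then XOR every byte with the single-byte key."""
    return bytes(b ^ key for b in bytes.fromhex(hex_text))


def deobfuscate(stage: str, stride: int = 5, key: int = XOR_KEY) -> str:
    """Full chain: strip stride junk -> hex decode -> XOR -> text.

    Undecodable bytes are replaced rather than raising, because a wrong key or
    stride guess should still return something an analyst can eyeball."""
    cleaned = strip_every_nth(stage, stride)
    return hex_xor_decode(cleaned, key).decode("utf-8", errors="replace")


def build_constructed_sample(plaintext: str, junk: str = "#",
                             stride: int = 5, key: int = XOR_KEY) -> str:
    """Produce a test fixture in the same shape: XOR, hex-encode, then put one
    junk character at every stride-th position. Used only to construct the
    sample input for this example (constructed data, not campaign material)."""
    hex_text = bytes(b ^ key for b in plaintext.encode("utf-8")).hex()
    out = []
    for i, ch in enumerate(hex_text, start=1):
        out.append(ch)
        if i % (stride - 1) == 0:   # after every (stride-1) real characters
            out.append(junk)
    return "".join(out)


if __name__ == "__main__":
    sample = build_constructed_sample("Write-Host 'constructed sample'")
    print("obfuscated:", sample)
    print("recovered :", deobfuscate(sample))
```

When triaging a real script, try the stride and key reported here first and fall back to brute-forcing the single-byte key: the hex-decoded buffer is only 256 candidates long per stride, and the correct one is the candidate that decodes to readable PowerShell. The Base64 slicing the summary also mentions is not modelled here because the report excerpt does not describe its exact shape.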

Once deobfuscated, the PowerShell allocates memory (VirtualAlloc), copies shellcode via Marshal.Copy, and executes it. The first shellcode stage includes anti-debugging checks and decrypts a second stage that writes persistence data into HKCU registry keys and injects the final payload into a legitimate process (msiexec.exe). Cado observed network retrieval attempts from multiple domains—typical final payloads for GuLoader campaigns are RATs such as Remcos, NetWire, and AgentTesla.

The report highlights how GuLoader’s multi-stage obfuscation and in-memory execution make detection and analysis difficult and underscores the need for layered defenses: email filtering, attachment execution restrictions, PowerShell logging/ConstrainedLanguageMode, endpoint detection tuned for process injection and unusual registry changes, and network controls to block known hostile hosts.
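The execution chain described two paragraphs up and the defenses listed here meet in PowerShell logging: with script block logging enabled, the deobfuscated script text reaches the event log (Event ID 4104, ScriptBlockText) and can be scored for the behaviours the report names. The Python below is an added example of such a scorer; it is not Cado's YARA rule and the weights and threshold are choices made for this example. The two script blocks are constructed fixtures carrying indicator tokens, not the campaign's scripts.

```python
"""Heuristic scoring of PowerShell script-block text (e.g. Event ID 4104
ScriptBlockText) for the behaviours the GuLoader summary describes:
VirtualAlloc + Marshal.Copy shellcode staging, long hex blobs, stride-based
junk removal, XOR with 173, msiexec.exe as injection target and HKCU
persistence. Added example; thresholds and weights are this example's own."""
import re
from typing import Dict, List

# name -> (pattern, weight). Weights are illustrative; tune on your telemetry.
HEURISTICS = {
    "virtualalloc":    (re.compile(r"VirtualAlloc", re.I), 3),
    "marshal_copy":    (re.compile(r"Marshal\]?(?:::|\.)Copy", re.I), 3),
    "long_hex_blob":   (re.compile(r"[0-9A-Fa-f]{200,}"), 2),
    "xor_173":         (re.compile(r"-bxor\s*(?:173|0xAD)\b", re.I), 2),
    "stride_strip":    (re.compile(r"%\s*5\b"), 1),
    "hkcu_persist":    (re.compile(r"HKCU:?\\(?:Environment|Software)\b", re.I), 2),
    "msiexec_target":  (re.compile(r"msiexec\.exe", re.I), 2),
    "appdata_roaming": (re.compile(r"AppData[\\/]Roaming", re.I), 1),
}
ALERT_THRESHOLD = 6  # two strong indicators, or one strong plus several weak


def score_script_block(text: str) -> Dict[str, object]:
    """Return the matched heuristic names, their summed weight and a verdict."""
    hits = [name for name, (pat, _) in HEURISTICS.items() if pat.search(text)]
    score = sum(HEURISTICS[name][1] for name in hits)
    return {"score": score, "hits": hits, "alert": score >= ALERT_THRESHOLD}


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Score a batch of {'id': ..., 'ScriptBlockText': ...} records."""
    return [{"id": e["id"], **score_script_block(e["ScriptBlockText"])}
            for e in events]


# Constructed fixture: an ordinary admin one-liner.
BENIGN_BLOCK = r"""Get-ChildItem -Path C:\Logs -Recurse |
    Where-Object { $_.Length -gt 1MB } |
    Sort-Object Length -Descending | Select-Object -First 10"""

# Constructed fixture: fragmentary lines carrying the indicator tokens the
# report describes (the hex blob is synthetic filler, not real data).
SUSPICIOUS_BLOCK = "\n".join([
    "$Frihandel = '" + "ab" * 150 + "'",
    "if ($i % 5 -ne 0) { $Klar += $Frihandel[$i] }",
    "$Byte = [Convert]::ToByte($Pair, 16) -bxor 173",
    "# ... VirtualAlloc resolved via reflection ...",
    "[System.Runtime.InteropServices.Marshal]::Copy($Bytes, 0, $Mem, $Bytes.Length)",
    "Set-ItemProperty -Path 'HKCU:\\Environment' -Name Frenetic -Value $Path",
    "Start-Process msiexec.exe",
])


if __name__ == "__main__":
    for row in triage([{"id": "evt-1", "ScriptBlockText": BENIGN_BLOCK},
                       {"id": "evt-2", "ScriptBlockText": SUSPICIOUS_BLOCK}]):
        print(row)
```

The scorer is deliberately additive rather than a single regex: VirtualAlloc or a long hex string alone appears in legitimate tooling, but the combination with a stride-5 loop, a `-bxor 173`, an HKCU write and an msiexec.exe launch in one script block is the shape this report describes. Feed it the 4104 text after logging is enabled; the obfuscated first stage is what the attachment carries, the logged block is what actually ran.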

Read more: https://www.cadosecurity.com/blog/guloader-targeting-european-industrial-companies