Skip to content
Malware family Windows

GuLoader

GuLoader is a Windows shellcode-based downloader and loader that has been active since at least 2019 and is widely used in commodity malware delivery operations.

Profile source: Mallory opens in a new tab

GuLoader

Family profile

GuLoader is a Windows shellcode-based downloader and loader that has been active since at least 2019 and is widely used in commodity malware delivery operations. It is commonly associated with the delivery of Agent Tesla, FormBook, NetWire, NanoCore, Parallax RAT, Remcos, LokiBot, XLoader, XWorm, VIPKeylogger, and Snake Keylogger/404 Keylogger. GuLoader is frequently wrapped in NSIS installers, VB-based launchers, or VBScript and PowerShell stages, and it is notable for decrypting and executing payloads directly in memory rather than writing final-stage malware to disk. Public cloud and other legitimate web services have repeatedly been abused to host encrypted GuLoader shellcode or downstream payloads.

The malware emphasizes defense evasion and anti-analysis. GuLoader dynamically resolves APIs through hashing, encrypts strings and payloads with XOR-based schemes, and heavily obfuscates control flow. A defining feature of newer variants is exception-driven execution flow using vectored exception handlers. Instead of ordinary branching, GuLoader deliberately triggers breakpoint, single-step, access-violation, and in later variants illegal-instruction and privileged-instruction exceptions, then computes the next execution address inside the handler. This design complicates static analysis, debugging, and signature generation. Additional anti-analysis behavior includes anti-debugging checks, hardware- and software-breakpoint detection, debugger hiding, timing checks, virtualization and sandbox detection, and inspection of system artifacts associated with analysis environments.

GuLoader also supports process injection. Observed variants create a legitimate Windows process in a suspended state and inject shellcode into it before resuming execution; RegAsm has been documented as one donor process. Later shellcode stages then perform network retrieval of encrypted payloads and execute them in memory. This architecture allows GuLoader to function as a flexible malware delivery platform rather than a final payload itself.

Distribution has been observed through phishing and spearphishing campaigns, including malicious Office documents with embedded macros, archive-based lures, NSIS-packaged executables, and job-, invoice-, tax-, shipping-, and order-themed social engineering. More recent activity has also tied GuLoader to web-based fake CAPTCHA and ClickFix-style chains that trick users into launching trusted Windows binaries to load remote content in memory. Financially motivated operators and intrusion clusters have used GuLoader in campaigns targeting businesses across multiple sectors, including banking and other enterprises, with notable reporting on activity affecting African financial institutions and Italian businesses.

Capabilities

  • Credential Theft
  • Defense Evasion
  • Post Exploitation
  • Process Injection

C2 tracking

Seven-day C2 activity

Derp observations, rolling seven-day window

Observed infrastructure

Last seven days

First activity
Jul 19, 2026
Last activity
Jul 19, 2026
Feed role
C2
Host form
1 IP / 0 hostnames

Leading locations

  • LU1

Leading providers

  • Ghosty Networks LLC1

Infrastructure traits

  • Hosting 1

Samples

Recent associated samples

Reported operators

Threat actors

3 named in public reporting
TA558

[☢️Campaign] GuLoader: Using it as a hook to deploy Snake

Storm-0249

Earlier this April, the Redmond-based company warned of several phishing campaigns leveraging tax-related themes to deploy malware such as Latrodectus, AHKBot, GuLoader, and BruteRatel C4 (BRc4). The phishing pages, it added, were delivered via RaccoonO365, with one such campaign attributed to an initial access broker called Storm-0249.

RATicate

"...Visual Basic loaders —including the Guloader malware dropper discovered by Proofpoint on December 2019."

Exploited software

Vulnerabilities linked to GuLoader

1 CVEs

MITRE ATT&CK

GuLoader in ATT&CK

48 distinct techniques

Reporting

Research mentioning GuLoader

Jun 17
Cyber Security News

ClickFix Campaign Uses EtherHiding and GULoader to Infect Windows Users via Fake CAPTCHA

The campaign, first observed in April 2026, begins on a compromised European small-business website and ends with an attempt to load GULoader, a memory-based malware downloader, onto a victim’s machine.

May 21
Cyber Security News

Gremlin Stealer Stores C2 URLs and Exfiltration Paths in Encrypted Resource Sections - Cyber Security News

This technique mirrors tactics used by malware families like Agent Tesla, GuLoader, LokiBot, and Quasar RAT, which rely on the resource section to bury their payloads.

May 15
Palo Alto Networks Unit 42

Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight With Resource Files

Gremlin stealer uses the resource section to mirror the tactics of several high-profile malware families that frequently use this area for payload obfuscation, including: Agent Tesla, GuLoader, LokiBot, Quasar RAT.

May 13
Crowdstrike

CrowdStrike Investigates the Threat of Patchless AMSI Bypass Attacks

Malware also uses this technique for anti-analysis, an issue we explored in a previous blog post about an advanced anti-analysis techniques discovered in GuLoader.

Apr 24
Breakglass Intel

Two Passwords, Two Compromise Stories - and the PhantomStealer v3.5.0 Config That Answers a Community Ask - Breakglass Intelligence - Breakglass Intelligence

the same delivery ZIP wrapper and the same GuLoader binary (Ustabil.exe, SHA-256 350c7cdc9d10c12ae1c490890975e387421616170f710ebbf9fa6d29fbf4b7dc) are tagged on MalwareBazaar with both omamontaggi-it and ftp-corella-ro

Mar 12
Breakglass Intel

GuLoader Ships Dual Stealers to Italian Businesses While Its Open FTP Directory Leaks 52 Credential Dumps from 27 Victims in Real Time - Breakglass Intelligence - Breakglass Intelligence

Two GuLoader samples submitted to MalwareBazaar on March 9-10, 2026 unravel an active credential theft campaign targeting Italian and international businesses.

Mar 12
Breakglass Intel

XWorm v6.4 via Go Loader and ScrubCrypt: A 13-Month Multi-RAT Operator Who Forgot to Move - Breakglass Intelligence - Breakglass Intelligence

February 2025: the operator deploys Remcos RAT, delivered via GuLoader, communicating on port 2404.

Mar 6
Jpcert

JSAC2026 -Workshop/Lightning Talk Session/Panel Discussion- - JPCERT/CC Eyes | JPCERT Coordination Center official Blog

The workshop analyzed two malware families: - Guloader: a multi-stage dropper - Gremlin: an infostealer Participants analyzed a multi-stage attack scenario in which Guloader acts as the initial access vector and ultimately deploys and executes Gremlin...

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.