Last seven days
- First activity
- Jul 19, 2026
- Last activity
- Jul 19, 2026
- Feed role
- C2
- Host form
- 1 IP / 0 hostnames
GuLoader is a Windows shellcode-based downloader and loader that has been active since at least 2019 and is widely used in commodity malware delivery operations.
Profile source: Mallory opens in a new tabGuLoader
GuLoader is a Windows shellcode-based downloader and loader that has been active since at least 2019 and is widely used in commodity malware delivery operations. It is commonly associated with the delivery of Agent Tesla, FormBook, NetWire, NanoCore, Parallax RAT, Remcos, LokiBot, XLoader, XWorm, VIPKeylogger, and Snake Keylogger/404 Keylogger. GuLoader is frequently wrapped in NSIS installers, VB-based launchers, or VBScript and PowerShell stages, and it is notable for decrypting and executing payloads directly in memory rather than writing final-stage malware to disk. Public cloud and other legitimate web services have repeatedly been abused to host encrypted GuLoader shellcode or downstream payloads.
The malware emphasizes defense evasion and anti-analysis. GuLoader dynamically resolves APIs through hashing, encrypts strings and payloads with XOR-based schemes, and heavily obfuscates control flow. A defining feature of newer variants is exception-driven execution flow using vectored exception handlers. Instead of ordinary branching, GuLoader deliberately triggers breakpoint, single-step, access-violation, and in later variants illegal-instruction and privileged-instruction exceptions, then computes the next execution address inside the handler. This design complicates static analysis, debugging, and signature generation. Additional anti-analysis behavior includes anti-debugging checks, hardware- and software-breakpoint detection, debugger hiding, timing checks, virtualization and sandbox detection, and inspection of system artifacts associated with analysis environments.
GuLoader also supports process injection. Observed variants create a legitimate Windows process in a suspended state and inject shellcode into it before resuming execution; RegAsm has been documented as one donor process. Later shellcode stages then perform network retrieval of encrypted payloads and execute them in memory. This architecture allows GuLoader to function as a flexible malware delivery platform rather than a final payload itself.
Distribution has been observed through phishing and spearphishing campaigns, including malicious Office documents with embedded macros, archive-based lures, NSIS-packaged executables, and job-, invoice-, tax-, shipping-, and order-themed social engineering. More recent activity has also tied GuLoader to web-based fake CAPTCHA and ClickFix-style chains that trick users into launching trusted Windows binaries to load remote content in memory. Financially motivated operators and intrusion clusters have used GuLoader in campaigns targeting businesses across multiple sectors, including banking and other enterprises, with notable reporting on activity affecting African financial institutions and Italian businesses.
C2 tracking
Derp observations, rolling seven-day window
Samples
Reported operators
[☢️Campaign] GuLoader: Using it as a hook to deploy Snake
Earlier this April, the Redmond-based company warned of several phishing campaigns leveraging tax-related themes to deploy malware such as Latrodectus, AHKBot, GuLoader, and BruteRatel C4 (BRc4). The phishing pages, it added, were delivered via RaccoonO365, with one such campaign attributed to an initial access broker called Storm-0249.
"...Visual Basic loaders —including the Guloader malware dropper discovered by Proofpoint on December 2019."
Exploited software
MITRE ATT&CK
Reporting
The campaign, first observed in April 2026, begins on a compromised European small-business website and ends with an attempt to load GULoader, a memory-based malware downloader, onto a victim’s machine.
This technique mirrors tactics used by malware families like Agent Tesla, GuLoader, LokiBot, and Quasar RAT, which rely on the resource section to bury their payloads.
Gremlin stealer uses the resource section to mirror the tactics of several high-profile malware families that frequently use this area for payload obfuscation, including: Agent Tesla, GuLoader, LokiBot, Quasar RAT.
Malware also uses this technique for anti-analysis, an issue we explored in a previous blog post about an advanced anti-analysis techniques discovered in GuLoader.
the same delivery ZIP wrapper and the same GuLoader binary (Ustabil.exe, SHA-256 350c7cdc9d10c12ae1c490890975e387421616170f710ebbf9fa6d29fbf4b7dc) are tagged on MalwareBazaar with both omamontaggi-it and ftp-corella-ro
Two GuLoader samples submitted to MalwareBazaar on March 9-10, 2026 unravel an active credential theft campaign targeting Italian and international businesses.
February 2025: the operator deploys Remcos RAT, delivered via GuLoader, communicating on port 2404.
The workshop analyzed two malware families: - Guloader: a multi-stage dropper - Gremlin: an infostealer Participants analyzed a multi-stage attack scenario in which Guloader acts as the initial access vector and ultimately deploys and executes Gremlin...
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.