
GuLoader


GuLoader is an advanced downloader written in shellcode. Criminals use it to distribute other malware, notably trojans, at scale. It is infamous for its anti-detection and anti-analysis capabilities.

Type: Downloader
Origin: Italy
First seen: 1 December, 2019
Last seen: 8 October, 2025
Also known as: CloudEyE, vbdropper




What is GuLoader malware

Just like the name suggests, GuLoader (sometimes also called CloudEyE and vbdropper) is a first-stage trojan designed to infect a system and drop a final payload, typically another trojan or a RAT. Once the malware makes its way into the victim's system, it attempts to establish a remote connection and download a malicious executable.

This malware is infamous for using advanced anti-detection and obfuscation techniques. It evades network detection, stops executing in virtual environments, and can slip past automated security systems.

Researchers first observed GuLoader in December 2019, when it was used in a campaign delivering Remcos RAT. Throughout 2020, the trojan kept gaining popularity, at one point accounting for 25% of all packed samples recorded by Check Point Research. Today, GuLoader remains a highly active threat. It often delivers NanoCore, Agent Tesla, LokiBot, and FormBook.

General description of GuLoader downloader

GuLoader is written in encrypted shellcode wrapped in a Visual Basic 6 (VB6) executable. Notably, it stores second-stage payloads in cloud drive services, usually Google Drive or Microsoft OneDrive. This way, it can establish a connection and download the executable without raising any red flags. The payload is usually encrypted, allowing it to slip past the cloud host's security measures.
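As an added illustration (not part of the original page and not ANY.RUN's tooling), the following Python triage heuristic flags proxy-log entries that match the two payload-hosting patterns just described: direct-download links on a cloud drive, and opaque encrypted blobs pulled over plain HTTP from a bare IP address. The log format, host names, extensions and sample entries are constructed assumptions.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Heuristic for the two payload-hosting patterns described above: a direct-download
# link on a cloud drive (Google Drive / OneDrive), or an opaque encrypted blob
# fetched over plain HTTP from a bare IP address. Host names, extensions and the
# log format are assumptions, not a specification of GuLoader's behaviour.
OPAQUE_BLOB = re.compile(r"\.(?:bin|dat)$", re.IGNORECASE)
BARE_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def classify_url(url: str) -> Optional[str]:
    """Return a reason string if the URL looks like a GuLoader payload fetch, else None."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    if host == "drive.google.com" and u.path == "/uc" \
            and "download" in parse_qs(u.query).get("export", []):
        return "google-drive direct download"
    if host.endswith("onedrive.live.com") and "download" in u.path.lower():
        return "onedrive direct download"
    if u.scheme == "http" and BARE_IPV4.match(host) and OPAQUE_BLOB.search(u.path):
        return "opaque blob from bare-IP host"
    return None


def triage(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Scan 'timestamp client method url status' lines; return (client, url, reason) hits."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line: skip rather than crash the sweep
        client, url = parts[1], parts[3]
        reason = classify_url(url)
        if reason:
            hits.append((client, url, reason))
    return hits


# Constructed sample proxy log (203.0.113.0/24 is documentation address space).
SAMPLE_LOG = [
    "2025-10-08T09:12:01Z 10.0.0.5 GET https://www.example.com/index.html 200",
    "2025-10-08T09:12:07Z 10.0.0.5 GET https://drive.google.com/uc?export=download&id=PLACEHOLDER_ID 200",
    "2025-10-08T09:12:09Z 10.0.0.6 GET http://203.0.113.7/agent_XyZ123.bin 200",
    "2025-10-08T09:12:11Z 10.0.0.6 GET https://drive.google.com/file/d/PLACEHOLDER_ID/view 200",
]

if __name__ == "__main__":
    for client, url, reason in triage(SAMPLE_LOG):
        print(f"{client} -> {url}  [{reason}]")
```

A hit is a lead for pulling the sandbox report and the extracted configuration, not a verdict on its own: legitimate Google Drive direct downloads also match the first rule.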

This loader is infamous for its use of anti-analysis techniques:

  1. The shellcode is heavily obfuscated and mixed with generous amounts of junk code.
  2. It detects sandboxes with EnumWindows by counting the number of application windows on the screen and terminates with an error message.
  3. It tampers with debugging software, causing crashes.
  4. It uses process hollowing to inject malicious code into a benign process and evade detection by an antivirus.
  5. To confuse analysts, its PE header contains only generic GetProcAddress instructions.

Like many downloaders, GuLoader is offered as a service. Prices start at $100 per month. It is distributed on the clearnet by a company with a domain name in the .eu zone. The website markets it under the name CloudEye, claiming that this is a security tool intended for protecting applications against cracking. However, the same site contains links to YouTube tutorials that clearly display how to use the software maliciously. They also show how to abuse cloud drives.

Researchers managed to link GuLoader to an Italy-based hacking group by analyzing emails left as contact details in old forum threads. One of the users behind the loader is known under the alias sonykuccio. He advertised a malware variant as far back as 2011 and offered paid services, claiming that he could make other malicious programs harder to detect. That is why GuLoader uses so many intricate evasion techniques.

How to get more information from GuLoader malware

ANY.RUN helps researchers perform malware analysis of GuLoader and track its execution process in an interactive sandbox.


Figure 1: GuLoader text report generated by ANY.RUN

ANY.RUN allows users to save time during analysis and presents crucial information extracted from malware immediately. Analysts may take a look inside the GuLoader malware configuration 10 seconds after its process starts.


Figure 2: GuLoader malware configuration

GuLoader execution process

The distribution method of GuLoader has changed over time, but its execution flow has remained fairly straightforward. The main purpose of GuLoader is to download the primary payload to the infected system. Upon starting, it checks whether it is running inside a virtual environment. If the check passes (no analysis environment is detected), it establishes a connection and downloads the payload. Once the payload is downloaded and executed, GuLoader stops.

Even if the loader did not connect to its C2 during analysis, you can always look at the extracted malware configuration to find out where GuLoader intends to fetch its payload from.

Read a detailed analysis of GuLoader in our blog.


Distribution of GuLoader

The distribution method of GuLoader is very typical. The loader is usually delivered as an Office document attachment in spam email campaigns. Once on the victim's machine, the document uses a macro to install the malicious program. Sometimes it is also delivered as an executable in a .rar archive.

During the pandemic, many campaigns exploited the fear surrounding Covid-19 by mentioning the virus. More recently, attackers have been using fake payment invoices. They will impersonate a bank and use social engineering to trick the victim into downloading an infected file to check “payment details.”

Conclusion

GuLoader is available as a service for a relatively low price, can be easily found on the clearnet, and comes with easy-to-follow instructions. No wonder, then, that its creators claim they already have over 5000 clients. Thanks to the combination of advanced evasion tricks and ease of use, we expect its popularity to continue to grow.

Thankfully, GuLoader is easily detectable in the ANY.RUN sandbox. It only takes a few minutes to launch an interactive emulation and identify the threat.
