• Home
  • Vendor News
  • Threat Bulletin: Dissecting GuLoader’s Evasion Techniques

Threat Bulletin: Dissecting GuLoader’s Evasion Techniques

VMRay Logo 400x120Over the last couple of months, we observed a new downloader called GuLoader (also known as CloudEyE) that has been actively distributed in 2020. In contrast to prototypical downloaders, GuLoader is known to use popular cloud services such as Google Drive, OneDrive and Dropbox to host its encrypted payloads. So far we have seen that GuLoader is being used to deliver Formbook, NanoCore, LokiBot and Remcos among others.  


We’ve observed that GuLoader uses a combination of evasion techniques that evade sandboxes and slow down (manual) analysis. On June 6th, 2020 the developers of GuLoader informed the public that they have shut down their service (Figure 1). Despite the suspension of service, we anticipate other malware families will evolve and adapt some of these techniques in the near future. In this post, we will highlight GuLoader’s techniques with a focus on sandbox evasion and anti-analysis. ...read more!

Ectacom HQ Munich

ectacom GmbH
+49 8102 8952-0
Friedrich-Bergius-Str. 12
D-85662 Hohenbrunn


ectacom GmbH
+43 664 42 20 555
Am Europlatz 2
A-1120 Wien


+48 501 295 580
This email address is being protected from spambots. You need JavaScript enabled to view it.