GuLoader – a highly effective and versatile malware that can evade detection

February 15, 2023  |  Luke Song

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

This blog was jointly authored with Arjun Patel.

GuLoader is a malware downloader that is primarily used for distributing other shellcode and malware such as ransomware and banking Trojans. It was first discovered in the wild in late 2019 and has since become a popular choice among cybercriminals due to its effectiveness and ease of use. Researchers at cybersecurity firm CrowdStrike have recently published a technical write-up detailing the various techniques used by GuLoader to avoid detection.

One of the key features of GuLoader is its ability to evade detection by traditional security solutions. It uses several techniques to avoid being detected, including packing and encryption, as well as utilizing legitimate websites and services as command and control (C2) servers. It also employs advanced anti-debugging and anti-analysis techniques, which makes it difficult for security researchers to reverse engineer and analyze its code.

GuLoader is typically spread through phishing campaigns, where victims are tricked into downloading and installing the malware through emails or links containing a Visual Basic script file. It can also be distributed through other means, such as drive-by downloads, where the malware is delivered to a victim's computer through a web browser without the victim's knowledge.

GuLoader utilizes a three-stage process to deliver the final payload to the infected host. During the first stage, the VBScript dropper file gets downloaded into a registry key as a persistence mechanism and delivers a next-stage payload. The second stage payload performs anti-analysis checks before injecting shellcode into memory.

If these checks are successful, the shellcode then downloads the final payload from a remote server and executes it on the compromised host. The shellcode incorporates various anti-analysis and anti-debugging measures, including checks for the presence of a remote debugger and breakpoints, scans for virtualization software, and the use of a "redundant code injection mechanism" to avoid NTDLL.dll hooks implemented by endpoint detection and response (EDR) solutions.

encrypted payload

*encrypted final payload

NTDLL.dll API hooking is a technique used by anti-malware engines to detect and flag suspicious processes on Windows by monitoring APIs that are known to be abused by threat actors. The method involves using assembly instructions to invoke the necessary Windows API function to allocate memory and inject arbitrary shellcode into that location via process hollowing. GuLoader's "redundant code injection mechanism" is designed to avoid these NTDLL.dll hooks, making it more difficult for EDR solutions to detect and flag the malware.

One of the ways that GuLoader evades detection is through its use of legitimate websites and services such as C2 servers. This means that it uses websites that are not known to be malicious as a means of communicating with its command-and-control (C2) center. This can make it difficult for security researchers to identify the C2 servers being used by the malware, as they are not typically flagged as malicious.

In addition to its advanced evasion techniques, GuLoader is also highly customizable, which allows cybercriminals to tailor the malware to their specific needs. This includes the ability to change the appearance of the malware, as well as its behavior and functionality.

Also, GuLoader has also been observed using JavaScript malware strain RATDispenser to drop the malware via a Base64-encoded VBScript dropper. This allows the malware to bypass security measures and gain access to infected systems.

GuLoader has been used in high-profile attacks, including the Ryuk ransomware attack, which targeted government agencies and other large organizations. It has also been used in attacks on healthcare organizations, as well as in attacks targeting individuals and small businesses.

GuLoader is a highly effective and versatile malware that can evade detection and distribute a wide range of malicious payloads. With its exceptional ability to check for anti-analysis at every step of execution, the malware downloader can constantly bypass security checks and avoid being detected by some of the security solutions. Due to its capability to hide without being detected, it poses a significant threat to all levels of enterprises whether it’s small business or a large enterprise.

It is important for organizations to be vigilant in protecting their systems and data from this type of malware. This can be achieved by implementing a combination of various security tools such as Next Generation Firewall (NGFW), Security Information and Event Management (SIEM) and EDR and best security practices at each layer of the organization’s infrastructure.

GuLoader IoC

*IOC for GuLoader






About Perimeterwatch

PerimeterWatch gives you total control and management over your data. The rate of change on the internet, mobile, distributed processing and other technologies is- simply staggering. Failing to keep up can doom even a well-established organization, but bringing in these new capabilities without fully effective security procedures and systems can be equally disastrous.

What PerimeterWatch offers is a truly secure IT infrastructure. Whether that means a completely managed IT and security function or co-managing with your in-house people, we provide the security intelligence, the technical expertise and the implementation experience necessary to make sure your solutions solve your business problems – without simply creating new ones.


Share this with others

Featured resources



2024 Futures Report

Get price Free trial