Nearly impossible to detect: GuLoader weaponized against Russian organizations

The loader ingeniously bypasses security solutions and execution environments, including virtual machines and sandboxes
January 17, 2025

Slipping through the defenses enables GuLoader to load malware onto a compromised device.

During 2024, the BI.ZONE Threat Intelligence team recorded a number of email campaigns that targeted Russian organizations with the loader. The tool loaded a wide variety of malware onto victim devices: stealers, remote access trojans, and other programs. Before running the malware, GuLoader performed execution environment checks. These checks allowed the attackers to deploy the malware only on a real device rather than in a virtualized or sandboxed environment, and so to achieve their goals without being analyzed.

The adversaries tended to attack delivery, logistics, insurance, and pharma companies. The loader was spread via phishing emails posing as genuine and hence trustworthy correspondence from known enterprises: manufacturing, metallurgy, construction, postal, logistics, and others.

A phishing email contained an archive with a PE‑EXE (or, less commonly, VBS) executable. Once the victim ran the file, GuLoader would install itself on the device using the open‑source NSIS installer system (Nullsoft Scriptable Install System).

GuLoader stands out among the crowd. There are numerous evasion techniques and procedures within its code, both low‑level and high‑level. With such an extensive arsenal, attackers can avoid virtual machines, sandboxes, and other execution environments, not to mention corporate defenses. GuLoader is also capable of loading a great variety of malware. For instance, Remcos RAT, a malware-as-a-service remote access trojan. What is more, the loader can install FormBook and Agent Tesla stealers favored by many adversaries.
Oleg Skulkin
Head of BI.ZONE Threat Intelligence

While executing its code, GuLoader runs a series of anti-debugging, anti-virtualization, and anti-sandbox checks. In particular, the loader scans memory for strings typical of virtual machines, uses a vectored exception handler (VEH) together with the CPUID and RDTSC instructions for evasion, and enumerates and counts the windows present in the system. Once all the execution environment checks pass (no virtual machine or sandbox is detected) and debugging is ruled out, GuLoader fetches the malicious payload from a remote source. The payload is then decrypted and injected into a process address space for stealthy execution.

GuLoader commonly retrieves the payload from cloud services such as Google Drive, or from third‑party servers contacted directly by IP address or domain name, for example:

  • http://XX.XXX.198.142/%FILENAME%
  • https://XXX-professional.com.XX/%FILENAME%
  • https://drive.google.com/uc?export=download&id=%SOMESTRING%
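As an added defensive example that is not part of the BI.ZONE write-up, the following Python script triages constructed web-proxy log lines for the two payload-source patterns listed above: file downloads from a bare IPv4 address and Google Drive direct-download links (drive.google.com/uc?export=download&id=...). The log format, client IPs, file names and Drive IDs are assumptions made for the example.

```python
"""Triage of web-proxy log lines for GuLoader-style payload retrieval.

Added example, not BI.ZONE code. The log format and sample lines below are
constructed; the two URL patterns come from the write-up above.
"""
import ipaddress
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed log format: "<timestamp> <client_ip> <method> <url> <status>"
LOG_LINE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def classify_url(url: str) -> Optional[str]:
    """Return a tag for a suspicious payload source, or None if nothing matched."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    try:
        ipaddress.IPv4Address(host)
        return "raw-ip-download"  # like http://XX.XXX.198.142/%FILENAME%
    except ValueError:
        pass
    # Google Drive direct-download form, as opposed to the usual /file/d/<id>/view
    if host == "drive.google.com" and parts.path == "/uc":
        qs = parse_qs(parts.query)
        if qs.get("export") == ["download"] and "id" in qs:
            return "gdrive-direct-download"
    return None


def triage(lines):
    """Yield (client_ip, url, tag) for every log line matching a pattern."""
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        _ts, client, _method, url, _status = m.groups()
        tag = classify_url(url)
        if tag:
            yield client, url, tag


# Constructed sample log (documentation-range IPs, placeholder Drive ID)
SAMPLE_LOG = """\
2025-01-15T09:12:03Z 10.0.4.21 GET http://203.0.113.142/update.bin 200
2025-01-15T09:12:07Z 10.0.4.21 GET https://drive.google.com/uc?export=download&id=EXAMPLEID 200
2025-01-15T09:13:10Z 10.0.4.33 GET https://example.org/index.html 200
2025-01-15T09:14:22Z 10.0.4.33 GET https://drive.google.com/file/d/EXAMPLEID/view 200
"""

if __name__ == "__main__":
    for client, url, tag in triage(SAMPLE_LOG.splitlines()):
        print(f"{tag:24} {client:12} {url}")
```

Google Drive direct downloads are common in legitimate use, so treat these tags as correlation signals to pair with an archived PE-EXE or VBS attachment from the same host, not as stand-alone alerts.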

Crafted in 2019–2020, GuLoader has been upgraded by threat actors more than once, with its developer focused on improving the evasion capabilities.

Having the latest threat landscape data is crucial for resisting modern threats. Therefore, companies can benefit from portals such as BI.ZONE Threat Intelligence. Data feeds from these portals help to boost the effectiveness of corporate security solutions and accelerate incident response.