Unveiling the Shadows: The Dark Alliance between GuLoader and Remcos

Botconf 2024
2024-04-25 | 12:05 – 12:35

Alexey Bukhteyev 🗣 | Arie Olshtein

In the ever-evolving landscape of cyber threats, seemingly legitimate tools have taken a dark turn, emerging as potent weapons in the hands of cybercriminals. Notable examples include the Remcos RAT and GuLoader (also known as CloudEyE Protector). Our recent study establishes a strong link between these dual-use agents. While Remcos is easily detected by antivirus solutions, which makes it harder to use for criminal purposes, GuLoader provides a means to bypass antivirus protection seamlessly.

GuLoader, recognized as a shellcode-based loader, helps malware evade antivirus defenses and uses cloud services to store its encrypted payloads. In 2020, we exposed a direct connection between GuLoader and CloudEyE Protector, which was initially presented as a legitimate software protection tool. Subsequently, CloudEyE advertisements nearly vanished from the web, prompting us to question whether CloudEyE Protector had reemerged under a new guise.

