Cybercrime, Guloader is back via false purchase orders
Technical analysis by the Malware Hunter JAMESWT
New Guloader campaign via false purchase orders. The email's GZ attachment contains a password-protected zip (the password is not given in the message text) with an exe inside: the malware itself. However, it is not yet known what the next payload is.
Guloader is back in a new global campaign themed around purchase orders. The email carries a GZ attachment, which in turn contains an archive compressed in zip format, protected with the password “1” (not given in the message text).
Inside the zip is an executable file, the malware itself. Guloader has been used in the past to deliver different types of information stealers and remote access trojans, such as Agent Tesla / Origin Logger, FormBook, NanoCore RAT, Netwire RAT, Remcos RAT, Ave Maria / Warzone RAT and Parallax RAT. At the time of writing, however, it has not been possible to determine what the next-stage payload is.
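The GZ-in-ZIP-in-EXE nesting described above is itself a useful gateway signal, because the member names and the "encrypted" flag of a ZIP are readable from its central directory without the password. The following is an added example (not code from the article or from JAMESWT's analysis) that triages a .gz attachment for that pattern; the sample attachment it builds is constructed here, with a placeholder file name and a fake PE stub, and the encryption flag is patched into the headers by hand because Python's zipfile cannot write it.

```python
"""Triage a .gz mail attachment for the GZ -> password-protected ZIP -> EXE
layering used by this Guloader campaign. Added example, not from the article."""
import gzip
import io
import struct
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
EXEC_SUFFIXES = (".exe", ".scr", ".com", ".pif")
FLAG_ENCRYPTED = 0x0001  # general-purpose bit 0 in the ZIP headers


def triage_gz_attachment(gz_bytes: bytes) -> dict:
    """Return what a mail gateway would want to know about the attachment."""
    result = {"nested_zip": False, "encrypted": [], "executables": []}
    try:
        inner = gzip.decompress(gz_bytes)
    except (OSError, EOFError):
        return result  # not a gzip stream; other checks apply
    if not inner.startswith(ZIP_MAGIC):
        return result
    result["nested_zip"] = True
    with zipfile.ZipFile(io.BytesIO(inner)) as zf:
        for info in zf.infolist():
            # Names and the encryption flag live in the central directory,
            # so no extraction (and no password) is needed to see them.
            if info.flag_bits & FLAG_ENCRYPTED:
                result["encrypted"].append(info.filename)
            if info.filename.lower().endswith(EXEC_SUFFIXES):
                result["executables"].append(info.filename)
    return result


def is_suspicious(verdict: dict) -> bool:
    """Flag the exact combination seen in the campaign: zip inside gz,
    password-protected, carrying an executable."""
    return verdict["nested_zip"] and bool(verdict["encrypted"]) and bool(verdict["executables"])


def build_sample() -> bytes:
    """Constructed sample: gzip wrapping a ZIP whose only member is flagged
    as encrypted (placeholder name, fake 'MZ' stub, not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("purchase_order.exe", b"MZ" + b"\x00" * 62)
    data = bytearray(buf.getvalue())
    # Flags sit at offset 6 of the local header and offset 8 of the central
    # directory entry; set bit 0 in both so the member reads as encrypted.
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = data.find(sig)
        flags = struct.unpack_from("<H", data, pos + off)[0] | FLAG_ENCRYPTED
        struct.pack_into("<H", data, pos + off, flags)
    return gzip.compress(bytes(data))
```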