AhnLab cybersecurity researchers: the malware is downloaded and executed by a WSF script contained in a compressed archive, which victims reach through a URL in phishing emails.
TheProtect is the fake name under which Remcos RAT and GuLoader are sold. Check Point cybersecurity researchers: EMINэM offers the malware on BreakingSecurity and VgoStore as a legitimate "runtime FUD" encryption tool.
TheProtect is the fake name under which Remcos RAT and GuLoader are sold as legitimate software on the BreakingSecurity and VgoStore websites. The two sites and their respective Telegram channels are administered by a person who calls himself EMINэM. This was discovered by Check Point cybersecurity researchers. Nominally, TheProtect is a "runtime FUD" (fully undetectable) encryption tool, but in reality it contains a VBS file or an LNK (NSIS executable) that downloads the loader. The loader then contacts a URL and downloads the final malware. Furthermore, the cybercrime actor, whom the researchers have identified, has also distributed other malicious payloads in the past, such as Formbook and Amadey.