The Latest Wave of GuLoader Campaigns

Since 2019, GuLoader has been active as a downloader, spreading through spam campaigns with malicious attachments. To evade detection, it typically downloads encrypted payloads from legitimate file-sharing services such as Google Drive or Microsoft OneDrive. Once installed, the malware attempts to establish persistence by modifying system settings, creating registry entries, and adding itself to startup items.
Since the beginning of 2025, the NJCCIC’s email security solution has observed multiple GuLoader campaigns alternately delivering Snake Keylogger and the Remcos remote access tool (RAT), which threat actors use to gain remote access, exfiltrate data, and deploy ransomware. The latest wave of GuLoader campaigns delivers Remcos RAT. The emails use themes such as new orders, quotations, purchase orders, invoices, product inquiries, scheduled shipments, packages out for delivery, and updated statements of account. They carry SCR executables or RAR, ZIP, or ARJ archives containing executables; when run, these execute GuLoader, which downloads and installs Remcos RAT. Once installed, Remcos RAT logs keystrokes both online and offline, captures video and pictures via the camera, records audio via the microphone, and more.
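The lure themes and attachment types above are the observables a mail-security team can act on. The following is an added example, not code from the NJCCIC or from any vendor product, of a simple attachment triage rule: it flags SCR and other executable attachments, opens ZIP archives in memory to look for executable members (by extension or by the "MZ" header), routes RAR and ARJ archives, which the standard library cannot parse, to a sandbox, and raises the verdict to quarantine when the subject also matches one of the advisory's lure themes. The executable extensions other than .scr, the keyword list's exact wording, and the sample messages are assumptions constructed for the demo.

```python
import io
import os
import zipfile

# Attachment types named in the advisory: SCR (a Windows screensaver, i.e. a
# PE executable) and RAR / ZIP / ARJ archives carrying an executable.
ARCHIVE_EXTS = {".rar", ".zip", ".arj"}
# .scr comes from the advisory; the other extensions are common executable
# types added here as an assumption so the rule is not bypassed by renaming.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Lure themes listed in the advisory, lower-cased for substring matching.
LURE_KEYWORDS = ("new order", "quotation", "purchase order", "invoice",
                 "product inquiry", "shipment", "out for delivery",
                 "statement of account")
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # do not inflate oversized (zip-bomb) members inline


def ext_of(name: str) -> str:
    """Last extension of a filename, lower-cased ('Invoice.PDF.SCR' -> '.scr')."""
    return os.path.splitext(name)[1].lower()


def looks_like_pe(data: bytes) -> bool:
    # Windows executables start with the "MZ" DOS header regardless of extension.
    return data[:2] == b"MZ"


def inspect_zip(name: str, data: bytes) -> list[str]:
    """Open a ZIP attachment in memory and report executable members."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if info.file_size > MAX_MEMBER_BYTES:
                    findings.append(f"{name}: member {info.filename} too large to inspect inline")
                    continue
                member = zf.read(info)
                if ext_of(info.filename) in EXECUTABLE_EXTS or looks_like_pe(member):
                    findings.append(f"{name}: archive contains executable {info.filename}")
    except zipfile.BadZipFile:
        findings.append(f"{name}: .zip extension but not a valid ZIP archive")
    return findings


def triage_message(subject: str, attachments: dict[str, bytes]) -> tuple[str, list[str]]:
    """Return (verdict, findings) for one message; verdict is allow/review/quarantine."""
    findings = []
    lure_theme = any(k in subject.lower() for k in LURE_KEYWORDS)
    for name, data in attachments.items():
        ext = ext_of(name)
        if ext in EXECUTABLE_EXTS or looks_like_pe(data):
            findings.append(f"{name}: executable attachment ({ext or 'no extension'})")
        elif ext == ".zip":
            findings.extend(inspect_zip(name, data))
        elif ext in ARCHIVE_EXTS:
            # RAR/ARJ need third-party tools; hand them to a sandbox rather than parse here.
            findings.append(f"{name}: {ext} archive, route to sandbox for detonation")
    if findings and lure_theme:
        verdict = "quarantine"
    elif findings:
        verdict = "review"
    else:
        verdict = "allow"
    return verdict, findings


def build_sample_zip(member_name: str, payload: bytes) -> bytes:
    # Constructed sample: builds an archive in memory so the demo runs offline.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def demo() -> dict[str, tuple[str, list[str]]]:
    """Run the rule over three constructed messages (not real samples)."""
    fake_pe = b"MZ" + b"\x00" * 62  # constructed stand-in for an executable header, not real code
    samples = {
        "lure_zip": ("RE: New Order - Quotation Request",
                     {"Order_4471.zip": build_sample_zip("Order_4471.pdf.scr", fake_pe)}),
        "lure_arj": ("Updated Statement of Account",
                     {"Statement.arj": b"\x60\xea" + b"\x00" * 30}),
        "benign": ("Team lunch on Friday",
                   {"menu.pdf": b"%PDF-1.4\n%constructed\n"}),
    }
    return {label: triage_message(subj, atts) for label, (subj, atts) in samples.items()}


if __name__ == "__main__":
    for label, (verdict, findings) in demo().items():
        print(f"{label}: {verdict}")
        for finding in findings:
            print("   ", finding)
```

The double extension in the sample (`.pdf.scr`) is caught because only the final suffix is consulted, and the "MZ" check catches an executable renamed to a harmless-looking extension inside the archive. In production this would sit behind the mail gateway's attachment hook, with the RAR/ARJ branch feeding a detonation sandbox rather than just a log line.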
Recommendations
Refrain from responding to unsolicited communications, clicking links, or opening attachments from unknown senders. Exercise caution with communications from known senders. Confirm requests from senders via contact information obtained from verified and official sources. Navigate to official websites by typing their URLs into the browser manually, and only submit account credentials and sensitive information on official websites. Use strong, unique passwords for all accounts and enable multi-factor authentication (MFA) where available, choosing authentication apps or hardware tokens over SMS-based codes. Keep systems up to date and apply patches after appropriate testing. Run updated and reputable anti-virus or anti-malware programs. Report malicious cyber activity to the FBI’s IC3 and the NJCCIC.