Cybersecurity threats continue to evolve, with attackers using increasingly creative social engineering techniques to target organizations.
A recent threat has emerged involving the GuLoader malware, which is being disguised as employee performance reports to trick users into downloading and executing malicious files.
This sophisticated attack vector exploits human trust and workplace familiarity to distribute dangerous malware that can compromise sensitive company data and personal information.
The attack begins with a phishing email claiming to contain an October 2025 employee performance report.
Phishing email body (Source – ASEC)
The email uses urgency tactics, mentioning potential employee dismissals to prompt recipients to open the attachment.
This psychological manipulation increases the likelihood that users bypass their security awareness and open what appears to be a legitimate business document.
The deceptive nature of this campaign makes it particularly dangerous, as it targets the intersection of workplace communication and security vulnerability.
ASEC analysts and researchers noted that the attached file is a RAR compressed archive containing an NSIS executable disguised as “workers report pdf.exe”.
If users have file extensions hidden in their operating system settings, this executable appears to be a standard PDF document.
Inside the attached compressed file (Source – ASEC)
Once executed, the malware initiates a multi-stage infection process designed to evade detection and establish persistent access to the victim’s system.
The Multi-Stage Infection Mechanism
Understanding how GuLoader operates reveals the sophisticated nature of this attack.
When the executable runs, it connects to a remote server and downloads encrypted shellcode from a Google Drive URL, specifically “hxxps://drive.google[.]com/uc?export=download&id=1bzvByYrlHy240MCIX7Cv41gP9ZY3pRsgv”, retrieving a file named “EMvmKijceR91.bin”.
The downloaded shellcode is then injected directly into the system’s memory, allowing the malware to run without writing files to disk.
This memory-only execution technique makes detection significantly harder for traditional security solutions that rely on file-based scanning.
The final payload delivered by GuLoader is Remcos RAT, a remote access trojan that gives attackers comprehensive control over infected systems.
C2 information of Remcos RAT (Source – ASEC)
Remcos enables threat actors to perform keylogging, capture screenshots, control webcams and microphones, and extract browser histories along with saved passwords.
The malware communicates with command and control servers located at “196.251.116[.]219” on ports 2404 and 5000, establishing a persistent connection for ongoing unauthorized access.
Organizations should implement email filtering rules to block suspicious attachments, disable file extension hiding on user systems, and deploy advanced endpoint detection and response solutions to identify and block this threat at multiple stages of the attack chain.
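Two checks a defender can build from the indicators described above, written as an added example that is not code from the article or from ASEC: flagging attachment names that dress an executable up as a document (the “pdf.exe” trick works because Explorer hides the real extension), and matching outbound connections against the Remcos C2 address and ports quoted in the text. The firewall log format and the sample log lines are constructed for this example.

```python
import re
from typing import List, Tuple

# Extensions Windows executes even when Explorer hides them behind a document-looking name.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Document-style tokens a lure may plant right before the real extension.
DOC_TOKENS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt"}
# Remcos C2 endpoints quoted in the article, kept defanged and refanged only when matching.
C2_ENDPOINTS = {("196.251.116[.]219", 2404), ("196.251.116[.]219", 5000)}
# Hypothetical firewall log format (constructed for this example): "... dst=IP dport=PORT ..."
LOG_LINE = re.compile(r"\bdst=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+dport=(?P<port>\d+)")

def is_disguised_executable(name: str) -> bool:
    """Flag executables dressed up as documents: 'report.pdf.exe' or, as in this
    campaign, 'workers report pdf.exe' (a space, so the hidden .exe is the only extension)."""
    lower = name.strip().lower()
    if "." not in lower:
        return False
    stem, ext = lower.rsplit(".", 1)
    if "." + ext not in EXECUTABLE_EXTS:
        return False
    # Only the last token before the real extension counts, to limit false positives.
    tokens = [t for t in re.split(r"[.\s_-]+", stem) if t]
    return bool(tokens) and tokens[-1] in DOC_TOKENS

def find_c2_hits(log_lines: List[str]) -> List[Tuple[str, int]]:
    """Return (ip, port) for each log line that reaches a known C2 endpoint."""
    wanted = {(ip.replace("[.]", "."), port) for ip, port in C2_ENDPOINTS}
    hits = []
    for line in log_lines:
        m = LOG_LINE.search(line)
        if m and (m.group("ip"), int(m.group("port"))) in wanted:
            hits.append((m.group("ip"), int(m.group("port"))))
    return hits

# Constructed sample log lines, not taken from the article or from ASEC.
SAMPLE_LOG = [
    "2025-10-14T09:12:01Z fw allow src=10.0.0.25 dst=196.251.116.219 dport=2404 proto=tcp",
    "2025-10-14T09:12:03Z fw allow src=10.0.0.25 dst=142.250.74.46 dport=443 proto=tcp",
    "2025-10-14T09:12:09Z fw allow src=10.0.0.25 dst=196.251.116.219 dport=5000 proto=tcp",
    "2025-10-14T09:13:00Z fw allow src=10.0.0.31 dst=196.251.116.219 dport=80 proto=tcp",
]

if __name__ == "__main__":
    print(is_disguised_executable("workers report pdf.exe"))  # True
    print(find_c2_hits(SAMPLE_LOG))  # [('196.251.116.219', 2404), ('196.251.116.219', 5000)]
```

The port-80 line is left out on purpose: matching on address and port keeps the hit list high-confidence, and matching on the address alone is a one-line change if a broader sweep is wanted.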
