Date: 02/12/2026
Severity: Medium
Summary
GuLoader (also known as CloudEye) is a highly obfuscated malware family first identified in December 2019. It primarily functions as a downloader for Remote Access Trojans (RATs) and information stealers. Threat actors often host its payloads on legitimate platforms like Google Drive and OneDrive to evade detection. The malware uses advanced anti-analysis techniques to hinder investigation. These include polymorphic code that dynamically builds constants and strings at runtime. It also leverages complex exception-based control flow obfuscation to conceal its true behavior.
Indicators of Compromise (IOC) List
Hash (SHA-256):
90de01c5ff417f23d7327aed517ff7f285e02dfe5dad475d7f13aced410f1b95
274329db2d871d43eed704af632101c6939227d36f4a04229e14603f72be9303
4be24d314fc9b2c9f8dbae1c185e2214db0522dcc480ba140657b635745e997b
0bcc5819a83a3ad0257a4fe232e7727d2f3d04e6f74c6d0b9e4dfe387af58067
7fccb9545a51bb6d40e9c78bf9bc51dc2d2a78a27b81bf1c077eaf405cbba6e9
53bad49e755725c8d041dfaa326e705a221cd9ac3ec99292e441decd719b501d
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1:
sha256hash IN ("90de01c5ff417f23d7327aed517ff7f285e02dfe5dad475d7f13aced410f1b95","7fccb9545a51bb6d40e9c78bf9bc51dc2d2a78a27b81bf1c077eaf405cbba6e9","274329db2d871d43eed704af632101c6939227d36f4a04229e14603f72be9303","4be24d314fc9b2c9f8dbae1c185e2214db0522dcc480ba140657b635745e997b","0bcc5819a83a3ad0257a4fe232e7727d2f3d04e6f74c6d0b9e4dfe387af58067","53bad49e755725c8d041dfaa326e705a221cd9ac3ec99292e441decd719b501d")
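The same hash-match logic as the detection query above, run offline in Python over constructed endpoint events; this is an added example, not Gurucul's own code. The JSON event format and field names are assumptions, and the hash field is normalized to lowercase so that a log source emitting uppercase digests is not missed.

```python
import hashlib
import json

# SHA-256 IOCs from the advisory above (lowercase, as the detection query lists them).
GULOADER_SHA256 = {
    "90de01c5ff417f23d7327aed517ff7f285e02dfe5dad475d7f13aced410f1b95",
    "274329db2d871d43eed704af632101c6939227d36f4a04229e14603f72be9303",
    "4be24d314fc9b2c9f8dbae1c185e2214db0522dcc480ba140657b635745e997b",
    "0bcc5819a83a3ad0257a4fe232e7727d2f3d04e6f74c6d0b9e4dfe387af58067",
    "7fccb9545a51bb6d40e9c78bf9bc51dc2d2a78a27b81bf1c077eaf405cbba6e9",
    "53bad49e755725c8d041dfaa326e705a221cd9ac3ec99292e441decd719b501d",
}

# Constructed sample events, one JSON object per line; field names are assumptions.
SAMPLE_EVENTS = r"""
{"host": "ws-01", "file": "C:\\Users\\a\\invoice.exe", "sha256hash": "90DE01C5FF417F23D7327AED517FF7F285E02DFE5DAD475D7F13ACED410F1B95"}
{"host": "ws-02", "file": "C:\\Windows\\notepad.exe", "sha256hash": "0000000000000000000000000000000000000000000000000000000000000000"}
{"host": "ws-03", "file": "C:\\Temp\\setup.exe", "sha256hash": "53bad49e755725c8d041dfaa326e705a221cd9ac3ec99292e441decd719b501d"}
{"host": "ws-04", "file": "C:\\Temp\\x.exe"}
"""

def normalize_sha256(value):
    """Lowercase and strip a hash string; return None unless it is 64 hex characters."""
    if not isinstance(value, str):
        return None
    v = value.strip().lower()
    return v if len(v) == 64 and all(c in "0123456789abcdef" for c in v) else None

def find_ioc_matches(events_text, iocs=GULOADER_SHA256):
    """Equivalent of `sha256hash IN (...)`: return the events whose hash is a known IOC."""
    matches = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        digest = normalize_sha256(event.get("sha256hash"))  # missing field -> None
        if digest in iocs:
            matches.append(event)
    return matches

def file_matches_ioc(path, iocs=GULOADER_SHA256):
    """Hash a local file in chunks and check the digest against the IOC set."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest() in iocs
```

Running find_ioc_matches(SAMPLE_EVENTS) flags ws-01 (uppercase digest) and ws-03; the event without a hash field and the unknown digest produce no match.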
Reference:
https://www.zscaler.com/blogs/security-research/technical-analysis-guloader-obfuscation-techniques#introduction