ASEC discovered Guloader malware being distributed through phishing emails masquerading as employee performance reports. The emails, claiming to be about October 2025 performance, contain a RAR file with an NSIS executable named 'staff record pdf.exe'. This file is actually Guloader malware, which downloads and executes shellcode from a Google Drive URL. The final payload is Remcos RAT, enabling threat actors to perform various malicious remote control activities, including keylogging, screenshot capture, webcam and microphone control, and browser data extraction. The attackers are increasingly using legitimate platforms as C2 servers, making detection more challenging. Users are advised to exercise caution when opening emails from unknown sources and to change passwords regularly to prevent secondary damage.