{
  "name": "Technical Analysis of GuLoader Obfuscation Techniques",
  "slug": "technical-analysis-of-guloader-obfuscation-techniques",
  "description": "GuLoader, a malware downloader active since 2019, primarily delivers RATs and information stealers. It employs sophisticated anti-analysis techniques, including polymorphic code for dynamic constant construction and complex exception-based control-flow obfuscation. The malware has evolved to handle multiple exception types, making its execution flow difficult to trace. GuLoader uses dynamic hashing, encrypted strings, and stack-based string encryption to conceal critical information. It often hosts payloads on trusted cloud services to bypass reputation-based detection. Its consistent development and updating of anti-analysis techniques suggest it will remain a significant threat in the future.",
  "published": "2026-02-09T18:07:10+00:00",
  "created_at": "2026-02-09T18:07:10+00:00",
  "modified_at": "2026-02-09T19:42:43+00:00",
  "created_at_opencti": "2026-02-09T18:07:10+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-02-09",
    "anti-analysis",
    "cloudeye",
    "downloader",
    "exception-handling",
    "guloader",
    "obfuscation",
    "payload-decryption",
    "polymorphic-code",
    "string encryption"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "53bad49e755725c8d041dfaa326e705a221cd9ac3ec99292e441decd719b501d"
      },
      {
        "id": "",
        "name": "0bcc5819a83a3ad0257a4fe232e7727d2f3d04e6f74c6d0b9e4dfe387af58067"
      },
      {
        "id": "",
        "name": "4be24d314fc9b2c9f8dbae1c185e2214db0522dcc480ba140657b635745e997b"
      },
      {
        "id": "",
        "name": "274329db2d871d43eed704af632101c6939227d36f4a04229e14603f72be9303"
      },
      {
        "id": "",
        "name": "7fccb9545a51bb6d40e9c78bf9bc51dc2d2a78a27b81bf1c077eaf405cbba6e9"
      },
      {
        "id": "",
        "name": "90de01c5ff417f23d7327aed517ff7f285e02dfe5dad475d7f13aced410f1b95"
      }
    ],
    "malware": [
      {
        "id": "cafe3417-bbcf-4b6c-aa87-c8ed210f357a",
        "name": "GuLoader - S0561",
        "slug": "guloader-s0561"
      },
      {
        "id": "legacy:malware:10ad9d7cf50be592",
        "name": "CloudEye",
        "slug": "cloudeye"
      }
    ],
    "attack_patterns": [
      {
        "id": "8634c845-2e3a-4ea5-a9a3-6f694468408c",
        "name": "T1027.001"
      },
      {
        "id": "32817170-4c07-427e-b8a5-80a733ae2550",
        "name": "T1497"
      },
      {
        "id": "93b2c4dd-5523-4464-8976-78754ee372fd",
        "name": "T1012"
      },
      {
        "id": "a72ebeae-8e62-4039-8135-e9c611011fdc",
        "name": "T1573"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "50514c04-b3a2-4abf-a855-e3a434200c87",
        "name": "T1204"
      },
      {
        "id": "6b2e0999-c7e8-4662-94ac-19aa8520ee46",
        "name": "T1059.003"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      },
      {
        "id": "14660ccf-ca6b-42f6-8bca-e1b7a04650b3",
        "name": "T1573.001"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "e1b18ecf-d74e-4fe6-9bd4-ca6a62e7d818",
        "name": "T1027.002"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      }
    ]
  },
  "external_refs": [
    "https://www.zscaler.com/blogs/security-research/technical-analysis-guloader-obfuscation-techniques",
    "https://otx.alienvault.com/pulse/698a305eefc650b47e53932a"
  ]
}