GuLoader is a file downloader that has been used since at least December 2019 to distribute a variety of remote administration tool (RAT) malware, including NETWIRE.[1]

ID: S0561
Platforms: Windows
Version: 1.0
Created: 11 January 2021
Last Modified: 20 April 2021

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

GuLoader can use HTTP to retrieve additional binaries.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

GuLoader can establish persistence via the Registry under HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce.[1]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

GuLoader can delete its executable from the AppData\Local\Temp directory on the compromised host.[1]

Enterprise T1566 .002 Phishing: Spearphishing Link

GuLoader has been spread in phishing campaigns using malicious web links.[1]

Enterprise T1204 .001 User Execution: Malicious Link

GuLoader has relied upon users clicking on links to malicious documents.[1]

.002 User Execution: Malicious File

The GuLoader executable has been retrieved via embedded macros in malicious Word documents.[1]