29f16ac2cc3fcf319079557aa787e158 #GuLoader
Added more indicators for: Storm-2603 ( 1), Sliver ( 1), ValleyRAT ( 1), XWorm ( 1), GuLoader ( 1), Evilginx ( 2) and DCRat ( 2). vuldb.com/actor #apt #cti #ioc
We have added indicators: Xtreme RAT ( 1), Tsunami ( 1), SectopRAT ( 1), Gamaredon ( 2), Gafgyt ( 3), GuLoader ( 1) and AdaptixC2 ( 1). vuldb.com/actor #apt #cti #ioc
Golden Week homework(?): I wrote up a quick explanation of how the VEH-based obfuscation used in GuLoader works and the key points for analyzing it. medium.com/@sachiel-archange… ... Wait, wasn't I supposed to be writing a paper for Security Summer Summit 2026? (escaping reality)
Apr 25
1/5 CyberShield Series 🦅🔥 CAC BREACH JUST LEAKED MILLIONS OF COMPANY RECORDS

Your ship. Your business. Your future. All on the dark web RIGHT NOW. ⚠️ Hackers ByteToBreach breached CAC systems. 25 million documents. 750GB of Nigerian company data stolen. Demanding ransom. NDPC is investigating. Lawyers are sounding the alarm. Seafarers & maritime pros, this is NOT just govt stuff. Most shipping companies, crewing agencies, and vessel operators are registered here. Your BV, ship docs, director details, addresses… gone.

Me vs Reality: You think your company is safe. Hackers already have your data and are crafting spear-phishing for your next port call.

2/5 Why this hits seafarers hard
- Fake companies can be created with your stolen data, leading to port fraud, cargo theft, insurance scams.
- Credential stuffing attacks on your banking/shipping portals (already rising in Nigeria).
- Ransomware groups targeting ports & maritime just got your blueprint.
Maritime cyber incidents already jumped 103% last year. Human error / credential theft is the #1 vector now. This breach just supercharged it.

3/5 Shield Actions — Do these TODAY
1. Change EVERY password linked to your CAC/company accounts. Use passkeys / MFA everywhere.
2. Monitor your company: watch out for suspicious filings or director changes on the CAC portal.
3. Alert your crew/agency: warn them against any "HR update" or "CAC verification" emails. GuLoader phishing is targeting vessels right now.
4. Separate IT/OT: never use company WiFi or emails on ship critical systems.
5. Report & freeze: if you're a director, contact CAC/NDPC immediately and freeze high-risk accounts.

4/5 Real talk: In 2026, your ship isn't just floating, it's a connected target. One leaked CAC record = one deepfake captain or voice-cloned call diverting your vessel. We've seen GNSS spoofing, ransomware on ports, and now local breaches feeding international crime. This is why CyberShield exists. Awareness = survival at sea.

5/5 Reply below RIGHT NOW
- Has your company been affected by the CAC breach?
- What's the scariest maritime cyber risk you've seen in Nigeria?
- RT if you're a seafarer, ship owner, or port worker; we protect our own.
Tag a fellow maritime pro. Share this with your crew. Stay vigilant. Stay shielded. #CyberShield #StayVigilant #MaritimeSecurity 🦅⚓🔐
Apr 24
CyberShield Series 🦅🔥 — Friday Meme Edition 😂

Me vs Reality: Password Cheating Style

Image Layout (split panel):
- Left: Cool guy with girlfriend "Strong Password Manager".
- Right: Same guy sneaking off with "Password123" while a CAC breach alert pops up. Angry Naija babe side-eyeing hard.

Me in 2026: Strong unique password, password manager, MFA on CAC portal 🛡️
Me turning around: "123456" wey I dey use since secondary school for everything: BVN, email, company filing 😂
Reality (Angry Girlfriend): CAC don breach, your company documents don enter market, bank alert dey enter!

Moral of the Meme: Reusing passwords na straight cheating on your own data. After this CAC ransomware matter, no more "Oga, my password na my mama name." Commit to unique strong passphrases and a manager before one stuffing attack finish your accounts.

Shield Tip: Never click "update your CAC details" links. Go direct to the official portal.

Be honest 👇 How many accounts still dey share that your "special" password? Drop the number only 😂 #CyberShield #CyberMeme #CyberSecurityFriday 🔐
Low detected BAT from Hungary, came from a Tax and Customs related malspam. '25SZJA tervezet elérhetősége_a·pdf.bat' @abuse_ch bazaar.abuse.ch/sample/78a02… Looks like a #Guloader I know, boring...
Six-stage injection chain. A 10-day-old self-signed cert. Danish-language lures inside a freshly deployed GuLoader NSIS dropper. The sample killed itself in every sandbox — anti-VM checks fired before a single C2 packet left. Static analysis did not care. We reconstructed the full injection chain anyway and extracted the shellcode decryption key straight from the binary. Payload families in scope: AgentTesla, Formbook, Remcos. intel.breakglass.tech/post/g… Sample via @abuse_ch #GuLoader #AgentTesla #Formbook #Remcos
Ok, we get it, LLMs can reverse malware. But I'd love to see a full analysis (similar to what Check Point has done with XLoader) of SmokeLoader, GuLoader, POORTRY, FlawedGrace or Nymaim. Not just toy malware.
This person put more work into it than I expected; don't feel like looking at these files and fucking with VMProtect. Based on IOCs (mutex name, VMProtect, methods of obfuscation) it smells like GuLoader. zscaler.com/blogs/security-r…
I find that and GuLoader terrifying 😂
Feb 26
🚨 Alert: Covert payload delivery through alternative object storage platforms

🔬 Report: vmray.com/analyses/covert-pa…

📦 In a newly observed attack chain, threat actors have started exploiting lesser known object storage platforms like cubbit[.]io or ufs[.]sh as disposable payload safehouses.

🥷 The chain starts off with an obfuscated VBScript, unfolding into an obfuscated PowerShell downloader. The PS1 script downloads a seemingly harmless image file, pulled from one of these object storage platform providers. Using simple steganography, a Base64 .NET Injector payload is concealed as appended bytes at the end of the image file. The smuggled .NET Injector is then reflectively loaded into RegAsm.exe and a final Agent Tesla payload is downloaded. This attack chain shows how modern delivery chains are constantly looking for alternative platforms to host and conceal their payload.

🔎 Key takeaways:
- VBS → PS1 → GuLoader / Image (steganography) → .NET Assembly → Payload on cubbit[.]eu → RegAsm.exe → Agent Tesla
- Initial VBScript utilized junk code, Base64 obfuscation, word slicing, reverse string, and character substitution
- Dropped PowerShell script (Base64 encoded) uses character replacement to thwart static analysis
- Downloads a payload (usually GuLoader) from hosting site ufs[.]sh
- Pulls an image file from firebasestorage.googleapis[.]com, which has a Base64 blob at the end (steganography)
- PowerShell parses the Base64 blob, decodes it and uses Reflection.Assembly to load the revealed executable (protected with SmartAssembly)
- Dynamically locates a method named 'runss' on a type called 'Homees', invokes it with a remote payload hosted on cubbit[.]io
- Injects the remote payload (Agent Tesla) into RegAsm.exe

🧬 IoCs:
- 1c216dc51330c5f56cc37f7e37b3516e57b172bd83f787788f80dcdb88b5545b
- hxxps://firebasestorage.googleapis[.]com/v0/b/remasd-6c702.firebasestorage.app/o/image.jpg?alt=media&token=b9d8bf3e-b1eb-4c56-9434-d4af570d4a91
- hxxps://au72nuxzv2.ufs[.]sh/f/4LhV5B1sDCwIrgzpCwYKXE4gwWVSzU8Dck1rs5tJYqhnmpx6
- hxxps://zip1.s3.cubbit[.]eu/SCANNED COPIES OF FINAL CONTRACT PDFupload.txt
Phantom Stealer has been prominent across phishing campaigns over the past two weeks. Operationally interesting to me is that it's not just an infostealer. It also acts as an initial access broker, dropping GuLoader for follow-on activity, and I've seen it deploy crypto miners as well.

Exfiltration via Telegram bot API, where PhantomStealer packages victim data as JSON and POSTs directly:
• Browser credentials, cookies, saved passwords
• System metadata (OS, username, antivirus status)
• Network reconnaissance (gateway/internal/external IPs)

I'm using TelePeek.com to monitor the receiving interface (screenshot shows operator's dashboard). The victim profile is concerning, with government employees and enterprise users in high-level organizations...

Hunt for this by looking at:
• Chrome/Edge running on servers where they shouldn't be
• Browser profile directory access by non-browser processes
• Outbound HTTPS to api.telegram.org from unexpected executables
• Startup persistence under AppData or ProgramData without operational justification
Feb 16
A Japanese-language email carrying malware has been confirmed.
■ Date: 2026/02/16
■ Subject: Notice regarding cargo arrival and demurrage charges (original: 貨物到着およびデマレージ発生に関するお知らせ)
■ Attachments: AWB No_9G8858, AWB No_9B009177, HAWB No_ 9G88559.gz->exe
virustotal.com/gui/file/b50d… tria.ge/260216-ms5kcsbz2b/be… #Guloader #Remcos
■ C2: 198.46.173[.]31:2404

[2026/02/16] Alert regarding mass-mailed attack emails written in Japanese (Guloader, Remcos RAT) ift.tt/rTcO4g5
This week’s ThreatsDay bulletin nails how attackers are sticking with quiet misuse of trusted tools for long-term access. Solid breakdowns from @TeamT5_Official (Taiwan APT surge), @cyfirma (LTX & Telegram hijacks), @zscaler (Marco & GuLoader), @HuntressLabs (RMM abuse), @bitdefender (data-theft ransomware), @LayerXSec (Claude RCE), @GreyNoiseIO (Telnet drop), @TalosSecurity (VoidLink), @TenableSecurity (Looker flaws), @Malwarebytes (trojanized 7-Zip).
🔥 This week’s #ThreatsDayBulletin tracks intrusion tactics spreading across AI tools, enterprise apps, cloud, and vehicles. Pattern: quiet access → expanded through trusted systems. • 🤖 Prompt abuse → code exec • 🧩 Loaders → staged malware • ☁️ OAuth/cloud misuse • 🛠️ Enterprise RCEs • 🚗 Auto zero-days 🔗 Full threat roundup → thehackernews.com/2026/02/th…
#ThreatProtection #Guloader #malware always evolving, read more about Symantec's protection: broadcom.com/support/securit…