Zscaler ThreatLabz has released a deep-dive analysis of GuLoader, also known as CloudEye, detailing how the long-standing malware family is evolving to outpace defenders. First observed in late 2019, GuLoader has become a staple in the cybercrime world, primarily serving as a delivery vehicle for other malicious payloads such as remote access Trojans and information stealers.
The report highlights GuLoader’s increasing reliance on complex obfuscation techniques, making it a nightmare for security analysts to reverse‑engineer. One of its signature moves is hiding in plain sight by leveraging legitimate cloud platforms such as Google Drive and OneDrive to evade reputation-based detection, according to Zscaler ThreatLabz; the download traffic then looks like normal user activity to many security filters.
It also uses polymorphic code to construct constant and string values dynamically at runtime, and employs exception-based control flow obfuscation to make the execution path hard to follow. The payload is fetched from a URL that is itself stored encrypted, and the downloaded payload is in turn encrypted and decrypted with a hardcoded XOR key. Despite being over five years old, GuLoader shows no signs of slowing down.
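As an added, defender-side illustration of the XOR scheme described above (this is analyst tooling written for this summary, not Zscaler's analysis code and not anything from the malware), the following recovers a repeating XOR key from an encrypted payload blob using known plaintext from the PE DOS header, then validates the result structurally. The key length, the DOS header bytes and the sample blob are assumptions constructed for the example.

```python
"""Added analyst helper: recover a repeating XOR key from an encrypted payload
using known plaintext (the PE DOS header), then verify the decrypted result.
Assumptions: the key repeats, it is no longer than half the known prefix,
and the decrypted payload is a PE file starting at offset 0."""
import struct

# Typical first 16 bytes of a PE/DOS header (MZ magic followed by common stub fields).
KNOWN_DOS_PREFIX = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; XOR is its own inverse, so this decrypts too."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """Cheap structural check: MZ magic and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_xor_key(blob: bytes, known: bytes = KNOWN_DOS_PREFIX):
    """Try key lengths that leave at least one full repetition to verify against.
    Returns (key, decrypted) for the first candidate yielding a plausible PE, else None.
    Note: zero bytes in the known header leak the key bytes at those offsets directly."""
    for klen in range(1, len(known) // 2 + 1):
        candidate = bytes(c ^ p for c, p in zip(blob[:klen], known[:klen]))
        if xor_bytes(blob[:len(known)], candidate) != known:
            continue
        decrypted = xor_bytes(blob, candidate)
        if looks_like_pe(decrypted):
            return candidate, decrypted
    return None


def build_constructed_sample(key: bytes) -> bytes:
    """Constructed test input: a minimal fake PE image, XOR-encrypted with `key`."""
    header = bytearray(0x80)
    header[:16] = KNOWN_DOS_PREFIX
    struct.pack_into("<I", header, 0x3C, 0x80)  # e_lfanew -> PE signature at 0x80
    image = bytes(header) + b"PE\x00\x00" + b"\x00" * 20 + b"constructed-sample-body"
    return xor_bytes(image, key)


if __name__ == "__main__":
    sample = build_constructed_sample(b"\x5a\xc3\x19\x77\x0e")  # constructed 5-byte key
    result = recover_xor_key(sample)
    print("recovered key:", result[0].hex() if result else None)
```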