Guloader Malware Being Disguised as Employee Performance Reports
Jan. 9, 2026, 9:36 a.m.
Description
ASEC discovered Guloader malware being distributed through phishing emails masquerading as employee performance reports. The emails, claiming to be about October 2025 performance, contain a RAR file with an NSIS executable named 'staff record pdf.exe'. This file is actually Guloader malware, which downloads and executes shellcode from a Google Drive URL. The final payload is Remcos RAT, enabling threat actors to perform various malicious remote control activities, including keylogging, screenshot capture, webcam and microphone control, and browser data extraction. The attackers are increasingly using legitimate platforms as C2 servers, making detection more challenging. Users are advised to exercise caution when opening emails from unknown sources and to change passwords regularly to prevent secondary damage.
Date
- Created: Jan. 8, 2026, 6:12 p.m.
- Published: Jan. 8, 2026, 6:12 p.m.
- Modified: Jan. 9, 2026, 9:36 a.m.
Indicators
- 65496ed2388a570f4b62f1562297292e38ee99069f558b70025ebaf84aab6b81
- 196.251.116.219