Technical Analysis of GuLoader Obfuscation Techniques

Feb. 9, 2026, 8:42 p.m.

Description

GuLoader, a malware downloader active since 2019, primarily delivers RATs and information stealers. It employs sophisticated anti-analysis techniques, including polymorphic code that constructs constants dynamically at runtime and complex exception-based control-flow obfuscation. The malware has evolved to handle multiple exception types, which makes tracing its execution flow difficult. GuLoader conceals critical information using dynamic API hashing, encrypted strings, and stack-based string encryption. It often hosts its payloads on trusted cloud services to evade reputation-based detection. GuLoader's continuous development and updating of its anti-analysis techniques suggest it will remain a significant threat.

Date

  • Created: Feb. 9, 2026, 7:07 p.m.
  • Published: Feb. 9, 2026, 7:07 p.m.
  • Modified: Feb. 9, 2026, 8:42 p.m.

Indicators


Attack Patterns