{"id":20896,"date":"2023-09-07T10:42:14","date_gmt":"2023-09-07T08:42:14","guid":{"rendered":"https:\/\/www.defencetech.it\/?p=20896"},"modified":"2025-06-10T10:05:39","modified_gmt":"2025-06-10T08:05:39","slug":"guloader-distributes-remcos-first-part-malware-analysis-report","status":"publish","type":"post","link":"https:\/\/tinextadefence.it\/en\/guloader-distributes-remcos-first-part-malware-analysis-report\/","title":{"rendered":"GuLoader distributes Remcos - Part 1 - Malware Analysis Report"},"content":{"rendered":"<p>Since the beginning of 2023, there have been many malicious campaigns involving GuLoader, a sophisticated shellcode-based downloader capable of evading detection by traditional anti-malware solutions (including sandbox analysis) through advanced evasion and encryption techniques.<\/p>\r\n\r\n\r\n\r\n<p>In the various campaigns involving GuLoader, distribution usually took place via phishing e-mails.<\/p>\r\n\r\n\r\n\r\n<p>Users were induced to open an attached PDF file, which redirected them to a cloud platform where a ZIP file containing the malicious executable was available for download.<\/p>\r\n\r\n\r\n\r\n<p>In today's report, we analyse a GuLoader sample intercepted by our Malware Lab, describing its initial stages and the evasion techniques it uses before downloading its final payload, an executable of the Remcos malware.<\/p>\r\n\r\n\r\n\r\n<p>The analysis of the Remcos payload will be covered in the second part of the report.<\/p>\r\n\r\n\r\n\r\n<p>If you wish to learn more, here is the link to our <strong><a href=\"https:\/\/tinextadefence.it\/wp-content\/uploads\/2025\/03\/Report-GuLoader-deploys-Remcos-1.pdf\">full report<\/a><\/strong>.<\/p>\r\n<p>In addition, you can subscribe to the <b>Cyber Studios by Tinexta Defence<\/b> mailing list to receive updates on upcoming research: <a href=\"https:\/\/tinextadefence.it\/en\/cyber-studios-mailing-list\/\">https:\/\/tinextadefence.it\/en\/cyber-studios-mailing-list\/<\/a><\/p>","protected":false},"excerpt":{"rendered":"<p>Since the beginning of 2023, there have been many malicious campaigns involving GuLoader, a sophisticated shellcode-based downloader capable of evading detection by traditional anti-malware solutions (including sandbox analysis) through advanced evasion and encryption techniques. In the various campaigns involving GuLoader, distribution usually took place via phishing e-mails [&hellip;]<\/p>","protected":false},"author":2,"featured_media":26257,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[102],"tags":[110],"class_list":["post-20896","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-tinextadefencebusiness","tag-articoli"],"acf":[],"yoast_head_json":{"title":"GuLoader distributes Remcos - Part 1 - Malware Analysis Report - Tinexta Defence","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/tinextadefence.it\/en\/guloader-distributes-remcos-first-part-malware-analysis-report\/","og_locale":"en_GB","og_type":"article","og_title":"GuLoader distributes Remcos \u2013 Part 1 - Malware Analysis Report - Tinexta Defence","og_description":"Since the beginning of 2023, there have been many malicious campaigns involving GuLoader, a sophisticated shellcode-based downloader capable of evading detection by traditional anti-malware solutions (including sandbox analysis) through advanced evasion and encryption techniques. In the various campaigns involving GuLoader, distribution usually took place via phishing e-mails [&hellip;]","og_url":"https:\/\/tinextadefence.it\/en\/guloader-distributes-remcos-first-part-malware-analysis-report\/","og_site_name":"Tinexta Defence","article_published_time":"2023-09-07T08:42:14+00:00","article_modified_time":"2025-06-10T08:05:39+00:00","og_image":[{"width":1200,"height":640,"url":"https:\/\/tinextadefence.it\/wp-content\/uploads\/2025\/03\/Tinexta_Defence_evidenza_articolo.jpg","type":"image\/jpeg"}],"author":"Simone Sorte","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Simone Sorte","Estimated reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/tinextadefence.it\/guloader-distribuisce-remcos-prima-parte-malware-analysis-report\/#article","isPartOf":{"@id":"https:\/\/tinextadefence.it\/guloader-distribuisce-remcos-prima-parte-malware-analysis-report\/"},"author":{"name":"Simone 
Sorte","@id":"https:\/\/tinextadefence.it\/#\/schema\/person\/1f5092d13bbba815b7d8508dc4a0a941"},"headline":"GuLoader distributes Remcos \u2013 Part 1 &#8211; Malware Analysis Report","datePublished":"2023-09-07T08:42:14+00:00","dateModified":"2025-06-10T08:05:39+00:00","mainEntityOfPage":{"@id":"https:\/\/tinextadefence.it\/guloader-distribuisce-remcos-prima-parte-malware-analysis-report\/"},"wordCount":175,"publisher":{"@id":"https:\/\/tinextadefence.it\/#organization"},"image":{"@id":"https:\/\/tinextadefence.it\/guloader-distribuisce-remcos-prima-parte-malware-analysis-report\/#primaryimage"},"thumbnailUrl":"https:\/\/tinextadefence.it\/wp-content\/uploads\/2025\/03\/Tinexta_Defence_evidenza_articolo.jpg","keywords":["Articoli"],"articleSection":["#TDefenceBusiness"],"inLanguage":"en-GB"},{"@type":"WebPage","@id":"https:\/\/tinextadefence.it\/guloader-distribuisce-remcos-prima-parte-malware-analysis-report\/","url":"https:\/\/tinextadefence.it\/guloader-distribuisce-remcos-prima-parte-malware-analysis-report\/","name":"GuLoader distributes Remcos - Part 1 - Malware Analysis Report - Tinexta 
Defence","isPartOf":{"@id":"https:\/\/tinextadefence.it\/#website"},"primaryImageOfPage":{"@id":"https:\/\/tinextadefence.it\/guloader-distribuisce-remcos-prima-parte-malware-analysis-report\/#primaryimage"},"image":{"@id":"https:\/\/tinextadefence.it\/guloader-distribuisce-remcos-prima-parte-malware-analysis-report\/#primaryimage"},"thumbnailUrl":"https:\/\/tinextadefence.it\/wp-content\/uploads\/2025\/03\/Tinexta_Defence_evidenza_articolo.jpg","datePublished":"2023-09-07T08:42:14+00:00","dateModified":"2025-06-10T08:05:39+00:00","breadcrumb":{"@id":"https:\/\/tinextadefence.it\/guloader-distribuisce-remcos-prima-parte-malware-analysis-report\/#breadcrumb"},"inLanguage":"en-GB","potentialAction":[{"@type":"ReadAction","target":["https:\/\/tinextadefence.it\/guloader-distribuisce-remcos-prima-parte-malware-analysis-report\/"]}]},{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/tinextadefence.it\/guloader-distribuisce-remcos-prima-parte-malware-analysis-report\/#primaryimage","url":"https:\/\/tinextadefence.it\/wp-content\/uploads\/2025\/03\/Tinexta_Defence_evidenza_articolo.jpg","contentUrl":"https:\/\/tinextadefence.it\/wp-content\/uploads\/2025\/03\/Tinexta_Defence_evidenza_articolo.jpg","width":1200,"height":640,"caption":"Abstract featured image for Tinexta Defence articles"},{"@type":"BreadcrumbList","@id":"https:\/\/tinextadefence.it\/guloader-distribuisce-remcos-prima-parte-malware-analysis-report\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/tinextadefence.it\/"},{"@type":"ListItem","position":2,"name":"GuLoader distributes Remcos \u2013 Part 1 &#8211; Malware Analysis Report"}]},{"@type":"WebSite","@id":"https:\/\/tinextadefence.it\/#website","url":"https:\/\/tinextadefence.it\/","name":"Tinexta Defence","description":"think next, protect 
now","publisher":{"@id":"https:\/\/tinextadefence.it\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/tinextadefence.it\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-GB"},{"@type":"Organization","@id":"https:\/\/tinextadefence.it\/#organization","name":"Tinexta Defence","url":"https:\/\/tinextadefence.it\/","logo":{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/tinextadefence.it\/#\/schema\/logo\/image\/","url":"https:\/\/tinextadefence.it\/wp-content\/uploads\/2025\/03\/Tinexta_Defence_marchio.png","contentUrl":"https:\/\/tinextadefence.it\/wp-content\/uploads\/2025\/03\/Tinexta_Defence_marchio.png","width":2000,"height":990,"caption":"Tinexta Defence"},"image":{"@id":"https:\/\/tinextadefence.it\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/tinextadefence.it\/#\/schema\/person\/1f5092d13bbba815b7d8508dc4a0a941","name":"Simone Sorte","image":{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/tinextadefence.it\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/32dedea25589c73ac8f3d6a24a91a3de89a9dbecfeb8badd55816a91df1c8a31?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/32dedea25589c73ac8f3d6a24a91a3de89a9dbecfeb8badd55816a91df1c8a31?s=96&d=mm&r=g","caption":"Simone 
Sorte"}}]}},"_links":{"self":[{"href":"https:\/\/tinextadefence.it\/en\/wp-json\/wp\/v2\/posts\/20896","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/tinextadefence.it\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tinextadefence.it\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tinextadefence.it\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/tinextadefence.it\/en\/wp-json\/wp\/v2\/comments?post=20896"}],"version-history":[{"count":0,"href":"https:\/\/tinextadefence.it\/en\/wp-json\/wp\/v2\/posts\/20896\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/tinextadefence.it\/en\/wp-json\/wp\/v2\/media\/26257"}],"wp:attachment":[{"href":"https:\/\/tinextadefence.it\/en\/wp-json\/wp\/v2\/media?parent=20896"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tinextadefence.it\/en\/wp-json\/wp\/v2\/categories?post=20896"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tinextadefence.it\/en\/wp-json\/wp\/v2\/tags?post=20896"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}