Cloudeye

Malware Profile Updated 3 months ago

Download STIX

Preview STIX

Cloudeye, also known as GuLoader, is a sophisticated malware that has been active for over three years and continues to evolve. First spotted in late 2019, it is an advanced shellcode-based malware downloader used to distribute a range of payloads, such as information stealers, while incorporating numerous anti-analysis techniques to evade traditional security solutions. The malware, which delivers additional malware such as infostealers and Remote Access Trojans (RATs), has been observed targeting various sectors, including US law firms, healthcare, and investment firms. The malware's connection with CloudEyE and the VgoStore was initially overlooked due to the distribution of GuLoader under an alternative name, "The Protector". However, further investigation revealed a close relationship between VgoStore and Remcos, another malicious software. In 2020, it was discovered that an Italian company was selling the CloudEyE product through the website securitycode.eu, revealing its direct affiliation with GuLoader. Despite claims by developers that Remcos and GuLoader are legitimate software, cybersecurity researchers found truly malicious payloads within them, identified as Amadey Loader and corresponding GuLoader shellcodes that load and decrypt these payloads. Researchers have been tracking the GuLoader campaign since April 2023 and noted its active targeting of specific sectors. Future research will focus on extracting download URLs and encryption keys from unpacked samples using Malduck, a digital forensics tool.

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.

ID	Votes	Profile Description
GuLoader	4	GuLoader is a type of malware that infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, it can steal personal information, disrupt operations, or even hold data hostage for ransom. GuLoader is encrypted with NSIS Crypter and has
Remcos	2	Remcos is a software tool that can be utilized for both benign and malicious activities, including being part of cyberattacks. Recently, Remcos was identified as the most common payload in cyberattack campaigns observed by X-Force, often used by threat actors to exploit vulnerabilities. This tool ha
The Protector	2	"The Protector" is a malware identified as the Visual Basic Script (VBS) version of GuLoader. This malicious software, designed to exploit and damage computer systems, infiltrates through suspicious downloads, emails, or websites without the user's knowledge. Once inside, it can steal personal infor
Amadey Loader	1	Amadey Loader is a type of malware, a malicious software designed to infiltrate and damage computer systems. It can stealthily enter systems through suspicious downloads, emails, or websites, and once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Remcos

Loader

Encryption

Loader Malware

Gbhackers

Associated Malware

To see the evidence that has resulted in this association, create a free account

ID	Type	Votes	Profile Description
Amadey	Unspecified	1	Amadey is a malicious software (malware) that has been found to be used in conjunction with other malware such as Remcos, GuLoader, and Formbook. Analysis of the infection chains revealed that the individual behind the sales of Remcos and GuLoader also uses Amadey and Formbook, using GuLoader as a p

Associated Threat Actors

To see the evidence that has resulted in this association, create a free account

ID	Type	Votes	Profile Description
No associations to display

Associated Vulnerabilities

To see the evidence that has resulted in this association, create a free account

ID	Type	Votes	Profile Description
No associations to display

Source Document References

Information about the Cloudeye Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source	CreatedAt	Title
CERT-EU	8 months ago	Researchers Unveal GuLoader Malware's Latest Anti-Analysis Techniques
CERT-EU	a year ago	GuLoader Campaign Targets Law Firms in the US
InfoSecurity-magazine	a year ago	GuLoader Targets US Financial Firms With Tax-Themed Phishing Lures
CERT-EU	a year ago	WinRAR Security Flaw Exploited in Zero-Day Attacks to Target Traders
CERT-EU	a year ago	GuLoader Malware is Attacking Law Firms Using Weaponized PDF File
CERT-EU	10 months ago	Cyber Criminals Exploit Legitimate Software
CERT-EU	a year ago	GuLoader Malware is Attacking Law Firms Using Weaponized PDF File \| IT Security News
Checkpoint	10 months ago	Unveiling the Shadows: The Dark Alliance between GuLoader and Remcos - Check Point Research
CERT Polska	a year ago	Keeping an eye on CloudEyE (GuLoader) - Reverse engineering the loader