Cloudeye

Malware updated a month ago (2024-11-29T14:19:32.599Z)
Download STIX
Preview STIX
Cloudeye, also known as GuLoader, is a sophisticated malware that has been active for over three years and continues to evolve. First spotted in late 2019, it is an advanced shellcode-based malware downloader used to distribute a range of payloads, such as information stealers, while incorporating numerous anti-analysis techniques to evade traditional security solutions. The malware, which delivers additional malware such as infostealers and Remote Access Trojans (RATs), has been observed targeting various sectors, including US law firms, healthcare, and investment firms. The malware's connection with CloudEyE and the VgoStore was initially overlooked due to the distribution of GuLoader under an alternative name, "The Protector". However, further investigation revealed a close relationship between VgoStore and Remcos, another malicious software. In 2020, it was discovered that an Italian company was selling the CloudEyE product through the website securitycode.eu, revealing its direct affiliation with GuLoader. Despite claims by developers that Remcos and GuLoader are legitimate software, cybersecurity researchers found truly malicious payloads within them, identified as Amadey Loader and corresponding GuLoader shellcodes that load and decrypt these payloads. Researchers have been tracking the GuLoader campaign since April 2023 and noted its active targeting of specific sectors. Future research will focus on extracting download URLs and encryption keys from unpacked samples using Malduck, a digital forensics tool.
Description last updated: 2024-05-04T16:07:26.255Z
What's your take? (Question 1 of 4)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
GuLoader is a possible alias for Cloudeye. GuLoader is a potent malware that has been causing significant cybersecurity concerns. It operates by infecting systems through suspicious downloads, emails, or websites and then proceeds to exploit the system, often stealing personal information, disrupting operations, or holding data hostage for r
4
The Protector is a possible alias for Cloudeye. "The Protector" is a malware identified as the Visual Basic Script (VBS) version of GuLoader. This malicious software, designed to exploit and damage computer systems, infiltrates through suspicious downloads, emails, or websites without the user's knowledge. Once inside, it can steal personal infor
2
Remcos is a possible alias for Cloudeye. Remcos is a commercially available remote access tool (RAT) that has been repurposed by threat actors for malicious use. This software, which can be utilized as part of a cyber attack, has been observed being used in various recent campaigns, most notably those detected by X-Force. In these instance
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Remcos
Loader
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.