Theprotect

Malware updated 4 days ago (2024-11-29T14:40:19.102Z)
TheProtect is a new brand name for the malware previously known as GuLoader. It is sold openly on the websites BreakingSecurity and VgoStore, both administered by an individual operating under the alias EMINэM, and is also advertised in those platforms' respective Telegram groups. Our analysis showed that executable files protected by TheProtect and sold through VgoStore are identical to those produced by GuLoader.

EMINэM uses TheProtect for his own malicious purposes, taking advantage of its ability to bypass antivirus software. This capability is demonstrated in a video by the user VGO showing a VBS variant of TheProtect, which we identified as GuLoader. While analyzing this video, we discovered an open directory with the same name on the host "194.180.48.211". Despite the developers' claims that Remcos and GuLoader (also known as CloudEyE and TheProtect) are legitimate software, this directory contained two truly malicious payloads: Amadey Loader and the corresponding GuLoader shellcodes that load and decrypt those payloads.

TheProtect offers two protection methods: Private Protect and Script Protect. In the VgoStore group it is marketed as a service providing "runtime FUD", meaning the protected sample is completely undetected by antivirus software when executed. It is worth noting that EMINэM describes TheProtect as a tool that helps Remcos bypass Windows Defender (WD). In addition to the BreakingSecurity group, EMINэM also maintains a Telegram group for VgoStore; in both groups, EMINэM and another administrator named "VGO" promote TheProtect whenever users ask about a crypting service. TheProtect therefore represents a significant threat because of its ability to evade detection and its widespread promotion across these platforms.
Description last updated: 2024-05-04T21:31:00.632Z
Aliases: We are not currently tracking any aliases.