Theprotect

Malware Profile Updated 3 months ago
TheProtect is a new brand of malware, previously known as GuLoader. It is openly sold on the websites BreakingSecurity and VgoStore, both administered by an individual operating under the alias EMINэM, and it is also advertised in those platforms' respective Telegram groups. Our analysis has shown that the executable files protected by TheProtect, as sold in the VgoStore, are identical to those produced by GuLoader.

Despite the developers' claims that Remcos and GuLoader (CloudEyE, TheProtect) are legitimate software, we identified two genuinely malicious payloads in this folder: Amadey Loader and the corresponding GuLoader shellcodes that load and decrypt those payloads. EMINэM uses TheProtect for his own malicious purposes, taking advantage of its ability to bypass antivirus software. This capability is demonstrated in a video by the user VGO showing a VBS variant of TheProtect, which we identified as GuLoader. While analyzing this video, we discovered an open directory of the same name on the host "194.180.48.211".

TheProtect offers two protection methods: Private Protect and Script Protect. In the VgoStore group it is marketed as a service providing "runtime FUD", meaning that the sample is claimed to be completely undetectable by antivirus products when executed. Notably, EMINэM describes TheProtect as a tool that helps Remcos bypass Windows Defender (WD). In addition to the BreakingSecurity group, EMINэM also maintains a Telegram group for VgoStore; in these groups, EMINэM and another administrator named "VGO" promote TheProtect whenever users ask about a crypting service. TheProtect therefore represents a significant threat because of its ability to evade detection and its widespread promotion across multiple platforms.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.

ID: GuLoader (Votes: 1)
Profile Description: GuLoader is a type of malware that infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, it can steal personal information, disrupt operations, or even hold data hostage for ransom. GuLoader is encrypted with NSIS Crypter and has
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Remcos
Loader
Windows
Crypting
Antivirus
Telegram
Associated Malware
ID: Amadey (Type: Unspecified, Votes: 1)
Profile Description: Amadey is a malicious software (malware) that has been found to be used in conjunction with other malware such as Remcos, GuLoader, and Formbook. Analysis of the infection chains revealed that the individual behind the sales of Remcos and GuLoader also uses Amadey and Formbook, using GuLoader as a p

ID: Amadey Loader (Type: Unspecified, Votes: 1)
Profile Description: Amadey Loader is a type of malware, a malicious software designed to infiltrate and damage computer systems. It can stealthily enter systems through suspicious downloads, emails, or websites, and once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Theprotect malware was read from the document corpus below. This display is limited to 20 results.

Source: Checkpoint (created 10 months ago)
Title: Unveiling the Shadows: The Dark Alliance between GuLoader and Remcos - Check Point Research