win.cloudeye

CloudEyE

aka: GuLoader, vbdropper

CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is XOR-encoded.

References
2024-04-15 | Positive Technologies | Aleksandr Badaev, Kseniya Naumova
  SteganoAmor campaign: TA558 mass-attacking companies and public institutions all around the world
  Families: LokiBot, 404 Keylogger, Agent Tesla, CloudEyE, Formbook, Remcos, XWorm

2024-03-11 | CyberInt | Adi Bleih
  GuLoader Downloaded: A Look at the Latest Iteration
  Families: CloudEyE

2024-02-09 | YouTube (Embee Research) | Embee_research
  Guloader Decoding With Cyberchef
  Families: CloudEyE

2023-12-06 | Elastic | Daniel Stepanic
  Getting gooey with GULOADER: deobfuscating the downloader
  Families: CloudEyE

2023-09-29 | Intrinsec | CTI Intrinsec, Intrinsec
  Ongoing threats targeting the energy industry
  Families: Agent Tesla, CloudEyE

2023-09-19 | Checkpoint | Alexey Bukhteyev, Arie Olshtein
  Unveiling the Shadows: The Dark Alliance between GuLoader and Remcos
  Families: CloudEyE, Remcos

2023-08-10 | AhnLab | AhnLab ASEC Analysis Team
  GuLoader Malware Disguised as Tax Invoices and Shipping Statements (Detected by MDS Products)
  Families: CloudEyE

2023-07-28 | YouTube (SANS Cyber Defense) | Stef Rand
  Drop It Like It's Qbot: Separating malicious droppers, loaders, and crypters from their payloads
  Families: CloudEyE, QakBot

2023-07-28 | Red Canary | Stef Rand
  Drop It Like It's Qbot: Separating malicious droppers, loaders, and crypters from their payloads
  Families: CloudEyE, QakBot

2023-07-08 | Gi7w0rm
  CloudEyE — From .lnk to Shellcode
  Families: CloudEyE, Remcos

2023-06-29 | Morphisec | Arnold Osipov
  GuLoader Campaign Targets Law Firms in the US
  Families: CloudEyE

2023-06-29 | MalwareBookReports | muzi
  GuLoader: Navigating a Maze of Intricacy
  Families: CloudEyE

2023-05-22 | Check Point | Alexey Bukhteyev, Arie Olshtein
  Cloud-based Malware Delivery: The Evolution of GuLoader
  Families: CloudEyE

2023-05-17 | ANY.RUN | ANY.RUN
  Deobfuscating the Latest GuLoader: Automating Analysis with Ghidra Scripting
  Families: CloudEyE

2023-04-13 | Microsoft | Microsoft Threat Intelligence
  Threat actors strive to cause Tax Day headaches
  Families: CloudEyE, Remcos

2023-04-10 | Check Point | Check Point
  March 2023's Most Wanted Malware: New Emotet Campaign Bypasses Microsoft Blocks to Distribute Malicious OneNote Files
  Families: Agent Tesla, CloudEyE, Emotet, Formbook, Nanocore RAT, NjRAT, QakBot, Remcos, Tofsee

2023-03-11 | Zainware labs | ZainWare
  Analyzing GuLoader
  Families: CloudEyE

2023-01-05 | Symantec | Threat Hunter Team
  Bluebottle: Campaign Hits Banks in French-speaking Countries in Africa
  Families: CloudEyE, Cobalt Strike, MimiKatz, NetWire RC, POORTRY, Quasar RAT, BlueBottle

2022-12-19 | CrowdStrike | Donato Onofri, Sarang Sonawane
  Malware Analysis: GuLoader Dissection Reveals New Anti-Analysis Techniques and Code Injection Redundancy
  Families: CloudEyE

2022-10-12 | Spamhaus | Raashid Bhat
  Dissecting the new shellcode-based variant of GuLoader (CloudEyE)
  Families: CloudEyE

2022-09-12 | VMRay | Pascal Brackmann
  The evolution of GuLoader
  Families: CloudEyE

2022-08-29 | InQuest | David Ledbetter
  Office Files, RTF files, Shellcode and more shenanigans
  Families: CloudEyE

2022-07-21 | Cert-AgID | Cert-AgID
  Techniques to simplify the analysis of the GuLoader malware (original title in Italian: Tecniche per semplificare l'analisi del malware GuLoader)
  Families: CloudEyE

2022-07-12 | Fortinet | James Slaughter
  Spoofed Saudi Purchase Order Drops GuLoader – Part 2
  Families: CloudEyE

2022-06-02 | Mandiant | Mandiant
  TRENDING EVIL Q2 2022
  Families: CloudEyE, Cobalt Strike, CryptBot, Emotet, IsaacWiper, QakBot

2022-04-12 | HP | Patrick Schläpfer
  Malware Campaigns Targeting African Banking Sector
  Families: CloudEyE, Remcos

2022-03-30 | Securonix | Den Iyzvyk, Oleg Kolesnikov, Tim Peck
  New TACTICAL#OCTOPUS Attack Campaign Targets US Entities with Malware Bundled in Tax-Themed Documents
  Families: CloudEyE

2022-01-27 | forensicitguy | Tony Lambert
  GuLoader Executing Shellcode Using Callback Functions
  Families: CloudEyE

2021-11-23 | HP | Patrick Schläpfer
  RATDispenser: Stealthy JavaScript Loader Dispensing RATs into the Wild
  Families: AdWind, Ratty, STRRAT, CloudEyE, Formbook, Houdini, Panda Stealer, Remcos

2021-10-01 | HP | HP Wolf Security
  Threat Insights Report Q3 - 2021
  Families: STRRAT, CloudEyE, NetWire RC, Remcos, TrickBot, Vjw0rm

2021-09-03 | Trend Micro | Mohamad Mokbel
  The State of SSL/TLS Certificate Usage in Malware C&C Communications
  Families: AdWind, ostap, AsyncRAT, BazarBackdoor, BitRAT, Buer, Chthonic, CloudEyE, Cobalt Strike, DCRat, Dridex, FindPOS, GootKit, Gozi, IcedID, ISFB, Nanocore RAT, Orcus RAT, PandaBanker, Qadars, QakBot, Quasar RAT, Rockloader, ServHelper, Shifu, SManager, TorrentLocker, TrickBot, Vawtrak, Zeus, Zloader

2021-08-23 | YouTube (DuMp-GuY TrIcKsTeR) | Jiří Vinopal
  [2] Lokibot analyzing - spoofing GULoader and LokiBot C2 [part2] - INetSim + BurpSuite
  Families: CloudEyE, Loki Password Stealer (PWS)

2021-07-07 | YouTube (DuMp-GuY TrIcKsTeR) | Jiří Vinopal
  [2] Lokibot analyzing - spoofing GULoader and LokiBot C2 [part1] - Own implementation in Python
  Families: CloudEyE, Loki Password Stealer (PWS)

2021-07-06 | YouTube (DuMp-GuY TrIcKsTeR) | Jiří Vinopal
  [1] Lokibot analyzing - defeating GuLoader with Windbg (Kernel debugging) and Live C2
  Families: CloudEyE, Loki Password Stealer (PWS)

2021-06-29 | Medium hidocohen | Hido Cohen
  GuLoader's Anti-Analysis Techniques
  Families: CloudEyE

2021-04-19 | Medium elis531989 | Eli Salem
  Dancing With Shellcodes: Cracking the latest version of Guloader
  Families: CloudEyE

2021-04-13 | CERT Polska / NASK | Michał Praszmo
  Keeping an eye on CloudEyE (GuLoader) - Reverse engineering the loader
  Families: CloudEyE

2021-03-06 | Click All the Things! Blog | Jamie Arndt
  oleObject1.bin – OLe10nATive – shellcode
  Families: CloudEyE

2021-02-17 | K7 Security | Lokesh J
  GuLoader Snowballs via MalSpam Campaigns
  Families: CloudEyE

2020-11-18 | VMRay | Mateusz Lukaszewski, Pascal Brackmann, VMRay Labs Team
  Malware Analysis Spotlight: AZORult Delivered by GuLoader
  Families: Azorult, CloudEyE

2020-09-17 | Joe Security's Blog | Joe Security
  GuLoader's VM-Exit Instruction Hammering explained
  Families: CloudEyE

2020-09-08 | MALWATION | malwation
  Malware Config Extraction Diaries #1 – GuLoader
  Families: CloudEyE

2020-08-10 | Malwarebytes | Jérôme Segura
  SBA phishing scams: from malware to advanced social engineering
  Families: CloudEyE

2020-08-05 | Blueliv | Blueliv Labs Team, Carlos Rubio
  Playing with GuLoader Anti-VM techniques
  Families: CloudEyE

2020-07-14 | SophosLabs Uncut | Markel Picado, Sean Gallagher
  RATicate upgrades "RATs as a Service" attacks with commercial "crypter"
  Families: LokiBot, BetaBot, CloudEyE, NetWire RC

2020-07-09 | VMRay | Pascal Brackmann
  Threat Bulletin: Dissecting GuLoader's Evasion Techniques
  Families: CloudEyE

2020-06-27 | kienmanowar Blog | m4n0w4r
  Quick analysis note about GuLoader (or CloudEyE)
  Families: CloudEyE

2020-06-25 | CrowdStrike | Umesh Wanve
  GuLoader: Peering Into a Shellcode-based Downloader
  Families: CloudEyE

2020-06-22 | Proofpoint | Proofpoint Threat Research Team, Sherrod DeGrippo
  Hakbit Ransomware Campaign Against Germany, Austria, Switzerland
  Families: CloudEyE, Hakbit

2020-06-08 | Check Point Research | Check Point Research
  GuLoader? No, CloudEyE.
  Families: CloudEyE

2020-05-20 | VIPRE | VIPRE Labs
  Unloading the GuLoader
  Families: CloudEyE

2020-05-08 | Twitter (@sysopfb) | Jason Reaves
  Tweet on GuLoader anti analysis techniques
  Families: CloudEyE

2020-05-05 | VinCSS | Dang Dinh Phuong, m4n0w4r
  GuLoader AntiVM Techniques
  Families: CloudEyE

2020-05-04 | Twitter (@VK_intel) | Vitali Kremez
  GuLoader API Loader Algorithm
  Families: CloudEyE

2020-04-29 | Twitter (@VK_intel) | Vitali Kremez
  Some Insight into GuLoader family
  Families: CloudEyE

2020-04-21 | Twitter (@VK_intel) | Vitali Kremez
  Tweet on Signed GuLoader
  Families: CloudEyE

2020-04-13 | K7 Security | Lokesh J
  GuLoader delivers RATs and Spies in Disguise
  Families: CloudEyE

2020-04-03 | Palo Alto Networks Unit 42 | Brad Duncan
  GuLoader: Malspam Campaign Installing NetWire RAT
  Families: CloudEyE, NetWire RC

2020-04-02 | Morphisec | Arnold Osipov
  GuLoader: The RAT Downloader
  Families: CloudEyE

2020-04-01 | Cisco | Andrea Kaiser, Shyam Sundar Ramaswami
  Navigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors
  Families: Azorult, CloudEyE, Formbook, KPOT Stealer, Metamorfo, Nanocore RAT, NetWire RC, TrickBot

2020-03-19 | Twitter (@TheEnergyStory) | Dominik Reichel
  Tweet on early GuLoader samples dating back to October 2019
  Families: CloudEyE

2020-03-15 | Twitter (@TheEnergyStory) | Dominik Reichel
  GuLoader anti analysis/sandbox tricks
  Families: CloudEyE
Yara Rules
[TLP:WHITE] win_cloudeye_auto (20241030 | Detects win.cloudeye.)
rule win_cloudeye_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.cloudeye."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 64ff35c0000000 8f4548 c3 60 b055 }
            // n = 5, score = 100
            //   64ff35c0000000       | push                dword ptr fs:[0xc0]
            //   8f4548               | pop                 dword ptr [ebp + 0x48]
            //   c3                   | ret                 
            //   60                   | pushal              
            //   b055                 | mov                 al, 0x55

        $sequence_1 = { c70010000100 80fc8b ffb700500000 39c9 6afe ff5528 }
            // n = 6, score = 100
            //   c70010000100         | mov                 dword ptr [eax], 0x10010
            //   80fc8b               | cmp                 ah, 0x8b
            //   ffb700500000         | push                dword ptr [edi + 0x5000]
            //   39c9                 | cmp                 ecx, ecx
            //   6afe                 | push                -2
            //   ff5528               | call                dword ptr [ebp + 0x28]

        $sequence_2 = { 85da 8b4d18 bafee5190e e8???????? }
            // n = 4, score = 100
            //   85da                 | test                edx, ebx
            //   8b4d18               | mov                 ecx, dword ptr [ebp + 0x18]
            //   bafee5190e           | mov                 edx, 0xe19e5fe
            //   e8????????           |                     

        $sequence_3 = { 7570 206b65 7900 e8???????? 53 }
            // n = 5, score = 100
            //   7570                 | jne                 0x72
            //   206b65               | and                 byte ptr [ebx + 0x65], ch
            //   7900                 | jns                 2
            //   e8????????           |                     
            //   53                   | push                ebx

        $sequence_4 = { ff50e0 6639d1 61 b8ffffffff }
            // n = 4, score = 100
            //   ff50e0               | call                dword ptr [eax - 0x20]
            //   6639d1               | cmp                 cx, dx
            //   61                   | popal               
            //   b8ffffffff           | mov                 eax, 0xffffffff

        $sequence_5 = { 83f800 0f8598000000 6685c1 8b4d20 81c100410000 c70107000100 51 }
            // n = 7, score = 100
            //   83f800               | cmp                 eax, 0
            //   0f8598000000         | jne                 0x9e
            //   6685c1               | test                cx, ax
            //   8b4d20               | mov                 ecx, dword ptr [ebp + 0x20]
            //   81c100410000         | add                 ecx, 0x4100
            //   c70107000100         | mov                 dword ptr [ecx], 0x10007
            //   51                   | push                ecx

        $sequence_6 = { 81c29c000000 52 6a07 6aff 38ed 50 e8???????? }
            // n = 7, score = 100
            //   81c29c000000         | add                 edx, 0x9c
            //   52                   | push                edx
            //   6a07                 | push                7
            //   6aff                 | push                -1
            //   38ed                 | cmp                 ch, ch
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_7 = { 5b 6685da 31c0 83c004 }
            // n = 4, score = 100
            //   5b                   | pop                 ebx
            //   6685da               | test                dx, bx
            //   31c0                 | xor                 eax, eax
            //   83c004               | add                 eax, 4

        $sequence_8 = { 8bb714080000 38ef 8b8700080000 01f0 01c8 }
            // n = 5, score = 100
            //   8bb714080000         | mov                 esi, dword ptr [edi + 0x814]
            //   38ef                 | cmp                 bh, ch
            //   8b8700080000         | mov                 eax, dword ptr [edi + 0x800]
            //   01f0                 | add                 eax, esi
            //   01c8                 | add                 eax, ecx

        $sequence_9 = { 85db 837d7401 750a e8???????? 83f801 7405 }
            // n = 6, score = 100
            //   85db                 | test                ebx, ebx
            //   837d7401             | cmp                 dword ptr [ebp + 0x74], 1
            //   750a                 | jne                 0xc
            //   e8????????           |                     
            //   83f801               | cmp                 eax, 1
            //   7405                 | je                  7

    condition:
        7 of them and filesize < 90112
}
[TLP:WHITE] win_cloudeye_w0 (20200204 | Shellcode injector and downloader via RegAsm.exe payload)
rule win_cloudeye_w0 {
    meta:
        author = "ditekshen"
        description = "Shellcode injector and downloader via RegAsm.exe payload"
        source = "https://github.com/kevoreilly/CAPEv2/blob/master/data/yara/CAPE/SCInject.yar"
        malpedia_version = "20200204"
        malpedia_sharing = "TLP:WHITE"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye"
        malpedia_license = ""
    strings:
        $s1 = "wininet.dll" fullword ascii
        $s2 = "ShellExecuteW" fullword ascii
        $s3 = "SHCreateDirectoryExW" fullword ascii
        $s4 = "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce" fullword ascii
        $s5 = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" fullword ascii

        $o1 = "msvbvm60.dll" fullword wide
        $o2 = "\\syswow64\\" fullword wide
        $o3 = "\\system32\\" fullword wide
        $o4 = "\\Microsoft.NET\\Framework\\" fullword wide
        $o5 = "USERPROFILE=" wide nocase
        $o6 = "windir=" fullword wide
        $o7 = "APPDATA=" nocase wide
        $o8 = "RegAsm.exe" fullword wide

        $url1 = "https://drive.google.com/uc?export=download&id=" ascii
        $url2 = "https://onedrive.live.com/download?cid=" ascii
        $url3 = "http://myurl/myfile.bin" fullword ascii
        $url4 = "http" ascii // fallback
    condition:
        all of ($s*) and 2 of ($o*) and 1 of ($url*)
}