Security researchers at ASEC are warning about a phishing campaign that uses a fake employee performance report to deliver the Guloader malware. The lure trades on workplace familiarity and urgency to get employees to download and run a malicious attachment, and the final payload hands the attacker remote control of the compromised machine along with the company and personal data stored on it.
The campaign starts with a phishing email that claims to carry an October 2025 employee performance report. To create urgency, the message mentions possible dismissals, pushing recipients to open the attachment immediately. That pressure is the point: a plausible business document combined with a threat to the reader's job is designed to override the caution that security-awareness training tries to instill.
The Multi-Stage Infection Mechanism of Guloader Malware
According to the researchers, the attachment is a RAR archive containing an NSIS (Nullsoft Scriptable Install System) installer named "staff record pdf.exe". Windows hides known file extensions by default, so Explorer lists the file as "staff record pdf", which most users will read as a PDF document. Once run, the installer starts a multi-stage infection chain built for stealth and persistent access.
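As an added illustration, not code from the ASEC report, the following Python models the check a mail gateway or archive scanner would apply to this lure: how Explorer displays an attachment name once known extensions are hidden, and whether the real extension is something Windows will execute. Only "staff record pdf.exe" comes from the report; the other filenames, the extension lists, and the right-to-left-override check are assumptions that generalize beyond this one sample.

```python
"""Added example, not code from the ASEC report: decide whether an
attachment name disguises an executable as a document, as
'staff record pdf.exe' does once Windows hides known extensions."""
import re
from dataclasses import dataclass

# Extensions Windows runs on double-click (assumption: a typical gateway blocklist).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "msi", "ps1", "lnk"}
# Document-like words an attacker puts in front of the real extension.
DOCUMENT_HINTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt"}
# Right-to-left override; not mentioned in the report, added as a generalisation.
RTLO = "\u202e"


@dataclass
class Verdict:
    filename: str
    displayed_as: str  # what Explorer shows with "Hide extensions for known file types" on
    suspicious: bool
    reason: str


def explorer_display_name(name: str) -> str:
    """Explorer hides only the final extension, so 'staff record pdf.exe'
    is shown as 'staff record pdf'."""
    stem, dot, _ext = name.rpartition(".")
    return stem if dot else name


def real_extension(name: str) -> str:
    return name.rpartition(".")[2].lower() if "." in name else ""


def assess_attachment(name: str) -> Verdict:
    displayed = explorer_display_name(name)
    if RTLO in name:
        return Verdict(name, displayed, True, "RTLO character reverses the visible extension")
    ext = real_extension(name)
    if ext not in EXECUTABLE_EXTS:
        return Verdict(name, displayed, False, f"not an executable type (.{ext or 'none'})")
    # Split the visible name into words: 'staff record pdf' and 'invoice.PDF' both yield 'pdf'.
    words = set(re.split(r"[\s._-]+", displayed.lower()))
    if words & DOCUMENT_HINTS:
        return Verdict(name, displayed, True,
                       f".{ext} executable shown to the user as '{displayed}'")
    return Verdict(name, displayed, True, f"executable attachment (.{ext})")


def scan_archive_listing(names) -> list:
    """Run the check over every member name of an archive (e.g. the RAR's file list)."""
    return [v for v in (assess_attachment(n) for n in names) if v.suspicious]


if __name__ == "__main__":
    # Constructed listing; only 'staff record pdf.exe' comes from the report.
    for v in scan_archive_listing(["staff record pdf.exe", "Q3 review.pdf", "invoice.PDF.scr"]):
        print(f"{v.filename!r} -> shown as {v.displayed_as!r}: {v.reason}")
```

The point of computing the displayed name separately is that the decision the user sees ("staff record pdf") and the decision the OS makes (".exe") diverge; a filter that only looks at the last extension still catches this sample, but the word-match on the visible stem is what distinguishes a deliberately disguised installer from an ordinary executable attachment.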
The infection chain is built to evade detection. On execution, the NSIS stage contacts a remote server and downloads an encrypted shellcode blob from Google Drive, at "hxxps://drive.google[.]com/uc?export=download&id=1bzvByYrlHy240MCIX7Cv41gP9ZY3pRsgv", as a file named "EMvmKijceR91.bin". Hosting the stage on Google Drive means the download travels over HTTPS to a domain that reputation-based filtering will rarely block. The blob is then decrypted and injected into memory rather than written to disk as a plaintext executable, so file-based scanning sees only an encrypted .bin with no recognizable signature and the decoded payload never appears as a file.
The final payload is the Remcos RAT (Remote Access Trojan), which gives the operators broad control of the compromised host: keylogging, screenshots of user activity, webcam and microphone capture, and theft of browser histories and stored passwords. Remcos talks to its command-and-control (C2) server at "196.251.116[.]219" on ports 2404 and 5000, maintaining persistent unauthorized access for follow-on activity.
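To show how the indicators in the two paragraphs above turn into detection logic, here is an added Python example, not part of the ASEC analysis, that refangs the published IOCs and runs them, together with one behavioral rule, over constructed endpoint network-telemetry records. The JSON-lines record format, the host names, the non-IOC addresses and the browser allowlist are assumptions; the C2 address, ports and Google Drive URL are the ones quoted in the text.

```python
"""Added example, not part of the ASEC analysis: turn the published
indicators into detection logic and run it over constructed telemetry."""
import json
from urllib.parse import parse_qs, urlparse

# Indicators exactly as published (defanged); refang() below makes them matchable.
C2_IP_DEFANGED = "196.251.116[.]219"
C2_PORTS = {2404, 5000}
STAGE_URL_DEFANGED = ("hxxps://drive.google[.]com/uc?export=download"
                      "&id=1bzvByYrlHy240MCIX7Cv41gP9ZY3pRsgv")
# Assumption: only these processes are expected to fetch Google Drive downloads.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}


def refang(ioc: str) -> str:
    return ioc.replace("hxxp", "http").replace("[.]", ".")


C2_IP = refang(C2_IP_DEFANGED)
STAGE_URL = refang(STAGE_URL_DEFANGED)
STAGE_FILE_ID = parse_qs(urlparse(STAGE_URL).query)["id"][0]


def inspect_event(event: dict) -> list:
    """Names of the rules that fire for one telemetry record."""
    hits = []
    if event.get("dst_ip") == C2_IP:
        # Remcos C2: the report names ports 2404 and 5000, but the IP alone is enough to alert.
        hits.append("remcos_c2_ip" + ("_known_port" if event.get("dst_port") in C2_PORTS else ""))
    url = event.get("url")
    if url:
        u = urlparse(url)
        q = parse_qs(u.query)
        is_drive_direct = (u.netloc == "drive.google.com" and u.path == "/uc"
                           and q.get("export") == ["download"])
        if is_drive_direct:
            if q.get("id") == [STAGE_FILE_ID]:
                hits.append("guloader_stage_url_exact")
            # Behavioral rule: in this chain the NSIS stage, not a browser, fetches the .bin.
            if event.get("process", "").lower() not in BROWSERS:
                hits.append("drive_direct_download_by_non_browser")
    return hits


def scan(lines) -> list:
    """(host, process, rule) tuples for every JSON-lines record that matches."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        findings.extend((ev["host"], ev["process"], rule) for rule in inspect_event(ev))
    return findings


# Constructed records in an assumed JSON-lines format. The Drive URL and the C2 address
# are the report's; hosts, processes and the TEST-NET addresses are invented.
SAMPLE_LOG = [
    '{"host":"WS-117","process":"staff record pdf.exe","dst_ip":"203.0.113.10","dst_port":443,'
    '"url":"https://drive.google.com/uc?export=download&id=1bzvByYrlHy240MCIX7Cv41gP9ZY3pRsgv"}',
    '{"host":"WS-117","process":"staff record pdf.exe","dst_ip":"196.251.116.219","dst_port":2404}',
    '{"host":"WS-204","process":"chrome.exe","dst_ip":"203.0.113.10","dst_port":443,'
    '"url":"https://drive.google.com/uc?export=download&id=unrelated-file-id"}',
    '{"host":"WS-204","process":"outlook.exe","dst_ip":"203.0.113.20","dst_port":443}',
]

if __name__ == "__main__":
    for host, proc, rule in scan(SAMPLE_LOG):
        print(f"{host}: {proc} -> {rule}")
```

The exact-URL and C2-address matches will stop firing as soon as the operators rotate infrastructure; the non-browser Drive download rule is the one worth keeping, because it targets the behavior of the chain (an installer pulling a second stage from a file-sharing service) rather than this campaign's specific values.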
Organizations should tighten email filtering to quarantine archive attachments that contain executables, including names with a document-like stem such as "... pdf.exe", and should turn off extension hiding on user machines (the Explorer option "Hide extensions for known file types", stored as the HideFileExt value under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, which can be pushed with Group Policy Preferences). Endpoint detection and response (EDR) tooling improves the odds of catching the chain at several points: an NSIS installer making outbound connections, a direct Google Drive download by a non-browser process, shellcode injection into memory, and connections to the published C2 address and ports. Continuous monitoring and user education remain essential against lures of this kind.

