惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
T
Troy Hunt's Blog
Scott Helme
Scott Helme
T
Threat Research - Cisco Blogs
T
Tenable Blog
L
LINUX DO - 热门话题
V
Visual Studio Blog
I
Intezer
Blog — PlanetScale
Blog — PlanetScale
Cisco Talos Blog
Cisco Talos Blog
A
Arctic Wolf
C
Cyber Attacks, Cyber Crime and Cyber Security
F
Fortinet All Blogs
aimingoo的专栏
aimingoo的专栏
Know Your Adversary
Know Your Adversary
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
N
Netflix TechBlog - Medium
SecWiki News
SecWiki News
I
InfoQ
Microsoft Security Blog
Microsoft Security Blog
Project Zero
Project Zero
W
WeLiveSecurity
Microsoft Azure Blog
Microsoft Azure Blog
A
About on SuperTechFans
Recorded Future
Recorded Future
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Vercel News
Vercel News
S
Securelist
Spread Privacy
Spread Privacy
L
LangChain Blog
云风的 BLOG
云风的 BLOG
G
Google Developers Blog
MongoDB | Blog
MongoDB | Blog
Google DeepMind News
Google DeepMind News
Recent Commits to openclaw:main
Recent Commits to openclaw:main
D
Darknet – Hacking Tools, Hacker News & Cyber Security
C
CERT Recently Published Vulnerability Notes
罗磊的独立博客
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
The Last Watchdog
The Last Watchdog
Attack and Defense Labs
Attack and Defense Labs
博客园 - 司徒正美
Help Net Security
Help Net Security
L
Lohrmann on Cybersecurity
人人都是产品经理
人人都是产品经理
Forbes - Security
Forbes - Security
Hacker News - Newest:
Hacker News - Newest: "LLM"
PCI Perspectives
PCI Perspectives
博客园 - 【当耐特】
T
Tor Project blog

Security Research | Blog

ClaudeFix: Shared Claude Chats Meet ClickFix | Zscaler Why Do F1 Teams Need Cybersecurity, and What Is AI’s Role? Indirect Prompt Injection Targets AI Agents | ThreatLabz Splunk Enterprise RCE (CVE-2026-20253) | ThreatLabz Edgecution: Malicious Edge Extension Backdoor | ThreatLabz SmartApeSG Supply Chain Attack Targets Okendo | ThreatLabz AI Generated ClickFix Attack Delivers SmartRAT | ThreatLabz What the ThreatLabz 2026 Phishing and Initial Access Report Means for the Public Sector | Zscaler Shai-Hulud: Miasma, Hades, & AI Scanner Evasion | ThreatLabz Zscaler ThreatLabz 2026 Phishing and Initial Access Report Technical Analysis of MLTBackdoor | ThreatLabz When the Scanner Starts Thinking: Learnings from Mythos & GPT 5.5 Cyber in Security Testing | Zscaler OpenClaw Skill Distributes Remcos & GhostLoader | ThreatLabz Tropic Trooper: AdaptixC2 + Custom Beacon | ThreatLabz Do not delete blog (testing) | Zscaler Payouts King Takes Aim at the Ransomware Throne | ThreatLabz The Alibaba Incident and Why Zero Trust Matters More Than Ever In-Memory Loader Drops ScreenConnect | ThreatLabz Supply Chain Attacks Surge in March 2026 | ThreatLabz Claude Code Leak: Critical AI Security Threat 2026 Latest Xloader Obfuscation Code & C2 Protocol | ThreatLabz CVE-2026-20131: Analysis of FMC RCE | ThreatLabz Technical Analysis of SnappyClient | ThreatLabz China-nexus Group Targets Arabian Gulf Region | ThreatLabz Middle East Conflict Fuels Cyber Attacks | ThreatLabz Dust Specter APT Targets Gov’t Officials in Iraq | ThreatLabz APT37 Adds New Tools For Air-Gapped Networks | ThreatLabz GuLoader Malware Obfuscation Techniques Analyzed Technical Analysis of Marco Stealer | ThreatLabz Latest Public Sector AI Adoption Trends: What Government, Healthcare, and Education Security Teams Need to Know | Zscaler Operation Neusploit: APT28 Uses CVE-2026-21509 | ThreatLabz 7 Predictions for 2026 | Zscaler SHEETCREEP, FIREPOWER, and MAILCREEP Analysis | ThreatLabz AI is Now Default Enterprise Accelerator: Takeaways from ThreatLabz 2026 AI Security Report | Zscaler GOGITTER, GITSHELLPAD, and GOSHELL Analysis | ThreatLabz Malicious NPM Packages Deliver NodeCordRAT | ThreatLabz What’s Powering Enterprise AI in 2025: ThreatLabz Report Sneak Peek | Zscaler BlindEagle Deploys Caminho and DCRAT | ThreatLabz Technical Analysis of the BlackForce Phishing Kit | ThreatLabz React2Shell RCE Vulnerability (CVE-2025-55182) | ThreatLabz Shai-Hulud V2 Poses Risk to NPM Supply Chain | ThreatLabz Technical Analysis of Matanbuchus 3.0 | ThreatLabz In-Depth Analysis: Water Gamayun APT Multi-Stage Attack Uncovered CVE-2025-50165: Windows Graphics Component Flaw | ThreatLabz Mobile, IoT, and OT Risks Converge in the Public Sector | Zscaler Industry Attacks Surge, Mobile Malware Spreads: The ThreatLabz 2025 Mobile, IoT & OT Report | Zscaler Zscaler Discovers Vulnerability in Keras Models Allowing Arbitrary File Access and SSRF (CVE-2025-12058) | Zscaler F5 Security Incident Advisory | Zscaler Under the Radar: How Non-Web Protocols Are Redefining the Attack Surface | Zscaler SEO Poisoning Targets Ivanti VPN: Credential Theft Alert Cisco Firewall and VPN Zero Day Attacks | ThreatLabz COLDRIVER Adds BAITSWITCH and SIMPLEFIX | ThreatLabz YiBackdoor: Linked to IcedID and Latrodectus | ThreatLabz Technical Analysis of Zloader Updates | ThreatLabz Mitigating Risks from the Shai-Hulud NPM Worm | ThreatLabz Malicious PyPI Packages Deliver SilentSync RAT | ThreatLabz Technical Analysis of SmokeLoader Version 2025 | ThreatLabz Technical Analysis of kkRAT | ThreatLabz APT37: Rust Backdoor & Python Loader | ThreatLabz Anatsa’s Latest Updates | ThreatLabz Termncolor and Colorinal Explained | ThreatLabz GenAI Used to Impersonate Brazil’s Govt Websites | ThreatLabz Tracking Updates to Raspberry Robin | ThreatLabz Ransomware Surges, Extortion Escalates: ThreatLabz 2025 Ransomware Report | Zscaler China-nexus APT Targets the Tibetan Community | ThreatLabz CVE-2025-53770 | ThreatLabz Black Hat SEO Poisoning Search Engine Results For AI | ThreatLabz
GuLoader Obfuscation Analysis | ThreatLabz
ThreatLabz · 2026-02-09 · via Security Research | Blog

Technical Analysis

This section covers the obfuscation techniques that GuLoader leverages to hinder analysis and evade detection.

Dynamic constant construction

GuLoader employs polymorphic code to dynamically construct constants during execution. Instead of embedding these values statically, GuLoader uses a combination of assembly operations such as movxoradd, and sub to build the constants as needed, as shown in the figure below.

Shows an example of the operations that GuLoader uses to dynamically construct constant values during execution.

Figure 1: Shows an example of the operations that GuLoader uses to dynamically construct constant values during execution.

The main purpose of obfuscating these constant values is to increase the difficulty of interpreting the underlying code. The polymorphic operations also impede static-based signatures that can be used for detection.

Exception-based code redirection

GuLoader utilizes a control flow obfuscation technique that replaces standard code jump (jmp) instructions with deliberate CPU exceptions.

  • Exception handling: GuLoader sets up a custom exception handler designed to intercept and process designated exceptions.
  • Intentional exception: Rather than using a standard jump instruction, GuLoader executes carefully crafted instructions intended to deliberately trigger specific exceptions.
  • Code redirection: Upon activation, the exception handler calculates the correct destination address and modifies the instruction pointer to continue execution at the intended location.

This technique makes the malware's execution flow extremely difficult for automated analysis tools to trace. The table below outlines the exception types that GuLoader actively handles across different versions.

Exception Code

Exception Type

2022

2023

2024-2025

0x80000003

STATUS_BREAKPOINT

X

X

X

0x80000004

STATUS_SINGLE_STEP

 

X

X

0xC0000005

STATUS_ACCESS_VIOLATION

 

X

X

0xC000001D

STATUS_ILLEGAL_INSTRUCTION

  

X

0xC0000096

STATUS_PRIVILEGED_INSTRUCTION

  

X

Table 1: Exception types handled by GuLoader across different versions.

Software breakpoint exceptions

Early versions of GuLoader implemented a simplified approach to exception-based control flow obfuscation. The malware would trigger a software breakpoint interrupt by executing an int 3 instruction, as shown in the figure below.

Demonstrates version 2022 of GuLoader’s use of an int 3 instruction to trigger a software interrupt.

Figure 2: Demonstrates version 2022 of GuLoader’s use of an int 3 instruction to trigger a software interrupt.

GuLoader’s custom exception handler would then take control after the int 3 command was triggered. The handler analyzed the byte of data located immediately after the interrupt instruction, performed a simple calculation (an XOR operation, where the XOR key remains the same across all operations), and derived the actual destination address for the jump. Once calculated, the handler redirected the program’s execution, resuming it at the intended location, as shown in the figure below.

Example of GuLoader’s exception handler observed in samples from 2022.

Figure 3: Example of GuLoader’s exception handler observed in samples from 2022.

In early initial versions of GuLoader, the exception handler included an additional anti-debugging mechanism that verified the presence of software breakpoints at the address of the jump destination. This extra step added another layer of complexity and made analysis even more complex. However, this feature was removed in later versions of GuLoader. The figure below depicts GuLoader 2022’s mechanism for scanning software breakpoints that check for the value 0xCC (i.e., int 3).

Example of GuLoader manipulating control flow via software breakpoints.

Figure 4: Example of GuLoader manipulating control flow via software breakpoints.

In 2023, GuLoader's exception handler was updated to support two additional exceptions: 0x80000004 (STATUS_SINGLE_STEP) and 0xC0000005 (STATUS_ACCESS_VIOLATION). For these two exceptions, the exception handler follows an approach similar to software breakpoint exceptions. However, in this case, the (encrypted) jump offset is located two bytes past the exception address.

Example of GuLoader’s exception handler observed in samples from 2023.

Figure 5: Example of GuLoader’s exception handler observed in samples from 2023.

Single step exceptions

GuLoader purposefully triggers a single step exception (0x80000004) by manipulating the EFLAGS register by using the PUSHF instruction to copy the current EFLAGS onto the stack. GuLoader enables the Trap Flag (TF) by setting bit 8 of the EFLAGS value by adding the EFLAGS value on the stack with 0x100. The result (with the TF flag set) is then written to the EFLAGS register by executing a POPF instruction. When the very next instruction is executed by the CPU, the single step exception will be triggered and processed by GuLoader’s exception handler. The example below shows how GuLoader triggers a single step exception and how the exception handler (shown in the previous figure) redirects the control flow to the next valid instruction.

Example of GuLoader code leveraging single-step exceptions to manipulate control flow.

Figure 6: Example of GuLoader code leveraging single-step exceptions to manipulate control flow.

Access violation exceptions

GuLoader intentionally attempts to access (e.g., write to) a memory address below 0x10000, triggering an access violation. The custom exception handler intercepts this error and redirects the instruction pointer to the intended destination, as shown in the figure below.

Example of GuLoader code leveraging access violation exceptions to manipulate control flow.

Figure 7:  Example of GuLoader code leveraging access violation exceptions to manipulate control flow.

In 2024, GuLoader introduced support for two new additional exceptions: 0xC000001D (STATUS_ILLEGAL_INSTRUCTION) and 0xC0000096 (STATUS_PRIVILEGED_INSTRUCTION). These changes both led to a more intricate method for calculating the jump address. Since the instructions that trigger these exceptions can vary in length, placing the jump offset directly after the instruction is unreliable. To solve this, GuLoader's developers implemented a fixed, hardcoded offset within the exception handler. This offset consistently locates the encrypted jump address, regardless of the preceding instruction’s size. Rather than relying on a single obfuscated byte, the updated handler now includes a hardcoded offset that points to a secondary byte. This secondary byte contains the encrypted offset to the address of the jump target. To decrypt the encrypted offset, the handler uses a dynamically generated XOR key that ultimately reveals the final jump destination. This multi-step approach significantly increases the complexity of the technique, making the jumps even harder to trace. For example, in the figure below, the hardcoded offset is 0x23, and the XOR key used to decrypt this offset is 0x85. This dynamically generated XOR key is created within the same subfunction of the exception handler that also verifies hardware breakpoints, as shown in the figure below.

Example of GuLoader 2024 leveraging the five different exception types progressively added across versions to manipulate control flow.

Figure 8: Example of GuLoader 2024 leveraging the five different exception types progressively added across versions to manipulate control flow.

Dynamic hashing

Similar to many malware families, GuLoader uses the DJB2 hashing algorithm to identify API functions, modules, and process names. The GuLoader versions released after 2022 combine the DJB2 hash value with a bitwise XOR operation and a hardcoded 32-bit value (DWORD). The result is then compared against a pre-calculated list of expected hash values. This post-hash step is also common in malware families to prevent static values that can be used to create static detections.

Encrypted strings

GuLoader hides its command-and-control (C2) domains, file paths, and other critical information by encrypting strings with a simple XOR algorithm. Although the encryption mechanism itself is basic, the real challenge complexity lies in GuLoader’s polymorphic code, which makes the strings difficult to locate and decrypt.

Static encrypted strings

In version 2022, GuLoader stored encrypted strings statically within shellcode, along with the corresponding string decryption key, as shown in the figure below.

Version 2022 of GuLoader’s string decryption.

Figure 9: Version 2022 of GuLoader’s string decryption.

GuLoader used a clever technique to handle encrypted strings. A CALL instruction was placed immediately before the string’s XOR key to push the key's memory address onto the stack. The XOR key size is then dynamically calculated and written to the stack. In the example above, the size value is calculated using the formula ((0x34BB49B7 - 0x6774883) ^ 0x34EC7B91) - 0x1AA87A69 = 0x3C. Similarly, another CALL instruction was used to push the memory address of the encrypted string onto the stack, as shown in the figure below.

Shows version 2022 of GuLoader’s string decryption process.

Figure 10: Shows version 2022 of GuLoader’s string decryption process.

Additionally, a value is dynamically calculated and pushed onto the stack after the address of the encrypted string, indicating whether the string is ASCII (value 0) or wide (value 1). In the example above, the value is 0 to denote that the string is ASCII. Finally, the malware invoked the decryption function simple_xor_bufs (found inside the function decrypt_str), which retrieved both the encrypted string address and decryption key address from the stack to perform the XOR operation to obtain the final string.

The first four bytes (DWORD) of each encrypted string encoded the string’s length. The size is decrypted using a separate 4-byte XOR key.

ThreatLabz developed IDA scripts, available in the ThreatLabz GitHub repository, to decrypt the static encrypted strings found in GuLoader samples from 2022.

Stack-based string encryption

Starting in 2023, GuLoader updated their string encryption algorithms to use more convoluted polymorphic code that dynamically constructs the decrypted string with a combination of movxoradd, and sub operations on hardcoded constants, as shown in the figure below.

Example of a GuLoader function utilizing polymorphic code to dynamically decrypt a string on the stack.

Figure 11: Example of a GuLoader function utilizing polymorphic code to dynamically decrypt a string on the stack.

Once the individual components of the encrypted string and the encryption key are constructed, GuLoader uses simple XOR operations to decrypt the string. This modification to the string algorithm was further designed to complicate analysis and detection efforts, making emulation one of the best approaches to obtain the decrypted string.

Payload decryption

One of GuLoader's encrypted strings is binary data, often exceeding 0x300 bytes in length. This binary buffer functions as an XOR key, which is used to decrypt a malware payload that is downloaded from a hardcoded URL. The payload’s URL, which is itself an encrypted string, often points to a shared file hosted on legitimate cloud services like Google Drive or OneDrive. 

IDA scripts

To effectively deobfuscate GuLoader's constants, strings, and control flow, ThreatLabz created IDA scripts that are available in the ThreatLabz GitHub repository. These scripts dynamically calculate constants and string values, as well as remove the exception-based control flow obfuscation to streamline code analysis.