S0561: GuLoader
Analyst context for executives and security teams
GuLoader matters because it is a Windows file downloader associated in ATT&CK with delivery of multiple RAT families, including NETWIRE, Agent Tesla, NanoCore, FormBook, and Parallax RAT. For leaders, the risk is not just the loader itself; it is the follow-on remote access capability it can introduce after a user clicks a malicious link or opens a malicious file.
Executive priority
Prioritize GuLoader as a validation case for phishing resilience, endpoint visibility, web egress control, and incident response readiness. The ATT&CK relationships show a chain spanning spearphishing links, user execution, web-based command-and-control, tool transfer, process injection, file deletion, sandbox evasion checks, and Windows Run Key or Startup Folder persistence. Executives should ask whether the organization can prove visibility across email, endpoint, and network layers before a downloader becomes a broader remote access incident.
Technical view
SOC and IR teams should treat this object as a Windows downloader profile with related behaviors rather than a single detection signature. Validate coverage for suspicious user-initiated execution from links or files, outbound web traffic used for payload retrieval or C2, downloaded secondary files, process injection indicators, Run Key or Startup Folder persistence, file deletion after execution, and anti-analysis behaviors such as system or time-based checks. Because ATT&CK provides no official detection text for GuLoader, detection engineering should map local telemetry to the related techniques: T1566.002, T1204.001, T1204.002, T1071.001, T1102, T1105, T1106, T1055, T1070.004, T1497.001, T1497.003, and T1547.001.
Likely telemetry
- Email security logs for messages containing links and user click events
- Web proxy, DNS, firewall, and TLS metadata for outbound web protocol activity and external web service use
- Endpoint process creation and parent-child process telemetry on Windows hosts
- File creation, download, execution, and deletion events
- Windows Registry and Startup Folder monitoring for persistence via Run Keys or startup entries
Detection direction
- Do not rely on one layer: correlate email/link activity, endpoint execution, and outbound web traffic to identify downloader-style behavior.
- Tune for user-driven execution followed by external file retrieval, new process activity, persistence changes, or deletion of staging artifacts.
- Review gaps where HTTPS or common web services are allowed with limited inspection, because related ATT&CK techniques include Web Protocols and Web Service C2.
- Validate endpoint visibility for process injection and Native API behavior, while accounting for false positives from legitimate software that performs low-level process or memory operations.
- Test whether sandboxing and malware analysis workflows account for system checks and time-based checks that may suppress behavior during automated analysis.
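The multi-layer correlation described above, as an added example that is not part of the ATT&CK object or the Glexia page: a small Python correlator that maps constructed email, endpoint, proxy and registry events to the chain stages on this page (link click, Office child process, HTTP retrieval, Run Key write, self-deletion) and alerts when enough distinct stages land on one host inside a time window. The event schema, the 100 KB download threshold and the 10-minute window are assumptions chosen for the demonstration.

```python
"""Correlate constructed telemetry into a GuLoader-style downloader chain alert.

Assumed (hypothetical) event shape: dict with host, ts (epoch seconds), kind,
plus kind-specific fields. Stages mirror the technique relationships on this page:
link_click (T1566.002/T1204.001), office_child (T1204.002),
download (T1071.001/T1105), run_key (T1547.001), self_delete (T1070.004).
"""
from collections import defaultdict

OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
RUN_KEY = r"\currentversion\run"
WINDOW = 600           # assumption: stages must occur within 10 minutes on one host
DOWNLOAD_BYTES = 100_000  # assumption: treat larger GET responses as file retrieval

def stage_of(ev):
    """Map one event to a chain stage name, or None if it is not relevant."""
    k = ev["kind"]
    if k == "email_click":
        return "link_click"
    if k == "process" and ev.get("parent", "").lower() in OFFICE_PARENTS:
        return "office_child"
    if k == "http" and ev.get("method") == "GET" and ev.get("bytes_in", 0) > DOWNLOAD_BYTES:
        return "download"
    if k == "registry" and RUN_KEY in ev.get("key", "").lower():
        return "run_key"
    if k == "file_delete" and ev.get("path", "").lower().endswith(".exe"):
        return "self_delete"  # loose heuristic; tune to your staging paths
    return None

def correlate(events, min_stages=3):
    """Return {host: sorted stages} for hosts hitting >= min_stages distinct stages
    within WINDOW seconds. Order-insensitive on purpose: a missing layer (e.g. no
    email telemetry) lowers the stage count but does not suppress the alert."""
    per_host = defaultdict(list)
    for ev in events:
        st = stage_of(ev)
        if st:
            per_host[ev["host"]].append((ev["ts"], st))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            stages = {s for t, s in hits[i:] if t - t0 <= WINDOW}
            if len(stages) >= min_stages:
                alerts[host] = sorted(stages)
                break
    return alerts

SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    {"host": "WS01", "ts": 1000, "kind": "email_click", "url": "http://example.invalid/doc"},
    {"host": "WS01", "ts": 1030, "kind": "process", "parent": "WINWORD.EXE", "image": "x.exe"},
    {"host": "WS01", "ts": 1060, "kind": "http", "method": "GET", "bytes_in": 350_000},
    {"host": "WS01", "ts": 1090, "kind": "registry", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"},
    {"host": "WS02", "ts": 1000, "kind": "http", "method": "GET", "bytes_in": 500_000},
    {"host": "WS02", "ts": 5000, "kind": "registry", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\legit"},
]
```

WS02 shows the false-positive guard: a large download and a Run Key write over an hour apart never share a window, so a single legitimate installer does not alert.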
Mitigation priorities
- Strengthen phishing controls and user reporting workflows for malicious links and files.
- Enforce least-privilege and endpoint hardening on Windows systems to reduce the value of user-executed malware.
- Monitor and restrict unauthorized persistence through Run Keys and Startup Folders.
- Apply egress filtering and web access governance so payload retrieval and web-based C2 are easier to detect and contain.
- Ensure IR playbooks include rapid scoping for secondary payloads, persistence artifacts, file deletion, and possible RAT follow-on activity.
Analyst notes and limits
The supplied ATT&CK object identifies GuLoader as a downloader used since at least December 2019 and links it to several RAT payloads. The most useful defensive value comes from the relationships: they describe the types of behaviors teams should validate across prevention, detection, and response rather than providing a complete GuLoader analytic.
ATT&CK provides no official detection guidance, aliases, labels, or tactics directly on the malware object. This take is therefore based on the official description, Windows platform field, external references, and the supplied technique relationships. Local telemetry, environment baselines, and current threat intelligence are required before making exposure or detection-coverage claims.
GuLoader
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1566.002 | Spearphishing Link Sub-technique | GuLoader has been spread in phishing campaigns using malicious web links. [1] |
| Enterprise | T1055 | Process Injection | |
| Enterprise | T1497.001 | System Checks Sub-technique | GuLoader has the ability to perform anti-VM and anti-sandbox checks using string hashing, the API call |
| Enterprise | T1106 | Native API | GuLoader can use a number of different APIs for discovery and execution. [2] |
| Enterprise | T1070.004 | File Deletion Sub-technique | GuLoader can delete its executable from the |
| Enterprise | T1105 | Ingress Tool Transfer | GuLoader can download further malware for execution on the victim's machine. [2] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | GuLoader can use HTTP to retrieve additional binaries. [1][2] |
| Enterprise | T1204.001 | Malicious Link Sub-technique | GuLoader has relied upon users clicking on links to malicious documents. [1] |
| Enterprise | T1102 | Web Service | GuLoader has the ability to download malware from Google Drive. [2] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | GuLoader can establish persistence via the Registry under |
| Enterprise | T1497.003 | Time Based Checks Sub-technique | GuLoader has the ability to perform anti-debugging based on time checks, API calls, and CPUID. [2] |
| Enterprise | T1204.002 | Malicious File Sub-technique | The GuLoader executable has been retrieved via embedded macros in malicious Word documents. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | 014eb26d1b09… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Unit 42 NETWIRE April 2020: Duncan, B. (2020, April 3). GuLoader: Malspam Campaign Installing NetWire RAT. Retrieved January 7, 2021.
- [2] Medium Eli Salem GuLoader April 2021: Salem, E. (2021, April 19). Dancing With Shellcodes: Cracking the latest version of Guloader. Retrieved July 7, 2021.
- [3] mitre-attack S0561: MITRE ATT&CK software object S0561 (GuLoader).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.