Guloader Uses Polymorphic Code and Trusted Cloud Hosting in Recent Campaigns


What happened

Researchers at Zscaler have identified new activity involving the Guloader malware using polymorphic code and public cloud hosting infrastructure to evade detection and distribute additional payloads. According to the report, operators behind Guloader have updated their delivery mechanisms to generate unique, changing code signatures and to host components on trusted cloud services, making the malicious content more difficult to block via traditional security filters. Guloader is a modular loader, meaning once it gains execution on a target system it can fetch and deploy a range of secondary malware families and tools. Zscaler’s analysis showed that the polymorphic nature of the loader — combined with distribution through reputable cloud platforms — complicates defensive filtering based on static signatures or domain reputation alone. The activity reflects continued adaptation by the threat actors to blend malicious infrastructure with widely used hosting services.

Who is affected

Users and systems where Guloader malware is delivered and executed are affected, as the loader’s polymorphic code and cloud hosting techniques enable it to fetch and deploy additional malicious payloads that can compromise endpoints.

Why CISOs should care

The use of polymorphic code and legitimate cloud hosting by malware loaders like Guloader highlights evolving tactics designed to evade security controls and exploit trusted infrastructure, increasing risk of payload delivery and post-infection activity in enterprise environments.

3 practical actions

  • Monitor for cloud-hosted malicious payloads. Review outbound connections to cloud domains that may host Guloader components.
  • Enhance detection for polymorphic loaders. Employ behavior-based detection capable of identifying anomalous loader activity rather than static signatures alone.
  • Audit endpoint execution events. Detect suspicious process creation and module fetch operations indicative of dynamic loaders.
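One way to put the second and third actions into practice together, as an added example that is not part of the Zscaler report: a small correlation over constructed endpoint telemetry that flags a process which fetches from a cloud hosting domain without being an expected cloud client and then loads a module or spawns a child shortly afterwards. The domain list, the process allowlist, the event field names and the sample events are all assumptions.

```python
"""Correlate endpoint telemetry to surface loader-like behaviour: a process that
is not an expected cloud client fetches from a cloud hosting domain and shortly
afterwards loads a module or spawns a child. Domains, field names and sample
events are constructed assumptions, not indicators from the Zscaler report."""

# Assumed: cloud hosting domains allowed by reputation, and the processes that
# are expected to talk to them directly.
CLOUD_HOSTS = {"storage.example-cloud.test", "cdn.example-cloud.test"}
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "onedrive.exe"}

def is_cloud_host(host):
    """True if host is one of the cloud domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in CLOUD_HOSTS)

def correlate(events, window=120):
    """One alert per process that fetched from a cloud host while not being an
    expected client, then loaded a module or spawned a child within `window`
    seconds. Events: dicts with ts, type (net|module|proc), pid, image, and
    dest, module or child respectively."""
    pending = {}  # pid -> (ts, dest) of its first unexpected cloud fetch
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        pid, image = ev["pid"], ev["image"].lower()
        if ev["type"] == "net":
            if is_cloud_host(ev["dest"]) and image not in EXPECTED_CLIENTS:
                pending.setdefault(pid, (ev["ts"], ev["dest"]))
        elif ev["type"] in ("module", "proc") and pid in pending:
            t0, dest = pending.pop(pid)  # one alert per fetching process
            if ev["ts"] - t0 <= window:  # stale fetches are dropped silently
                follow = ev.get("module") or ev.get("child")
                alerts.append({"pid": pid, "image": image, "dest": dest,
                               "follow_on": f"{ev['type']}:{follow}"})
    return alerts

# Constructed sample telemetry: a benign browser fetch, a script host fetch
# followed by a module load and a child spawn, and a fetch whose follow-on
# falls outside the correlation window.
SAMPLE_EVENTS = [
    {"ts": 0, "type": "net", "pid": 41, "image": "chrome.exe", "dest": "storage.example-cloud.test"},
    {"ts": 5, "type": "net", "pid": 77, "image": "wscript.exe", "dest": "files.cdn.example-cloud.test"},
    {"ts": 9, "type": "module", "pid": 77, "image": "wscript.exe", "module": "C:\\Temp\\stage2.dll"},
    {"ts": 40, "type": "proc", "pid": 77, "image": "wscript.exe", "child": "rundll32.exe"},
    {"ts": 50, "type": "proc", "pid": 41, "image": "chrome.exe", "child": "chrome.exe"},
    {"ts": 60, "type": "net", "pid": 90, "image": "powershell.exe", "dest": "cdn.example-cloud.test"},
    {"ts": 900, "type": "proc", "pid": 90, "image": "powershell.exe", "child": "notepad.exe"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the allowlists would come from an inventory of sanctioned cloud clients, and the window would be tuned against the environment's own process-creation baseline.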