Cybersecurity threats continue to evolve with attackers using more creative social engineering techniques to target organizations. <\/p>\n
A recent threat has emerged involving the Guloader malware, which is being disguised as employee performance reports to trick users into downloading and executing malicious files. <\/p>\n
This sophisticated attack vector exploits human trust and workplace familiarity to distribute dangerous malware that can compromise sensitive company data and personal information.<\/p>\n
The attack begins with a phishing email claiming to contain an October 2025 employee performance report. <\/p>\n
![\"Phishing](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjp1-J7qpzdBOc6M21AnzwOtGaPLmYl17v5VZwd3HMZO-XoDMFDkjVGeTO5qozVV5I8s9tq1QPdv7YNQpDVN1wzFaCGa3ew3lyCRMAi2ZE4qh6H4B4C5Jht5MPXiGcB8gE_IW7FORycTiya6o6B3xrufEV1948QadR6hVb0XRK9qlj4e_cBvbm46D7IrRs\/s16000\/Phishing%2520email%2520body%2520%28Source%2520-%2520ASEC%29.webp?ssl=1\")
The email uses urgency tactics by mentioning potential employee dismissals, prompting recipients to open the attachment. <\/p>\n
This psychological manipulation increases the likelihood of users bypassing security awareness<\/a> and opening what appears to be a legitimate business document. <\/p>\n The deceptive nature of this campaign makes it particularly dangerous, as it targets the intersection of workplace communication and security vulnerability.<\/p>\n ASEC analysts and researchers noted<\/a> that the attached file is a RAR compressed archive containing an NSIS executable file disguised as \u201cstaff record pdf.exe\u201d. <\/p>\n If users have file extensions hidden in their operating system settings, this executable appears as a standard PDF document. <\/p>\n Once executed, the malware<\/a> initiates a multi-stage infection process designed to evade detection and establish persistent access to the victim\u2019s system.<\/p>\n Understanding how Guloader operates reveals the sophisticated nature of this attack. <\/p>\n When the executable runs, it connects to a remote server and downloads encrypted shellcode from a Google Drive URL, specifically from \u201chxxps:\/\/drive.google[.]com\/uc?export=download&id=1bzvByYrlHy240MCIX7Cv41gP9ZY3pRsgv\u201d and retrieves a file named \u201cEMvmKijceR91.bin\u201d. <\/p>\n The downloaded shellcode is then injected directly into the system\u2019s memory, allowing the malware to run without writing files to disk. <\/p>\n This memory-only execution technique makes detection significantly more challenging for traditional security solutions that rely on file-based scanning.<\/p>\n The final payload delivered by Guloader is Remcos RAT<\/a>, a remote access trojan that provides attackers with comprehensive control over infected systems. <\/p>\n Remcos enables threat actors to perform keylogging<\/a>, capture screenshots, control webcams and microphones, and extract browser histories along with stored passwords. <\/p>\n The malware communicates with command and control servers located at \u201c196.251.116[.]219\u201d on ports 2404 and 5000, establishing a persistent connection for ongoing unauthorized access. <\/p>\n Organizations should implement email filtering rules to block suspicious attachments, disable file extension hiding in user systems, and deploy advanced endpoint detection<\/a> and response solutions to identify and block this threat at multiple stages of the attack chain.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post Beware of Weaponized Employee Performance Reports that Deploys Guloader Malware<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"Inside](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgFBYe6rQT1rTsOsKKJ4WMNDzh7uy-8bUdO59iQVgr4Xoy89_VolEOjbf4sgK7DEAeAXSZD-vhnUI_ubIjm4Yb6bTdK090PWTcUdPBmHsfFt9thn8Kk4VFC6B_q8L_hK_-E9ecQnZqlaRqpVvOwglr69u47U-GN3o5041tOeGQ5gddXc71bc7K4kxjqXLw\/s16000\/Inside%2520the%2520attached%2520compressed%2520file%2520%28Source%2520-%2520ASEC%29.webp?ssl=1\")
The Multi-Stage Infection Mechanism<\/strong><\/h2>\n
![\"C2](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgsRQpdhENXXaCkIKPI7udMf8OpqYLVPPJo__XDtxf9dUQKfJxX-N2muiO9a9ODvNPzp7N1ondT8RAGoFOivR9B0NiWAFnYXtY1UfUFfbDMJhihq7JQqhOx7GsBTg34fRVBZjN2QI4xYjOhyphenhyphen0gmOPfgMntAQREeWSG68ss2QdM4w7FJx4wnOJU0HW0fAII\/s16000\/C2%2520information%2520of%2520Remcos%2520RAT%2520%28Source%2520-%2520ASEC%29.webp?ssl=1\")