EXECUTIVE SUMMARY:
The report details a phishing-based malicious campaign in which threat actors distribute malicious payloads by impersonating internal corporate communications related to employee performance evaluations. The emails are crafted to resemble legitimate workplace notices and exploit psychological pressure by suggesting sensitive outcomes such as poor evaluations or potential termination. This tactic increases the likelihood that recipients will open the attached file without scrutiny. The phishing emails contain a compressed archive that appears to hold a legitimate document, using deceptive file naming conventions to mask the true executable nature of the payload. Because file extensions are often hidden by default, the malicious executable can easily be mistaken for a standard PDF or report file. This approach reflects a common strategy in modern threat campaigns, where attackers rely on social engineering rather than technical exploits to gain an initial foothold. By exploiting trust in internal communications and routine HR processes, the attackers significantly reduce suspicion at the entry stage. The campaign demonstrates how carefully crafted lures remain highly effective in bypassing user awareness and security controls, making phishing a persistent and dangerous initial access vector.
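The disguised-executable trick described above (a document-looking name on a file that is really a Windows executable, inside a compressed attachment) is something a mail gateway or triage script can check for without opening the file. The following is an added example, not code from the report or the campaign; it builds a constructed sample archive in memory and flags members whose name or PE header contradicts the document type they pretend to be.

```python
import io
import zipfile

# Extensions a recipient would expect on a "performance report" attachment.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".rtf"}
# Extensions Windows runs directly on double-click (hidden when "known extensions" are off).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta"}


def deceptive_members(zip_bytes: bytes) -> list[str]:
    """Return one finding string per archive member that looks like a disguised executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1].lower()
            parts = base.split(".")
            true_ext = "." + parts[-1] if len(parts) > 1 else ""
            inner_exts = {"." + p for p in parts[1:-1]}
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic bytes are needed
            # Case 1: "Report.pdf.exe" style double extension; Explorer shows "Report.pdf".
            if true_ext in EXECUTABLE_EXTS and inner_exts & DOCUMENT_EXTS:
                findings.append(f"{info.filename}: document name but executable extension {true_ext}")
            # Case 2: honest-looking document extension, but the content is a PE file ("MZ").
            elif true_ext in DOCUMENT_EXTS and head == b"MZ":
                findings.append(f"{info.filename}: claims {true_ext} but begins with a PE 'MZ' header")
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: two disguised PE stubs plus one genuinely harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Performance_Review_2024.pdf.exe", b"MZ\x90\x00 fake PE stub")
        zf.writestr("Q3_Evaluation.pdf", b"MZ\x90\x00 fake PE stub")
        zf.writestr("README.txt", b"Please review the attached evaluation.")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in deceptive_members(build_sample_archive()):
        print("SUSPICIOUS:", finding)
```

The same two checks apply to the extracted file on disk; the archive case is shown because that is how the lure is delivered.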
Once the user executes the disguised executable extracted from the compressed attachment, the malware functions as a loader, initiating a multi-stage infection chain. The loader retrieves additional malicious components from an external cloud-based storage service, a technique that helps blend malicious traffic with legitimate network activity and evade detection. The downloaded shellcode is executed directly in memory, reducing forensic artifacts on disk and complicating analysis. This shellcode ultimately deploys a remote access trojan (RAT) that provides attackers with persistent control over the compromised system. The RAT supports a wide range of malicious capabilities, including keystroke logging, screen capture, credential harvesting from browsers, and remote command execution. It establishes communication with a command-and-control server to receive instructions and exfiltrate stolen data. The use of a loader combined with memory-resident execution highlights the attackers’ focus on stealth and flexibility. This layered execution model allows threat actors to easily swap payloads, update functionality, and maintain long-term access while minimizing exposure to traditional signature-based defenses.
This campaign highlights the ongoing effectiveness of phishing-driven malware delivery when paired with well-established loader malware and capable remote access tools. By leveraging realistic workplace themes and disguising executables as routine documents, attackers significantly increase user interaction rates and reduce early detection. The technical execution demonstrates a deliberate effort to evade defenses through in-memory payload execution and the abuse of legitimate cloud services for malware hosting. Such tactics complicate traditional perimeter-based security controls and emphasize the importance of endpoint-level protection. The incident reinforces the need for strong email filtering, user awareness training, and careful inspection of attachments, even when they appear to originate from internal or trusted contexts. Additionally, maintaining updated security solutions and enforcing least-privilege access can limit the impact of successful infections. Overall, the campaign serves as a reminder that modern threat operations often combine simple social engineering with sophisticated delivery mechanisms, making layered defenses and informed users critical to reducing organizational risk.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-Technique |
| --- | --- | --- | --- |
| Reconnaissance | T1598 | Phishing for Information | — |
| Resource Development | T1587.001 | Develop Capabilities | Malware |
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Execution | T1204.002 | User Execution | Malicious File |
| Execution | T1059.003 | Command and Scripting Interpreter | Windows Command Shell |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation | — |
| Defense Evasion | T1027.004 | Obfuscated Files or Information | Compile After Delivery |
| Defense Evasion | T1218.011 | System Binary Proxy Execution | Rundll32 |
| Discovery | T1082 | System Information Discovery | — |
| Lateral Movement | T1021 | Remote Services | — |
| Collection | T1113 | Screen Capture | — |
| Collection | T1056.001 | Input Capture | Keylogging |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Command and Control | T1105 | Ingress Tool Transfer | — |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
| Impact | T1486 | Data Encrypted for Impact | — |
REFERENCES:
The following report contains further technical details:
https://securityonline.info/guloader-malware-rides-wave-of-fake-performance-reports/