COVID-19 continues to be a leading lure to unsuspecting victims in malspam campaigns. The latest report from researchers has shown a sharp spike in this campaign since March 2020. The usage of GuLoader has shown the COVID-19 lures have shown no signs of slowing. Invoicing, COVID-1, and wire transfers are the latest in subjects that are employed in the campaign. Each of the malspam contains an attachment that is implanted with GuLoader. GuLoader is a popular RAT distribution program. This can allow attackers to control, monitor, and steal information from infected machines. Utilizing cloud services, the payload is kept encrypted. The malware is allocated within virtual memory and decrypted via XOR with read, write, and execute access. The payload is stored within a Google Drive folder. Anti-analysis techniques are employed such as an anti-debugger. GuLoader also creates a folder in which to place a copy of itself as well as modifying a registry key to achieve persistence. Using process hollowing, the malware will use the child processes to download, decrypt, and map the payload into memory. Common payloads include: Formbook, NetWire, Remcos, Lokibot, and others.