GuLoader, first reported in March 2020, was by June being widely used in malspam campaigns. Then in late June, GuLoader activity reduced significantly. In mid-July, GuLoader was again appearing in malspam campaigns. Researchers found GuLoader with an Italian company who provide a product named CloudEye which, according to their website, is used to protect windows applications from cracking, tampering, debugging, disassembling, and dumping. The exposure of CloudEye apparently caused the company to pause operations while they investigated the abuse of CloudEye. Around the time researchers began observing the return of GuLoader, the company behind CloudEye announced it had resumed operation with tighter controls to prevent abuse. The recent campaign, used DHL-themed emails with an attached ISO file containing GuLoader. The payload in this case was the FormBook info stealer malware.