GuLoader is a downloader written partly in Visual Basic 6 and originally seen delivering Parallax RAT. Multiple threat actors are currently using it to download a variety of RATs and information stealers. The executable is typically delivered either embedded in an ISO or RAR file or via direct download from cloud hosting platforms such as Google Drive or Microsoft OneDrive. Once executed, the VB6 wrapper decrypts the shellcode that provides the main functionality; to do this while hindering analysis, the loader relies on sophisticated injection techniques. Once decrypted, the shellcode downloads a PE executable from a remote URL whose filename follows the pattern “_encrypted_XXXXXX.bin”, where “XXXXXXX” are hexadecimal digits. The downloaded file is XOR-encoded, and the XOR key is stored in the GuLoader shellcode. Examples of dropped payloads include Agent Tesla/Origin Logger, FormBook, NanoCore RAT, Netwire RAT, Remcos RAT, Ave Maria/Warzone RAT and Parallax RAT.