Weaponized Employee Performance Reports Used to Deliver Guloader Malware
The attack demonstrates how threat actors weaponize legitimate workplace communication to bypass security awareness and trick users into executing malicious code.
The phishing emails falsely claim to contain October 2025 performance reports and employ social engineering tactics to create urgency.
Attackers specifically mention plans for employee dismissals, pressuring recipients to open attachments without proper verification.
This psychological manipulation significantly increases user engagement compared to standard phishing attempts.
The malicious attachment arrives as a RAR compressed file containing an executable masquerading as a PDF document.
Named “staff record pdf.exe,” the file relies on the Windows default of hiding known file extensions, so it appears as a legitimate PDF. Unsuspecting users who lack technical knowledge may execute the file believing it to be a document.
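As an added illustration that is not part of the article or the ASEC report, the check below is what a mail-gateway or triage script could apply to attachment names: it decides on the real extension rather than on what Windows will display, and treats an archive as the worst of its members. Only the name “staff record pdf.exe” comes from the campaign; the archive name and the second member are constructed for the example.

```python
import re
from typing import Dict, List

# Extensions Windows runs on double-click; the campaign's payload used ".exe".
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js",
                   "jse", "wsf", "hta", "msi", "lnk"}
# Words attackers put in the visible part of the name to imitate a document.
DOCUMENT_WORDS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt",
                  "record", "report"}
ARCHIVE_EXTS = {"rar", "zip", "7z", "iso", "img"}


def classify_attachment(name: str) -> Dict[str, object]:
    """Verdict for one file name as a gateway or EDR sees it.

    With "Hide extensions for known file types" on, Windows shows
    'staff record pdf.exe' as 'staff record pdf', so the decision must be
    made on the real extension, not on what the user will see.
    """
    lower = name.strip().lower()
    stem, dot, ext = lower.rpartition(".")
    if not dot:                      # no extension at all
        stem, ext = lower, ""
    ext = ext.strip()                # tolerate stray spaces around the extension
    tokens = set(re.split(r"[\s._-]+", stem)) - {""}
    is_exec = ext in EXECUTABLE_EXTS
    imitated = sorted(tokens & DOCUMENT_WORDS) if is_exec else []
    reasons: List[str] = []
    if is_exec:
        reasons.append(f"executable extension .{ext}")
    if imitated:
        reasons.append("name imitates a document: " + ", ".join(imitated))
    verdict = "block" if imitated else "review" if is_exec else "allow"
    shown_as = name.strip().rpartition(".")[0] if dot else name.strip()
    return {"name": name, "shown_as": shown_as, "verdict": verdict, "reasons": reasons}


def scan_archive_listing(archive_name: str, members: List[str]) -> Dict[str, object]:
    """Classify every member of an archive; the archive inherits the worst verdict."""
    ext = archive_name.strip().lower().rpartition(".")[2]
    results = [classify_attachment(m) for m in members]
    order = {"allow": 0, "review": 1, "block": 2}
    worst = max((r["verdict"] for r in results), key=order.__getitem__, default="allow")
    return {"archive": archive_name, "is_archive": ext in ARCHIVE_EXTS,
            "verdict": worst, "members": results}


# Constructed listing modelled on the campaign; only the first member name is real.
SAMPLE_ARCHIVE = "October_performance_reports.rar"
SAMPLE_MEMBERS = ["staff record pdf.exe", "readme.txt"]

if __name__ == "__main__":
    result = scan_archive_listing(SAMPLE_ARCHIVE, SAMPLE_MEMBERS)
    print(result["archive"], "->", result["verdict"])
    for m in result["members"]:
        print(" ", m["name"], "shown as", repr(m["shown_as"]), "->", m["verdict"], m["reasons"])
```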
Guloader serves as a loader that downloads and executes shellcode from a compromised Google Drive URL, establishing a multi-stage infection process.
The final payload is Remcos RAT (Remote Access Trojan). This powerful remote access tool grants threat actors complete control over infected systems.
Once deployed, Remcos RAT enables attackers to perform extensive post-exploitation activities, including keystroke logging, screenshot capture, webcam and microphone hijacking, and credential harvesting from web browsers. The C2 infrastructure uses 196.251.116.219 on ports 2404 and 5000.
Organizations should implement comprehensive email security controls and user training programs. Employees must verify sender addresses independently before opening attachments from unknown sources.
Regular password changes mitigate potential credential compromise, and multi-factor authentication provides additional protection against unauthorized access following breach incidents.
Hash indicator (MD5): c95f2a7556902302f352c97b7eed4159
AhnLab Security Intelligence Center (ASEC) notes that the misuse of legitimate cloud platforms for command-and-control reflects an increasingly sophisticated and evasive threat environment.
The post Weaponized Employee Performance Reports Used to Deliver Guloader Malware appeared first on Cyber Security News.