GuLoader Obfuscation Analysis
ID: ee637ac6-f4aa-515c-b91a-cb49f529af37
STIX ID: report--ee637ac6-f4aa-515c-b91a-cb49f529af37
Feed Name: Zscaler Security Research Blog
This report provides a technical analysis of the GuLoader malware loader, describing how it employs polymorphic code to dynamically construct constants, uses exception-based control-flow obfuscation (software breakpoints, single-step, access violations, illegal/privileged instructions) to hinder analysis, and implements dynamic hashing and XOR-based string/payload encryption. The analysis documents progressive changes from 2022–2024, illustrates payload-decryption behavior (often retrieving payloads from cloud services), and supplies IDA scripts to deobfuscate and recover constants and strings.
