Prepared by: Jason Trapp, DFIR Analyst| Last update: 10 February 2026
Triskele Labs was engaged to investigate a ransomware incident affecting a corporate environment. The investigation identified that initial access was achieved not through an advanced exploit, but through the installation of pirated software on an unmonitored endpoint.
A single user action enabled the execution of Guloader, a malware loader commonly used to deploy follow-on payloads such as credential stealers and remote access tools. From this foothold, a threat actor was able to harvest credentials and later gain access to the organisation’s environment, culminating in a ransomware event.
This case highlights a recurring issue we see across investigations: gaps in endpoint visibility and credential hygiene continue to present a reliable path to compromise.
Most organisations have invested heavily in securing their perimeter, identity platforms, and core infrastructure. However, initial access is increasingly occurring away from these controls.
Unmonitored or lightly managed endpoints, combined with credential reuse between personal and corporate systems, remain a consistent weakness. In this case, the attacker did not need to exploit the organisation directly, access was inherited through the user.
This reinforces the need to view endpoint visibility and identity exposure as business risks, not just technical concerns.
Guloader is a type of malware known as a loader. Its primary purpose is not to carry out an attack itself, but to establish an initial foothold on a system and then download and execute additional malicious payloads.
It is commonly delivered through malicious software installers, cracked applications, or fake updates. In many cases, Guloader is disguised as legitimate software to encourage users to run it without suspicion.
Once executed, Guloader typically avoids writing obvious malware files to disk. Instead, it uses scripts and encoded PowerShell to retrieve further payloads from external servers and execute them directly in memory. This approach makes detection more difficult for traditional antivirus tools that rely on file-based scanning.
Guloader is frequently used as an entry point for follow-on malware such as credential stealers, remote access tools, and, in some cases, ransomware. For attackers, it is a reliable way to turn a single user action into persistent access within a corporate environment.
Back to the incident - it began with the download and installation of a recently released game obtained from a malicious source. While the download itself occurred outside the monitored environment, the installer was later executed on the user’s system.
During installation, a file named avp.exe was briefly created and removed. Although the file could not be recovered, the naming strongly suggests an attempt to interfere with endpoint protection using a technique known as Bring Your Own Vulnerable Driver (BYOVD).
At this stage, the activity occurred entirely outside standard enterprise security visibility.
As part of the installation process, a file named 9Beige.dat was written to the user’s profile directory. Despite its .dat extension, analysis confirmed it was an executable.
A scheduled task was then created to execute this file using regsvr32.exe, a legitimate Windows binary commonly abused by threat actors to proxy malicious execution.
Several indicators stood out:
regsvr32.exe was used in a manner inconsistent with legitimate software updates.This approach allowed the malware to persist without relying on more obvious mechanisms such as services or startup folders.
A binary named 7zip.exe was dropped and executed on the system. While the filename suggested legitimate compression software, the executable was in fact Guloader.
The file deliberately masqueraded as trusted software through misleading metadata and branding. Its purpose was not to perform the final attack, but to act as a loader for additional payloads.
Once executed, Guloader initiated the next stage of the attack chain.
Following execution, Guloader dropped and ran a Visual Basic Script (VBS) from a temporary directory. This script contained base64-encoded PowerShell which:
One payload was embedded within what appeared to be a benign image file. The embedded data was extracted and executed directly in memory, avoiding the need to write a malicious binary to disk.
This technique significantly reduces the likelihood of detection by traditional antivirus controls.
With command-and-control established, the threat actor was positioned to harvest credentials and monitor user activity.
During the investigation, Triskele Labs identified credentials associated with the affected user that had been posted on the dark web. The timing of this exposure aligned with the execution of Guloader and occurred before ransomware was deployed within the corporate environment.
This indicates that credential theft, rather than direct exploitation of enterprise systems, was the critical enabler of broader access.
After execution, Guloader actively removed many of its artefacts. Temporary directories and scripts were deleted, and registry keys were created to ensure cleanup occurred after reboot.
This behaviour makes early-stage detection and forensic analysis more difficult and increases the likelihood that initial access goes unnoticed until a later-stage impact occurs.
This incident reinforces several points that consistently emerge across ransomware investigations:
For IT and security teams, practical considerations include:
This ransomware incident did not begin with a direct attack on enterprise infrastructure. It began with a single user installing unauthorised software on an endpoint outside effective monitoring.
For organisations, the message is clear: endpoint visibility and identity protection are critical to preventing initial access. Addressing these gaps early can be the difference between a contained event and a full-scale ransomware incident.
DFIR Technical Analysis: https://www.triskelelabs.com/blog/dfir-guloader-loader-execution-chain