24/69 Wednesday, January 14, 2026

The AhnLab Security Intelligence Center (ASEC) has identified a cyberattack campaign leveraging social engineering techniques to create psychological pressure through phishing emails. The emails use subject lines related to monthly performance evaluation reports and reference potential employee layoffs, aiming to induce panic and prompt recipients to urgently open the attached files. The attachment is a compressed ZIP file containing an executable named “staff record pdf.exe”, which uses a double extension technique to masquerade as a legitimate PDF document, especially targeting users who have file extensions hidden in their system settings.
Once a victim is tricked into executing the file, GuLoader malware is immediately launched. GuLoader operates primarily in memory and employs obfuscation techniques to evade detection by antivirus solutions. It then connects to a Google Drive link to download the main payload. The abuse of a popular cloud service helps the malware bypass certain security filters. After the download is completed, the system becomes infected with Remcos RAT (Remote Access Trojan), which establishes communication with its command-and-control (C2) server.
Infection with Remcos RAT allows attackers to remotely control the victim’s computer, perform keystroke logging, steal saved browser passwords, access web browsing history, and secretly record audio and capture images via the microphone and webcam. Users are strongly advised to remain cautious of emails containing urgent or threatening content related to performance evaluations or employment status, carefully verify file extensions before opening attachments, and avoid opening files received from untrusted or suspicious sources.
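The attachment check advised above can be automated at a mail gateway or during triage. The following is an added example, not code from ASEC or the source article: it lists ZIP members whose name ends in an executable extension preceded by a document-type token, covering the space-separated form "staff record pdf.exe" as well as the dotted form. The extension lists, function names and sample archive are assumptions constructed for illustration.

```python
import io
import re
import zipfile
from pathlib import PureWindowsPath

# Assumed lists for illustration; extend them to match local policy.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk"}
DOC_TOKENS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}

def masquerade_reason(name):
    """Return why an archive member name looks like a disguised executable, or None."""
    # Keep only the file name, whichever path separator the archive used.
    base = PureWindowsPath(name.replace("/", "\\")).name
    stem, dot, ext = base.rpartition(".")
    ext = ext.lower().strip()
    if not dot or "." + ext not in EXEC_EXTS:
        return None
    # Split the stem on dot, space, underscore or hyphen and inspect the last
    # token: "staff record pdf" and "invoice.pdf" both end in "pdf".
    tokens = [t for t in re.split(r"[.\s_\-]+", stem.lower()) if t]
    if tokens and tokens[-1] in DOC_TOKENS:
        return f"document token '{tokens[-1]}' before .{ext}"
    return None

def scan_zip(data):
    """Map each suspicious member name in a ZIP (given as bytes) to its reason."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reason = masquerade_reason(info.filename)
            if reason:
                findings[info.filename] = reason
    return findings

def build_sample_zip():
    """Constructed sample archive; member contents are harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("staff record pdf.exe", "report.pdf", "invoice.pdf.scr", "setup.exe"):
            zf.writestr(name, b"placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for member, why in scan_zip(build_sample_zip()).items():
        print(f"{member}: {why}")
```

A plain "setup.exe" is not flagged by this name check; blocking executables inside archives outright is a separate policy decision.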
Source: https://hackread.com/fake-employee-reports-guloader-remcos-rat-malware/
