Guloader Malware Being Disguised as Employee Performance Reports
ASEC discovered Guloader malware being distributed through phishing emails masquerading as employee performance reports. The emails, claiming to be about October 2025 performance, contain a RAR file with an NSIS executable named 'staff record pdf.exe'. This file is actually Guloader malware, which downloads and executes shellcode from a Google Drive URL. The final payload is Remcos RAT, enabling threat actors to perform various malicious remote control activities, including keylogging, screenshot capture, webcam and microphone control, and browser data extraction. The attackers are increasingly using legitimate platforms as C2 servers, making detection more challenging. Users are advised to exercise caution when opening emails from unknown sources and to change passwords regularly to prevent secondary damage.
AI Analysis
Technical Summary
The threat involves the distribution of Guloader malware through phishing emails that impersonate internal employee performance reports, referencing October 2025 results to make the lure timely and credible. The emails carry a RAR archive containing 'staff record pdf.exe', an executable built with the NSIS installer framework. NSIS itself is a legitimate packaging tool; here it is the wrapper for the Guloader loader, and the file name is chosen so that on a Windows system that hides known extensions it displays as 'staff record pdf' and passes for a document. Once run, the loader fetches shellcode from a Google Drive URL and executes it, so the download blends into traffic to a widely trusted domain and is not caught by reputation-based domain or IP blocking. The shellcode deploys the Remcos Remote Access Trojan (RAT), which gives the operator keylogging, screenshot capture, webcam and microphone control, and extraction of browser-stored credentials and data. The campaign's reliance on legitimate cloud services for payload hosting and command-and-control (C2) undermines defenses that depend on blocklisting suspicious infrastructure. The infection chain requires the victim to extract the archive and run the executable; no authentication or exploit of a software vulnerability is involved. Indicators of compromise published for the campaign are three file hashes and one IP address (196.251.116.219). The chain of phishing lure, loader, and commodity RAT is a routine pattern, which is precisely why layered controls (mail filtering, execution policy, endpoint and network telemetry) and user awareness all matter.
Potential Impact
For European organizations, this threat poses significant risks to confidentiality, integrity, and availability of information systems. The Remcos RAT payload enables attackers to conduct espionage by capturing keystrokes, screenshots, and audio/video inputs, potentially exposing sensitive corporate data, intellectual property, and personal information. Browser data extraction can lead to credential theft, facilitating further lateral movement or privilege escalation within networks. The use of legitimate cloud services for C2 communication reduces the likelihood of early detection and increases the chance of prolonged undetected presence. This can result in data breaches, regulatory non-compliance (e.g., GDPR violations), reputational damage, and financial losses. The phishing vector targets employees directly, which may lead to widespread infection if user training and email filtering are insufficient. The medium severity rating reflects the need for user interaction but acknowledges the broad impact potential once the RAT is deployed.
Mitigation Recommendations
1. Implement email filtering that inspects archive attachments (RAR, ZIP, 7z) for executables and flags file names with a document word immediately before an executable extension, such as 'staff record pdf.exe'. Where business need allows, block or quarantine archives that contain executables outright.
2. Deploy endpoint detection and response (EDR) tooling that alerts on NSIS-built executables arriving via mail, on processes that download and execute shellcode, and on process-injection behaviour, and that correlates a user-launched executable with an immediate outbound connection to a cloud storage service such as Google Drive.
3. Run targeted user awareness training on phishing that impersonates internal communications (HR, performance, payroll), stressing that an unexpected attachment must be verified through a second channel even when it looks routine.
4. Enforce application control so that executables extracted from email attachments or launched from user-writable locations (Downloads, Temp, the archive tool's extraction folder) cannot run without authorisation.
5. Baseline normal use of cloud storage services and alert on downloads from Google Drive that are initiated by unusual parent processes or from hosts that do not normally use the service, together with beaconing-style connections indicative of C2.
6. Enforce strong password policy and multi-factor authentication so that credentials harvested by the RAT from browsers cannot be reused on their own.
7. Maintain tested backups and an incident response plan that covers RAT infections, including host isolation, credential reset for the affected user, and review of the user's mailbox and cloud sessions.
8. Ingest threat intelligence feeds and add the published file hashes and IP address for this campaign to endpoint, proxy, and firewall detection rules.
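The following script is an added illustration, not code from ASEC or from the page above, of how recommendations 1, 2 and 8 translate into concrete checks: it inspects attachment names for a document word followed by an executable extension, looks for the PE header and the NSIS first-header magic ("NullsoftInst") in the file bytes, hashes each file against the IOC list published for this campaign, and scans log lines for the published IP. The attachment bytes, archive listing and log lines are constructed samples; real RAR extraction is left to your mail gateway or sandbox.

```python
import hashlib
import re
from dataclasses import dataclass, field

# IOCs from this advisory: MD5, SHA-1 and SHA-256 of the campaign samples.
KNOWN_HASHES = {
    "c95f2a7556902302f352c97b7eed4159",
    "ff535b5db8f17e1118429088371c06315f4e3135",
    "65496ed2388a570f4b62f1562297292e38ee99069f558b70025ebaf84aab6b81",
}
KNOWN_IPS = {"196.251.116.219"}

# Extensions Windows executes on double-click, and words that make a name look like a document.
EXEC_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "ps1", "msi"}
DOC_WORDS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt"}
PE_MAGIC = b"MZ"
NSIS_MAGIC = b"NullsoftInst"  # signature in the first header of NSIS-built installers


@dataclass
class Verdict:
    name: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def file_hashes(data: bytes) -> dict:
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def inspect_attachment(name: str, data: bytes) -> Verdict:
    """Apply the name, header and hash checks to one extracted attachment."""
    v = Verdict(name)
    # Split on dots, spaces, underscores and dashes so 'staff record pdf.exe'
    # yields ['staff', 'record', 'pdf', 'exe'].
    parts = [p for p in re.split(r"[.\s_-]+", name.lower().strip()) if p]
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXEC_EXT:
        v.reasons.append(f"executable extension .{ext}")
        if any(p in DOC_WORDS for p in parts[:-1]):
            v.reasons.append("document word before executable extension (masquerade)")
    if data.startswith(PE_MAGIC) and ext not in EXEC_EXT:
        v.reasons.append("PE header under a non-executable extension")
    if NSIS_MAGIC in data:
        v.reasons.append("NSIS installer magic present")
    matched = KNOWN_HASHES & set(file_hashes(data).values())
    if matched:
        v.reasons.append("hash matches campaign IOC: " + ", ".join(sorted(matched)))
    return v


def scan_archive(members: dict) -> dict:
    """members maps extracted file name -> bytes (the archive has already been unpacked)."""
    return {name: inspect_attachment(name, data) for name, data in members.items()}


def ioc_ip_hits(lines) -> list:
    """Return log lines that contain one of the campaign IPs."""
    ip_re = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
    return [line for line in lines if KNOWN_IPS & set(ip_re.findall(line))]


# Constructed samples (not real malware): a PE stub carrying the NSIS marker, a benign PDF,
# an archive listing and two proxy/firewall log lines.
SAMPLE_NSIS_STUB = b"MZ" + b"\x00" * 62 + b"\xef\xbe\xad\xde" + NSIS_MAGIC + b"\x00" * 16
SAMPLE_PDF = b"%PDF-1.7\n% constructed benign sample\n"
SAMPLE_ARCHIVE = {"staff record pdf.exe": SAMPLE_NSIS_STUB, "readme.txt": b"release notes"}
SAMPLE_LOG = [
    "2025-11-03T09:12:01Z proxy allow 10.0.0.15 -> drive.google.com:443",
    "2025-11-03T09:12:07Z fw allow 10.0.0.15 -> 196.251.116.219:443",
]

if __name__ == "__main__":
    for name, verdict in scan_archive(SAMPLE_ARCHIVE).items():
        print(f"{name}: {'SUSPICIOUS' if verdict.suspicious else 'clean'} {verdict.reasons}")
    for hit in ioc_ip_hits(SAMPLE_LOG):
        print("IOC IP seen:", hit)
```

The name check is deliberately broader than the single sample on this page: any document word ahead of an executable extension is flagged, because the same masquerade works with 'invoice.pdf.exe' or 'report_docx.scr'. Hash matching alone is brittle (a recompiled loader has new hashes), so treat the NSIS marker and the masquerade as the durable signals and the hashes as confirmation.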
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium
Indicators of Compromise
- hash (MD5): c95f2a7556902302f352c97b7eed4159
- hash (SHA-1): ff535b5db8f17e1118429088371c06315f4e3135
- hash (SHA-256): 65496ed2388a570f4b62f1562297292e38ee99069f558b70025ebaf84aab6b81
- ip: 196.251.116.219
Technical Details
- Author: AlienVault
- TLP: white
- References: https://asec.ahnlab.com/en/91825
- Pulse Id: 695ff3782e0662f2815bf219
Threat ID: 6960c9cbecefc3cd7c16abf4
Added to database: 1/9/2026, 9:26:35 AM
Last enriched: 1/9/2026, 9:42:07 AM
Last updated: 1/9/2026, 11:40:19 PM