Overview of the Incident
In January 2026, multiple security operations teams identified an active phishing campaign designed to compromise corporate environments by abusing employee trust in internal HR processes. The attackers distributed emails posing as official employee performance evaluations, with malicious attachments. These attachments were weaponized to install Guloader, a malware loader that in turn deployed the Remcos Remote Access Trojan (RAT).
The campaign did not rely on exploiting software vulnerabilities. Instead, it succeeded by convincing users to open attachments and follow simple instructions, making it effective even in environments with fully patched systems.
Once systems were infected, attackers gained persistent remote access, allowing them to monitor activity, steal credentials, and potentially move deeper into affected networks.
What Happened
Employees across various organizations received emails claiming to contain confidential performance reports or appraisal documents. These messages appeared legitimate, often impersonating HR departments or senior management. When recipients opened the attached files, the infection chain began.
The initial malware, Guloader, acted as a delivery mechanism. After establishing itself, it contacted external servers controlled by the attackers and retrieved Remcos RAT. From that point forward, the infected system was under remote attacker control.
This was not an isolated breach. Evidence shows a wide distribution campaign impacting multiple companies simultaneously.
How the Attack Occurred
Initial Entry Point – Email Phishing
The attack started with phishing emails crafted to blend into normal corporate communication.
Common characteristics:
- Sender names mimicked HR staff or internal departments
- Email language was formal and business-appropriate
- Messages referenced annual reviews, appraisals, or salary assessments
- Attachments were marked confidential or urgent
- Emails avoided spelling mistakes and obvious red flags
The attackers relied entirely on social engineering rather than technical exploitation.
Malicious Attachments
Attachments varied in format to evade detection by security filters.
Observed attachment types:
- ZIP archives
- ISO disk images
- HTML files disguised as documents
- Microsoft Excel files containing macros
- Occasionally password-protected archives
Common file naming patterns:
- Performance_Review_2025_Final.zip
- HR_Appraisal_Report.iso
- Employee_Evaluation.html
- Salary_Adjustment_Details.xlsm
The files were designed to look harmless and business-related.
User Interaction
Once the attachment was opened:
- Victims were prompted to enable macros or content
- HTML files displayed fake document previews while the page itself assembled and dropped the real payload in the browser (HTML smuggling)
- ISO files contained executable loaders disguised as PDFs or Word documents; double-clicking an ISO mounts it as a drive, and on systems without the November 2022 Windows updates the files inside carried no Mark-of-the-Web, so SmartScreen and Office protections did not fire
- Clicking or enabling content triggered execution of malicious scripts
This step was essential for the attack to succeed: nothing ran without the user's action.
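As an added example (not part of the original report), the following Python triage routine applies the attachment checks above to a constructed sample: it flags executable, macro-enabled, HTML and container attachments by name, catches document-plus-executable double extensions, walks a ZIP in memory to spot members whose bytes start with an MZ header despite a document extension, and reports encrypted members that cannot be scanned. The archive and its contents are synthetic; the member names reuse the lure patterns listed above.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions that execute directly when double-clicked on Windows.
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs",
            ".js", ".jse", ".wsf", ".hta", ".lnk", ".ps1", ".msi"}
# Macro-enabled Office formats (the "enable content" lure).
MACRO_EXT = {".xlsm", ".docm", ".pptm", ".xlam"}
# Containers that must be opened before the real payload is visible.
CONTAINER_EXT = {".zip", ".iso", ".img", ".7z", ".rar"}
# Document-looking extensions used as the first half of a double extension.
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".rtf"}


def classify_name(name):
    """Return findings derived from the file name alone (ZIP members use '/')."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    findings = []
    if not suffixes:
        return findings
    last = suffixes[-1]
    if last in EXEC_EXT:
        findings.append(f"executable extension {last}")
    if last in MACRO_EXT:
        findings.append(f"macro-enabled Office file {last}")
    if last in (".html", ".htm"):
        findings.append("HTML attachment (possible HTML smuggling)")
    if last in CONTAINER_EXT:
        findings.append(f"container {last}, inspect contents")
    if len(suffixes) >= 2 and suffixes[-2] in DOC_EXT and last not in DOC_EXT:
        findings.append(f"double extension {''.join(suffixes[-2:])}")
    return findings


def inspect_zip(data):
    """Walk a ZIP archive held in memory and flag each member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            hits = classify_name(info.filename)
            if info.flag_bits & 0x1:
                # Bit 0 of the general-purpose flag marks an encrypted member.
                # A password-protected archive defeats content scanning,
                # which is itself a signal worth surfacing.
                hits.append("encrypted member (password-protected archive)")
            else:
                with zf.open(info) as member:
                    head = member.read(2)
                ext = PurePosixPath(info.filename).suffix.lower()
                if head == b"MZ" and ext not in EXEC_EXT:
                    # A PE image renamed to look like a document.
                    hits.append("PE header under non-executable extension")
            findings.extend((info.filename, h) for h in hits)
    return findings


def triage_attachment(name, data):
    """Combine name-based and content-based checks for one attachment."""
    findings = [(name, h) for h in classify_name(name)]
    if PurePosixPath(name).suffix.lower() == ".zip":
        findings.extend(inspect_zip(data))
    return findings


def build_sample_zip():
    """Constructed sample archive mimicking the campaign's lure names.
    Member contents are synthetic: a bare MZ header, not a real PE file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Performance_Review_2025_Final.pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("HR_Appraisal_Report.pdf", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"Please open the attached review.")
    return buf.getvalue()


if __name__ == "__main__":
    for fname, hit in triage_attachment("Performance_Review_2025_Final.zip", build_sample_zip()):
        print(f"{fname}: {hit}")
    for fname, hit in triage_attachment("Salary_Adjustment_Details.xlsm", b"PK\x03\x04"):
        print(f"{fname}: {hit}")
```

The MZ check matters more than the extension lists: a renamed loader inside an archive or ISO passes every name-based filter, and a password-protected archive hides even that, which is why an unscannable member is reported rather than silently skipped.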
Payload Delivery Chain
First Stage – Guloader
Guloader was the first malicious payload executed.
Its role included:
- Establishing a foothold on the system
- Performing checks to detect sandbox or virtual environments
- Delaying execution to avoid automated analysis
- Encrypting communication with external servers
- Downloading additional malware only after validation
Guloader itself often left minimal artifacts, making early detection difficult.
Second Stage – Remcos RAT
After Guloader successfully ran, it downloaded and installed Remcos RAT.
Capabilities of Remcos included:
- Full remote control of the infected system
- Keylogging of user input
- Capturing screenshots and live screen feeds
- Stealing saved browser credentials
- Accessing webcam and microphone
- Uploading and downloading files
- Executing commands remotely
- Maintaining long-term persistence
Remcos typically ran silently in the background under misleading process names.
Persistence and Survival Techniques
To ensure continued access, the malware established persistence using multiple methods:
- Registry autorun keys (Run and RunOnce)
- Scheduled tasks with names resembling system updates
- Startup folder entries
- Copying itself to user-writable profile and ProgramData directories, which look routine in process listings
Persistence locations commonly observed:
- %AppData% (already expands to %USERPROFILE%\AppData\Roaming)
- %LocalAppData%
- %ProgramData%
Evasion Techniques Used
The attackers used several methods to bypass security tools:
- Obfuscated PowerShell scripts
- Encrypted payload delivery
- Legitimate Windows binaries (living-off-the-land binaries such as PowerShell) for execution
- Execution delays to avoid sandbox timeouts
- Frequently changing command-and-control infrastructure
Many antivirus products failed to block the infection during the early stages.
Command and Control Activity
After infection, the malware established outbound connections to attacker-controlled servers.
Observed behavior:
- Encrypted network traffic
- Communication over common ports such as 443 and 8080
- Regular beaconing intervals
- Dynamic DNS usage
- Traffic blended with legitimate HTTPS activity
This allowed attackers to remotely control infected endpoints without raising immediate alarms.
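As an added example (not the report's own tooling), this Python snippet illustrates the two checks a SOC would run against proxy or firewall logs for the behaviour described above: an exact match against the network IOCs listed in the Indicators of Compromise section of this page (refanged only in memory, never written back defanged), and a regularity test that flags destination tuples whose inter-connection gaps have a low coefficient of variation, which is what "regular beaconing intervals" looks like in data. The log lines, the internal host 10.0.5.23 and cdn.example.com are constructed; the thresholds (at least five connections, CV at or below 0.2) are assumptions to tune per environment.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Network IOCs as published in this report (defanged); refanged only for matching.
DEFANGED_IOCS = [
    "hr-review[.]online", "secure-docview[.]net", "cloud-filesync[.]info",
    "employee-portal[.]site", "update-manager[.]live",
    "185[.]244[.]214[.]112", "91[.]214[.]124[.]87",
    "45[.]142[.]212[.]19", "193[.]36[.]119[.]44",
]


def refang(ioc):
    return ioc.replace("[.]", ".")


def defang(value):
    return value.replace(".", "[.]")


IOC_SET = {refang(i) for i in DEFANGED_IOCS}

# Constructed connection log (not real telemetry): "<utc timestamp> <src> -> <dst>:<port>".
# The assumed host 10.0.5.23 beacons to one listed domain roughly every 60 s,
# browses cdn.example.com irregularly, and touches one listed IP only twice.
SAMPLE_LOG = """
2026-01-14T09:00:00Z 10.0.5.23 -> hr-review.online:443
2026-01-14T09:00:12Z 10.0.5.23 -> cdn.example.com:443
2026-01-14T09:00:13Z 10.0.5.23 -> cdn.example.com:443
2026-01-14T09:01:01Z 10.0.5.23 -> hr-review.online:443
2026-01-14T09:02:00Z 10.0.5.23 -> hr-review.online:443
2026-01-14T09:02:59Z 10.0.5.23 -> hr-review.online:443
2026-01-14T09:03:40Z 10.0.5.23 -> cdn.example.com:443
2026-01-14T09:04:01Z 10.0.5.23 -> hr-review.online:443
2026-01-14T09:05:00Z 10.0.5.23 -> hr-review.online:443
2026-01-14T09:05:30Z 10.0.5.23 -> 193.36.119.44:8080
2026-01-14T09:10:02Z 10.0.5.23 -> cdn.example.com:443
2026-01-14T09:10:03Z 10.0.5.23 -> cdn.example.com:443
2026-01-14T09:20:30Z 10.0.5.23 -> 193.36.119.44:8080
2026-01-14T09:25:50Z 10.0.5.23 -> cdn.example.com:443
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>[^:\s]+):(?P<port>\d+)$")


def parse_log(text):
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["src"], m["dst"], int(m["port"])))
    return events


def ioc_hits(events):
    """Connections to any published indicator, regardless of how few."""
    return {(src, defang(dst), port) for _, src, dst, port in events if dst in IOC_SET}


def find_beacons(events, min_count=5, max_cv=0.2):
    """Flag (src, dst, port) tuples whose inter-connection gaps are nearly
    constant: coefficient of variation (stdev / mean) at or below max_cv."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in events:
        by_pair[(src, dst, port)].append(ts)
    results = []
    for (src, dst, port), stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            results.append({
                "src": src, "dst": defang(dst), "port": port,
                "count": len(stamps), "mean_gap_s": round(mean, 1),
                "cv": round(cv, 3), "known_ioc": dst in IOC_SET,
            })
    return results


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for hit in sorted(ioc_hits(evs)):
        print("IOC match:", hit)
    for b in find_beacons(evs):
        print("beacon candidate:", b)
```

The two checks are deliberately independent: the IOC match catches the two low-volume connections to a listed IP that the regularity test ignores, while the regularity test would still flag the 60-second beacon after the attackers rotate to infrastructure that is not yet on any list.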
Affected Organizations and Industries
Target Profile
Organizations with:
- Large employee populations
- Structured HR processes
- Regular internal document sharing via email
Most Impacted Industries
- Corporate enterprises
- Financial institutions
- Healthcare providers
- Manufacturing firms
- Educational institutions
- Government-affiliated organizations
Both mid-size and large enterprises were impacted.
Potential Impact
Compromised systems were at risk of:
- Credential theft
- Email account takeover
- VPN and remote access compromise
- Internal document exposure
- Surveillance of employee activity
- Lateral movement across internal networks
In environments lacking segmentation, the risk of broader compromise was high.
Indicators of Compromise (IOCs)
Email Indicators
- Unexpected HR-themed emails
- Attachments received from external addresses
- Messages urging immediate review of documents
File-Based IOCs
- Suspicious executables in user directories
- Unexpected ISO or ZIP files
- Files with double extensions
- Recently created files in:
  - %Temp%
  - %AppData%
  - %ProgramData%
Registry IOCs
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run and RunOnce
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run and RunOnce
- Registry values pointing to executables in user-writable folders (AppData, ProgramData, Temp)
Process IOCs
- PowerShell running with encoded commands
- Processes launched from AppData or Temp
- Executables named:
  - update.exe
  - hr_service.exe
  - system_patch.exe
Network IOCs (defanged with [.] in place of the dot)
- hr-review[.]online
- secure-docview[.]net
- cloud-filesync[.]info
- employee-portal[.]site
- update-manager[.]live
- 185[.]244[.]214[.]112
- 91[.]214[.]124[.]87
- 45[.]142[.]212[.]19
- 193[.]36[.]119[.]44
Scheduled Task IOCs
- Tasks named similar to:
  - Windows Update Check
  - System Maintenance
  - Office Telemetry Service
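As an added example (not from the original report), this Python routine triages an exported list of Run/RunOnce values and scheduled-task actions against the persistence, registry, process and scheduled-task indicators above: images under user-writable paths, image names and task names taken from the IOC lists, and PowerShell -EncodedCommand arguments, which it decodes (the switch carries base64 of a UTF-16LE string). The record format and the sample records are constructed; the username jdoe and the decoded command are assumptions.

```python
import base64
import re

# Names taken from the Process and Scheduled Task IOC lists above.
SUSPICIOUS_IMAGES = {"update.exe", "hr_service.exe", "system_patch.exe"}
SUSPICIOUS_TASK_NAMES = {"windows update check", "system maintenance",
                         "office telemetry service"}
# Path fragments a standard user can write to without elevation.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")

# Common spellings of PowerShell's -EncodedCommand switch followed by base64.
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
# First token of a command line, quoted or bare.
IMAGE_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')


def image_path(command):
    m = IMAGE_RE.match(command)
    return (m.group(1) or m.group(2)) if m else ""


def decode_encoded_command(command):
    """-EncodedCommand carries base64 of a UTF-16LE string; return it, or None."""
    m = ENCODED_RE.search(command)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_autoruns(records):
    """records: dicts with source (registry key or "TaskScheduler"), name, command."""
    findings = []
    for rec in records:
        reasons = []
        img = image_path(rec["command"])
        low = img.lower()
        if any(frag in low for frag in USER_WRITABLE):
            reasons.append(f"image in user-writable path: {img}")
        base = low.rsplit("\\", 1)[-1]
        if base in SUSPICIOUS_IMAGES:
            reasons.append(f"image name matches campaign IOC: {base}")
        if rec["source"] == "TaskScheduler" and rec["name"].lower() in SUSPICIOUS_TASK_NAMES:
            reasons.append(f"task name mimics a system component: {rec['name']}")
        decoded = decode_encoded_command(rec["command"])
        if decoded is not None:
            reasons.append(f"encoded PowerShell decodes to: {decoded}")
        if reasons:
            findings.append((rec["source"], rec["name"], reasons))
    return findings


# Constructed records (an assumed export of Run values and task actions, not real data).
SAMPLE_PS = 'Start-Process "$env:APPDATA\\hr_service.exe" -WindowStyle Hidden'
SAMPLE_B64 = base64.b64encode(SAMPLE_PS.encode("utf-16-le")).decode()
RUN_HKCU = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
RUN_HKLM = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
SAMPLE_RECORDS = [
    {"source": RUN_HKCU, "name": "HRService",
     "command": '"C:\\Users\\jdoe\\AppData\\Roaming\\hr_service.exe"'},
    {"source": RUN_HKLM, "name": "SecurityHealth",
     "command": "C:\\Windows\\System32\\SecurityHealthSystray.exe"},
    {"source": "TaskScheduler", "name": "Windows Update Check",
     "command": f"powershell.exe -NoP -W Hidden -EncodedCommand {SAMPLE_B64}"},
    {"source": "TaskScheduler", "name": "System Maintenance",
     "command": "C:\\ProgramData\\update.exe /silent"},
]

if __name__ == "__main__":
    for source, name, reasons in triage_autoruns(SAMPLE_RECORDS):
        print(f"[{source}] {name}")
        for r in reasons:
            print("   -", r)
```

The location check does the heavy lifting: IOC names and task names change from wave to wave, but an autorun entry whose image lives under AppData or ProgramData, or a task that launches PowerShell with an encoded command, is abnormal on a managed workstation regardless of what it is called.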
Why the Campaign Was Successful
- Highly believable HR-based lures
- No software exploit required
- Multi-stage infection reduced detection
- Strong evasion and obfuscation
- Abuse of trusted business workflows
Lessons Learned
- Email remains one of the most effective initial-access vectors
- Social engineering bypasses patch-based defenses; a fully patched host offered no protection here
- Loader-based malware complicates detection
- Endpoint monitoring is critical
- User awareness training is essential
Final Takeaway
This campaign demonstrated how attackers can achieve widespread compromise using trust-based phishing and modular malware. By combining Guloader with Remcos RAT and disguising the attack as routine HR communication, threat actors gained persistent access to corporate systems without exploiting a single vulnerability.
Organizations that lacked strong email filtering, endpoint visibility, or user awareness faced extended exposure and increased risk of data compromise.
