Fake Employee Performance Reports Deliver Guloader Malware

Organizations are being warned about a new phishing campaign that weaponizes fake employee performance reports to deploy the Guloader malware and ultimately install Remcos RAT on compromised systems.

In the observed cases, threat actors send phishing emails that purport to share an employee performance report for October 2025.

The email body claims that management is planning to dismiss some employees and urges the recipient to check the attached report.

By exploiting anxiety around job security, attackers increase the likelihood that targeted users will open the attachment without proper scrutiny.

The attached file arrives as a compressed RAR archive. Inside this archive is an NSIS executable named “staff record pdf.exe”.

Figure: Inside the attached compressed file.

The campaign, recently documented by AhnLab Security Intelligence Center (ASEC), abuses employees’ fears around dismissal and performance reviews to lure victims into opening a malicious attachment.

This naming convention is designed to deceive users into mistaking the file for a harmless PDF document, especially on systems where file extensions are hidden by default.

If the user double‑clicks the file believing it to be a PDF, the executable instead launches and begins the malware infection chain.

What Guloader (GuLoader) Does

The “staff record pdf.exe” file is in fact the Guloader malware. Once executed, Guloader does not immediately drop a visible payload onto disk.

Instead, it loads shellcode into memory and retrieves the next-stage payload from a remote command-and-control (C2) location.

In this campaign, the shellcode is downloaded from a Google Drive URL (obfuscated in security reporting as hxxps://drive.google[.]com/uc?export=download&id=1bzvByYrIHy24oMCIX7Cv41gP9ZY3pRsgv).

Using a legitimate cloud storage platform helps attackers blend in with normal traffic and evade simple domain‑based blocking.

The final payload delivered in this attack chain is Remcos RAT, a well‑known remote access trojan.

Once installed, Remcos provides attackers with extensive remote control capabilities. Threat actors can log keystrokes, capture screenshots, control webcams and microphones, and exfiltrate browser histories and stored passwords.

In the documented incident, Remcos communicated with its C2 server at 196.251.116[.]219 over ports 2404 and 5000, allowing attackers to maintain persistent access to infected machines and conduct surveillance or data theft.

Figure: C2 information of Remcos RAT.

This campaign highlights several troubling trends. Attackers are increasingly abusing legitimate platforms such as cloud storage services to host payloads and act as C2 infrastructure, making traditional blacklist‑based defenses less effective.

At the same time, they continue to rely on well‑crafted social engineering that preys on human emotions (here, fear of termination and concern about performance) to bypass technical controls.

Incident Response Steps

To mitigate the risk, organizations should ensure that file extensions are visible by default, provide ongoing phishing awareness training, and deploy advanced email and endpoint security capable of detecting malicious executables and suspicious memory activity.

Users should treat unsolicited performance reports or HR‑related documents with caution, especially when compressed archives or executable files are involved.

Regular password changes, multi‑factor authentication, and prompt incident reporting can help limit the impact if credentials are compromised or a system is infected.
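As an added illustration of the attachment check the mitigation advice above calls for (this is example code, not code from the ASEC report or from this article), the following Python scans an archive listing for the naming trick behind “staff record pdf.exe”: a document word in front of an executable extension, plus a Windows PE (“MZ”) header on any member. It assumes a constructed in-memory ZIP as sample input, since Python's standard library has no RAR reader; the same per-member checks apply to a RAR listing obtained through a third-party parser.

```python
import io
import re
import zipfile

# Extensions that run code when double-clicked on Windows.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta", ".msi"}
# Extensions a user expects to open as a document rather than a program.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf"}
# Document words placed in a filename so an executable reads as a document ("staff record pdf.exe").
DOCUMENT_HINT = re.compile(r"(?<![a-z0-9])(pdf|docx?|xlsx?|report|invoice)(?![a-z0-9])", re.I)


def split_ext(name: str) -> tuple[str, str]:
    """Lower-cased (stem, extension) of the last path component; the extension keeps its dot."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    stem, dot, ext = base.rpartition(".")
    return (stem, "." + ext) if dot else (base, "")

def deceptive_name(name: str) -> bool:
    """True when the file would execute but its name is dressed up as a document."""
    stem, ext = split_ext(name)
    return ext in EXECUTABLE_EXTS and DOCUMENT_HINT.search(stem) is not None

def is_pe(head: bytes) -> bool:
    """Windows executables, NSIS installers included, begin with the DOS 'MZ' stub."""
    return head[:2] == b"MZ"

def scan_archive(archive: bytes) -> list[str]:
    """Findings per ZIP member: deceptive name, PE content, and PE content behind a document extension."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic bytes are needed for the PE check
            if deceptive_name(info.filename):
                findings.append(f"deceptive name: {info.filename}")
            if is_pe(head):
                findings.append(f"PE executable inside archive: {info.filename}")
                if split_ext(info.filename)[1] in DOCUMENT_EXTS:
                    findings.append(f"document extension on PE content: {info.filename}")
    return findings

def build_sample_archive() -> bytes:
    """Constructed sample input: a benign text file plus an MZ-stub 'staff record pdf.exe'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "quarterly notes")
        zf.writestr("staff record pdf.exe", b"MZ" + b"\x00" * 62)  # header stub, not a real binary
    return buf.getvalue()
```

Running `scan_archive(build_sample_archive())` flags the disguised member twice, once for its name and once for its PE header, while the text file produces no finding.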
