Cybercriminals are weaponizing workplace anxiety in a new sophisticated phishing campaign. The AhnLab Security Intelligence Center (ASEC) has issued a warning regarding a malicious operation that leverages the fear of layoffs to infect systems with advanced spyware.
In a report released recently, ASEC detailed a campaign where Guloader malware is being distributed via emails that masquerade as critical HR communications. “AhnLab Security Intelligence Center (ASEC) recently discovered the Guloader malware being distributed via phishing emails disguised as an employee performance report,” the analysts stated.
The attack vector is psychologically manipulative. The phishing emails claim to deliver a staff performance review for October 2025, enticing victims to open the attachment with a grim warning: names marked in red are slated for termination.
“The email claims to be informing the recipient about the report for October 2025, and prompts the recipient to check the attachment by mentioning the plan to dismiss some employees,” the report explains.
The email, signed by a generic “Human Resource Department,” urges the recipient to review an attached file named staff record pdf.rar.
While the attachment appears to be a compressed archive, the danger lies within. “The attached file is a compressed file in RAR format, and it contains an NSIS executable file named ‘staff record pdf.exe’ inside,” ASEC researchers noted.
The attackers rely on users missing the file extension. If the .exe extension is hidden by system settings, the file icon and name trick the user into believing they are opening a harmless PDF document.
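A mail-gateway or sandbox check for exactly this lure can be written in a few lines. The following Python is an added example, not code from the ASEC report: it flags archive members whose name ends in a document-like token right before a real executable extension (“staff record pdf.exe”), and separately checks whether the bytes are a PE file carrying the “NullsoftInst” marker found in NSIS installer stubs (treated here as a heuristic, not a definitive identification). The archive contents are constructed sample data.

```python
from __future__ import annotations
import re

# Extensions that run when double-clicked on Windows (real extension after the last dot).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "msi"}
# Tokens that make a name look like a document once Explorer hides the real extension.
DOCUMENT_TOKENS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt"}
# Marker string present in NSIS installer stubs; used only as a heuristic here.
NSIS_MARKER = b"NullsoftInst"


def is_deceptive_name(name: str) -> bool:
    """True for names like 'staff record pdf.exe': executable extension,
    with a document-like word immediately before it."""
    base, dot, ext = name.rpartition(".")
    if not dot or ext.lower() not in EXECUTABLE_EXTS:
        return False
    tokens = [t for t in re.split(r"[\s._-]+", base.lower()) if t]
    return bool(tokens) and tokens[-1] in DOCUMENT_TOKENS


def classify_blob(data: bytes) -> str:
    """Coarse file-type check on the member's bytes, independent of its name."""
    if data[:2] != b"MZ":          # not a Windows PE image at all
        return "not-pe"
    return "nsis-installer" if NSIS_MARKER in data else "pe"


def scan_members(members: dict[str, bytes]) -> list[tuple[str, str]]:
    """Return (name, reason) for every archive member worth blocking or sandboxing."""
    findings = []
    for name, data in members.items():
        reasons = []
        if is_deceptive_name(name):
            reasons.append("document-lookalike name with executable extension")
        kind = classify_blob(data)
        if kind != "not-pe":
            reasons.append(f"PE payload ({kind})")
        if reasons:
            findings.append((name, "; ".join(reasons)))
    return findings


# Constructed stand-in for the extracted RAR contents (not real malware bytes).
SAMPLE_MEMBERS = {
    "staff record pdf.exe": b"MZ" + b"\x00" * 60 + b"\xef\xbe\xad\xde" + NSIS_MARKER,
    "report.pdf": b"%PDF-1.7\n",
    "notes.txt": b"meeting notes",
}

if __name__ == "__main__":
    for name, reason in scan_members(SAMPLE_MEMBERS):
        print(f"FLAG {name!r}: {reason}")
```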
Once the victim executes the file, the Guloader malware initiates a stealthy infection chain. It connects to a legitimate Google Drive URL to download shellcode, attempting to bypass security filters by using a trusted service.
The ultimate payload dropped on the victim’s machine is the notorious Remcos RAT (Remote Access Trojan).
“The final malware that is executed is Remcos RAT,” the report confirms. This tool turns the infected computer into a surveillance device for the attackers. “It allows threat actors to perform malicious remote control behaviors such as keylogging, capturing screenshots, controlling webcams and microphones, as well as extracting browser histories and passwords from the installed system”.
The malware communicates with a Command and Control (C2) server identified at 196.251.116.219, utilizing ports 2404 and 5000 to exfiltrate stolen data.
ASEC advises organizations to remain vigilant against this growing trend of abusing legitimate platforms for command and control. “Users must be extra cautious when opening emails from unknown sources,” the report concludes, emphasizing that regular password changes are necessary to prevent secondary damage from such breaches.