GuLoader Ships Dual Stealers to Italian Businesses While Its Open FTP Directory Leaks 52 Credential Dumps from 27 Victims in Real Time
TL;DR: Two GuLoader samples submitted to MalwareBazaar on March 9-10, 2026 unravel an active credential theft campaign targeting Italian and international businesses. Both samples use NSIS installer wrappers with multi-layer encrypted shellcode to deliver Agent Tesla (SMTP exfiltration) and VIPKeylogger (Telegram exfiltration). The most damaging finding: the operator's FTP exfiltration server at holzbrenzii[.]com has an open directory listing that exposes 52 credential theft files from 27 unique victim machines -- with new uploads landing the same day as this investigation. The campaign spans 50+ related samples across two imphash families, uses a fraudulent code signing certificate with Danish-language artifacts, and has been actively stealing browser passwords, email credentials, FTP keys, and WinSCP secrets from victims for three weeks straight.
Two Samples, One Thread to Pull
It started with two MalwareBazaar submissions that looked like routine GuLoader. One was a .bat file -- except it was actually a PE executable masquerading as a batch script. The other was a signed .exe with a certificate that claimed to belong to an entity called "Skirled." Both were NSIS installers packed with encrypted shellcode.
Routine GuLoader. Except it was not.
Following the infrastructure trail from sandbox reports and MalwareBazaar tags led to an FTP server with its directory listing wide open. Not just the staging directories -- the exfiltration directories, stuffed with stolen credential dumps that were still being uploaded while we were looking at them. The operator left the front door open, and every victim file was right there on the index page.
The Dual Payload Architecture
The two samples deliver different final payloads through the same GuLoader shellcode mechanism, suggesting the operator runs parallel campaign variants -- same loader, different stealers, different exfiltration channels:
| Sample | File Name | Disguise | Final Payload | Exfil Method |
|---|---|---|---|---|
| Sample 1 | QTZ250722902_SPECIFICATION.bat | PE renamed to .bat | Agent Tesla | SMTP via onionmail[.]org |
| Sample 2 | Betoners.exe | Signed PE (fraudulent cert) | VIPKeylogger | Telegram Bot API |
This is a hedging strategy. If one exfiltration channel gets burned -- say, the Telegram bot token gets revoked (it did) -- the other channel keeps operating. The FTP server at holzbrenzii[.]com serves as a third, persistent exfil path used across the broader campaign.
Attack Chain: From Email to Credential Dump
Phishing Email
|-- Italian BEC lures: "Documenti di spedizione", "Fatura", "Pagamento"
|-- English BEC lures: "PURCHASE ORDER SPECIFICATIONS", "New Order"
|
v
NSIS Installer Wrapper (Nullsoft v3.01 / v3.11)
|-- System.dll plugin (Windows API bridge)
|-- Encrypted shellcode blob (Danish file names: Sorrows130, Sdigheden)
|-- Padding files (single-byte XOR fill -- inflate size, confuse AV)
|
v
System::Call -> VirtualAlloc -> Shellcode Execution
|-- Position-independent x86 (JMP SHORT + POP EBX entry point)
|-- 81 XOR instructions, 687 LOOP instructions (multi-pass decryption)
|-- Anti-debug: NtCreateThreadExHideFromDebugger
|-- Anti-debug: NtSetInformationThreadHideFromDebugger
|-- Injection: MapViewOfSection technique
|
v
GuLoader Shellcode (runtime key derivation -- no static extraction)
|-- Downloads final payload from staging URL
|-- Process hollowing / WriteProcessMemory injection
|
v
Final Payload Deployment
|-- Variant A: Agent Tesla --> SMTP exfil to onionmail[.]org
|-- Variant B: VIPKeylogger --> Telegram bot exfil
|-- Variant C: Agent Tesla --> FTP exfil to holzbrenzii[.]com
|
v
Stolen Data: Browser passwords, email credentials, FTP clients,
WinSCP keys, Outlook profiles --> uploaded as PW_*.html files
Each layer of this chain addresses a different detection challenge. The NSIS wrapper is a legitimate installer framework, so static analysis sees a valid Nullsoft binary. The padding files with single-byte fills confuse entropy-based scanners. The shellcode decryption requires runtime execution -- it cannot be statically unpacked because the download URL is encrypted with keys derived at execution time. And the anti-debugging techniques specifically target analyst sandboxes and EDR hooks.
The .bat File Trick
Sample 1 deserves special attention. It is a PE executable -- a fully valid Windows binary -- but renamed with a .bat extension. The file name QTZ250722902_SPECIFICATION.bat is designed to look like a purchase order specification that happens to be a batch file.
Why does this work? Most email security gateways maintain blocklists for dangerous file extensions: .exe is blocked, .scr is blocked, but .bat files are often allowed through because they are considered lower risk. Windows, however, does not care about the extension when determining how to execute a file -- double-clicking a PE with a .bat extension still launches it as an executable. The attacker gets the payload through the email gateway, and the victim runs it thinking it is a harmless script.
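One way to implement the gateway-side check this trick calls for (the MZ magic bytes inside a file carrying a script extension), as an added example rather than code from the report or from Breakglass Intelligence. It goes one step past a bare MZ test by following the e_lfanew pointer at offset 0x3C to confirm the PE\0\0 signature, so a text file that merely begins with "MZ" is flagged at a lower severity than a genuine executable. The sample PE header is constructed inline and is not a working binary; the function names, verdict strings and the extension list are my own choices.

```python
"""Detect PE executables hiding behind a script extension such as .bat."""
import struct
from pathlib import Path

# Extensions that gateways commonly treat as lower risk than .exe/.scr.
# Assumption: tune this list to whatever your gateway currently lets through.
SCRIPT_EXTENSIONS = {".bat", ".cmd", ".vbs", ".js", ".ps1", ".txt"}

# Offset of e_lfanew in the DOS header; it points at the "PE\0\0" signature.
E_LFANEW_OFFSET = 0x3C


def is_pe_image(data: bytes) -> bool:
    """True if the bytes carry a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_attachment(name: str, data: bytes) -> str:
    """Return a verdict for one attachment based on its extension and content."""
    ext = Path(name).suffix.lower()
    if ext not in SCRIPT_EXTENSIONS:
        return "ok"
    if is_pe_image(data):
        return "PE_MASQUERADING_AS_SCRIPT"   # block and alert
    if data[:2] == b"MZ":
        return "SUSPICIOUS_MZ_PREFIX"        # MZ bytes but no valid PE header
    return "ok"


def scan_attachments(attachments):
    """Return [(name, verdict)] for every attachment that is not clean."""
    findings = []
    for name, data in attachments:
        verdict = classify_attachment(name, data)
        if verdict != "ok":
            findings.append((name, verdict))
    return findings


def build_fake_pe() -> bytes:
    """Constructed stand-in for a real PE: DOS header with e_lfanew=0x40, then the
    PE signature. Only enough header for the check above, not a runnable binary."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, E_LFANEW_OFFSET, 0x40)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


if __name__ == "__main__":
    # Constructed sample set: the report's .bat name with PE content, a real
    # batch script, and a text file that happens to start with "MZ".
    samples = [
        ("QTZ250722902_SPECIFICATION.bat", build_fake_pe()),
        ("cleanup.bat", b"@echo off\r\ndel /q %TEMP%\\*.log\r\n"),
        ("notes.bat", b"MZ is just text here"),
    ]
    for name, verdict in scan_attachments(samples):
        print(f"{verdict:28} {name}")
```

A genuine batch file starts with text such as `@echo off`, never with `MZ`, so the stricter verdict has essentially no false positives on real scripts; the weaker `SUSPICIOUS_MZ_PREFIX` verdict is there so that a truncated or deliberately malformed header still gets a human look rather than a silent pass.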
The Fraudulent Certificate
Sample 2 takes a different approach to trust: a code signing certificate. The certificate details tell an interesting story:
| Field | Value |
|---|---|
| Subject CN | Skirled |
| Subject Email | Tjenestesteder@Farveprinter[.]Fej |
| Organization | Skirled |
| OU | fremdragelsers Nimble Kahaleel |
| Country | GB |
| Valid | Feb 18, 2026 - Feb 18, 2027 |
| Type | Self-signed (fails chain verification) |
| Timestamp | DigiCert Trusted G4 TSA, Mar 3, 2026 |
The subject email is Danish: "Tjenestesteder" means "Service locations" and "Farveprinter" means "Color printer." The OU field mixes Danish ("fremdragelsers," meaning something like "advancements") with English. This is a self-signed certificate -- it provides zero trust guarantees -- but the operator timestamped it through a legitimate DigiCert TSA service, giving it a veneer of authenticity that might fool a cursory review.
The Danish language artifacts are not limited to the certificate. Across both samples, the NSIS internal file names are predominantly Danish: Mellemland, Sjlespaltes, Sdigheden, Spadserestien, Underekstremitets, blomstring, kapitalists, konomikontoret. This consistency across independently compiled samples suggests a Danish-speaking developer or a deliberately planted linguistic false flag.
The Open Directory: 52 Files, 27 Victims, Still Uploading
This is where the investigation went from interesting to urgent.
The FTP server at holzbrenzii[.]com (198[.]27[.]80[.]139) has an open directory listing. Not intentionally -- this is an OPSEC failure. The directory structure at /holzbrenzii.com/ contains multiple subdirectories (dddddd, mmmm, infooo, aaaaaa, oooo) filled with stolen credential files following a consistent naming pattern:
PW_[Username]-[Hostname]_YYYY_MM_DD_HH_MM_SS.html
We catalogued 52 credential theft files from 27 unique victim machines. The timeline spans February 19 through March 10, 2026 -- three weeks of continuous operation. Some victims show sustained compromise over days or weeks:
| Victim Identifier | First Seen | Last Seen | Exfil Count | Notes |
|---|---|---|---|---|
| TANIYA-LIGHTBOX_TANIYA | 2026-02-20 | 2026-03-05 | 7 | 14 days of persistent exfil |
| uSER-INTEL | 2026-02-24 | 2026-03-06 | 8 | Daily corporate exfiltration |
| Frank-DESKTOP-D019GDM | 2026-02-19 | 2026-02-21 | 4 | Earliest victim in the set |
| moremauripanarisi-DESKTOP-ODIEE6H | 2026-03-10 | 2026-03-10 | 2 | Italian name, active day of investigation |
| admin-DESKTOP-R3B7SJ4 | 2026-03-10 | 2026-03-10 | 1 | Active day of investigation |
| fred-OTTONE | 2026-02-27 | 2026-02-27 | 1 | Italian name |
| zhangwei-DESKTOP-VNKWF3 | 2026-03-08 | 2026-03-08 | 1 | Chinese name |
| admin-BOGDANANDREI02 | 2026-02-20 | 2026-02-20 | 1 | Romanian name |
The victim names tell the targeting story: Italian names (moremauripanarisi, fred-OTTONE), Chinese names (zhangwei), Romanian names (BOGDANANDREI), and generic Western names (Frank, Lisa, TANIYA). The "Spam-ITA" tags on MalwareBazaar samples and Italian-language filenames confirm Italy as the primary target, but the campaign is not exclusive -- it takes whoever opens the attachment.
The most alarming detail: moremauripanarisi-DESKTOP-ODIEE6H and admin-DESKTOP-R3B7SJ4 had uploads timestamped March 10, 2026 -- the day we conducted this analysis. This campaign is not historical. It is happening right now.
Some entries in the directory appear to be sandbox environments (randomized usernames like kVSMELqsGeEM, generic hostnames like localuser-WIN-10). Excluding those, at least 15 victim machines represent real compromised users whose browser passwords, email credentials, FTP keys, and WinSCP secrets are sitting on an open directory for anyone to find.
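The cataloguing above, and the FTP log search in the report's recommended actions, both reduce to parsing the PW_[Username]-[Hostname]_YYYY_MM_DD_HH_MM_SS.html pattern and aggregating per victim. The following is an added example, not the report's own tooling: it parses file names from a directory listing or transfer log, builds the first-seen/last-seen/count view used in the victim table, and separates probable sandbox entries with a heuristic that is my assumption (randomized mixed-case usernames, generic WIN- hostnames, a "localuser" account). The listing lines and their timestamps are constructed; only the naming pattern, the directory names and a few victim identifiers come from the report.

```python
"""Parse PW_*.html exfiltration file names and build a per-victim timeline."""
import re
from collections import defaultdict
from datetime import datetime

# PW_[Username]-[Hostname]_YYYY_MM_DD_HH_MM_SS.html
# The username cannot contain a hyphen, the hostname can (DESKTOP-XXXX), so the
# first hyphen splits user from host and the trailing timestamp anchors the end.
EXFIL_NAME = re.compile(
    r"^PW_(?P<user>[^-]+)-(?P<host>.+)_"
    r"(?P<ts>\d{4}_\d{2}_\d{2}_\d{2}_\d{2}_\d{2})\.html$"
)


def parse_exfil_name(filename: str):
    """Return {'user', 'host', 'timestamp'} for a matching name, else None."""
    m = EXFIL_NAME.match(filename)
    if not m:
        return None
    return {
        "user": m["user"],
        "host": m["host"],
        "timestamp": datetime.strptime(m["ts"], "%Y_%m_%d_%H_%M_%S"),
    }


def looks_like_sandbox(user: str, host: str) -> bool:
    """Heuristic (assumption, not from the report): analysis VMs tend to show
    randomized mixed-case usernames or generic hostnames."""
    case_flips = sum(1 for a, b in zip(user, user[1:]) if a.isupper() != b.isupper())
    return case_flips >= 4 or host.upper().startswith("WIN-") or user.lower() == "localuser"


def build_victim_timeline(paths):
    """Aggregate upload paths into {victim_id: first_seen/last_seen/count/sandbox}."""
    buckets = defaultdict(list)
    for path in paths:
        rec = parse_exfil_name(path.rsplit("/", 1)[-1])
        if rec is not None:
            buckets[(rec["user"], rec["host"])].append(rec["timestamp"])
    timeline = {}
    for (user, host), stamps in buckets.items():
        stamps.sort()
        timeline[f"{user}-{host}"] = {
            "first_seen": stamps[0].strftime("%Y-%m-%d"),
            "last_seen": stamps[-1].strftime("%Y-%m-%d"),
            "exfil_count": len(stamps),
            "probable_sandbox": looks_like_sandbox(user, host),
        }
    return timeline


def real_victims(timeline):
    """Victim ids that do not trip the sandbox heuristic, sorted for reporting."""
    return sorted(v for v, info in timeline.items() if not info["probable_sandbox"])


# Constructed listing: directory names and the first two victim ids follow the
# report, the timestamps and the sandbox-style entries are made up for the demo.
SAMPLE_LISTING = [
    "/holzbrenzii.com/dddddd/PW_Frank-DESKTOP-D019GDM_2026_02_19_08_14_02.html",
    "/holzbrenzii.com/dddddd/PW_Frank-DESKTOP-D019GDM_2026_02_21_17_40_55.html",
    "/holzbrenzii.com/mmmm/PW_TANIYA-LIGHTBOX_TANIYA_2026_02_20_10_05_31.html",
    "/holzbrenzii.com/mmmm/PW_TANIYA-LIGHTBOX_TANIYA_2026_03_05_09_22_18.html",
    "/holzbrenzii.com/infooo/PW_localuser-WIN-10_2026_03_01_12_00_00.html",
    "/holzbrenzii.com/aaaaaa/PW_kVSMELqsGeEM-DESKTOP-QWERTY1_2026_03_02_12_00_00.html",
    "/holzbrenzii.com/aaaaaa/index.html",
]

if __name__ == "__main__":
    timeline = build_victim_timeline(SAMPLE_LISTING)
    for victim, info in sorted(timeline.items()):
        tag = " (probable sandbox)" if info["probable_sandbox"] else ""
        print(f"{victim:32} {info['first_seen']}  {info['last_seen']}  "
              f"x{info['exfil_count']}{tag}")
    print("real victims:", real_victims(timeline))
```

The same function works on Pure-FTPd transfer logs once the file path is pulled out of each line, because only the basename is parsed; the sandbox heuristic is deliberately coarse and should be reviewed by an analyst before victim notification, since a real user with an unusual account name would otherwise be dropped.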
Extracted C2 Configurations
Sandbox analysis extracted the full exfiltration configurations from both payloads:
Sample 1 -- Agent Tesla (SMTP Exfiltration):
Protocol: SMTP
Host: mail[.]onionmail[.]org
Port: 587
Username: mikilouis@onionmail[.]org
Password: sendboxorigin12
Exfil To: kloaborh@onionmail[.]org
Sample 2 -- VIPKeylogger (Telegram Exfiltration):
Protocol: Telegram Bot API
Bot Token: 8729572560:AAH7-pGiLevApfXHCGKQfSyCpF9fVTqxN9Q
Chat ID: 8277275661
Status: LOGGED OUT (token revoked after detection)
Campaign FTP C2 (from related sample tags):
Protocol: FTP
Host: ftp[.]holzbrenzii[.]com (198[.]27[.]80[.]139)
Server: Pure-FTPd [privsep] [TLS]
Max users: 50
Upload path: /holzbrenzii.com/{dddddd,mmmm,infooo,aaaaaa,oooo}/
The Telegram bot token has already been revoked -- likely after an automated detection flagged the token in sandbox output. But the SMTP and FTP channels remain fully operational.
Infrastructure: Shared Hosting, Low Investment
The operator is not running dedicated infrastructure. Everything sits on shared hosting:
| IP | Provider | Services | Role | Status |
|---|---|---|---|---|
| 198[.]27[.]80[.]139 | OVH / HosterBox (shared cPanel) | Pure-FTPd, Apache, Exim 4.96.2 | Primary FTP C2, open directory | LIVE |
| 162[.]241[.]123[.]75 | UnifiedLayer / webhostbox.net (shared cPanel) | Pure-FTPd, cPanel, MySQL, Exim 4.99.1 | Secondary FTP C2 | LIVE |
| 173[.]249[.]33[.]206 | Contabo GmbH | nginx 1.14.0, OpenSSH 7.6p1 | SMTP relay (onionmail[.]org) | LIVE |
The holzbrenzii[.]com domain was registered on June 23, 2025 via Onamae.com (GMO), a popular Japanese registrar. Its first SSL certificate appeared on October 28, 2025, and it runs a Let's Encrypt wildcard that auto-renews every 90 days. The secondary domain corwineagles[.]com was registered back in January 2019 through PublicDomainRegistry -- an older domain repurposed or compromised for this campaign.
50+ Samples, Two Imphash Families
These two samples are not isolated. Pivoting on their imphash values reveals a massive cluster:
| Imphash | NSIS Version | Cluster Size | Active Since |
|---|---|---|---|
| e2f3f8ec66b7e1900c37978aca89d3c5 | 3.11 | 25+ samples | 2026-02-02 |
| e2a592076b17ef8bfb48b7e03965a3fc | 3.01 | 25+ samples | 2026-02-02 |
Notable related samples from these clusters:
| File Name | Signature | First Seen |
|---|---|---|
| PURCHASE ORDER SPECIFICATIONS.bat | -- | 2026-02-02 |
| New Order H6002873958.exe | GuLoader | 2026-02-02 |
| Documenti di spedizione.exe | AgentTesla | 2026-02-17 |
| Pagamento 00202603090708.exe | AgentTesla | 2026-03-09 |
| Fatura.exe | VIPKeylogger | 2026-03-09 |
On February 17 alone, 15 Agent Tesla samples tagged ftp-holzbrenzii-com were uploaded to MalwareBazaar -- a burst suggesting mass distribution. The operator ships new samples almost daily, reusing the same NSIS packing pipeline while rotating file names and lure themes.
Campaign Timeline
2025-06-23 holzbrenzii[.]com domain registered (Onamae.com/GMO)
2025-10-28 First SSL certificate issued (domain goes operational)
2026-02-02 Earliest related samples appear in MalwareBazaar
2026-02-17 Burst: 15 Agent Tesla samples tagged ftp-holzbrenzii-com
2026-02-18 "Skirled" fraudulent code signing certificate created
2026-02-19 First victim credential file appears in open directory
2026-03-03 Betoners.exe timestamped with DigiCert TSA
2026-03-09 Betoners.exe uploaded to MalwareBazaar
2026-03-10 QTZ250722902_SPECIFICATION.bat submitted; new victims uploading
The gap between domain registration (June 2025) and first malware samples (February 2026) suggests either a slow operational tempo during setup, or the domain was originally registered for a different purpose and repurposed for this campaign.
Threat Actor Assessment
Attribution confidence: LOW-MEDIUM
The Danish-language artifacts are the strongest attribution signal. They appear consistently across:
- The code signing certificate (Tjenestesteder, Farveprinter, fremdragelsers)
- NSIS internal file names in both samples (Mellemland, Sjlespaltes, Sdigheden, Spadserestien, Underekstremitets, blomstring, kapitalists)
This consistency across independently compiled samples makes it unlikely to be coincidental. The actor is either Scandinavian (Danish/Norwegian), using a tool that generates Danish-language strings, or deliberately planting linguistic artifacts as a false flag.
The OPSEC failures paint a picture of a moderately skilled operator who is sloppy with infrastructure:
- Open directory listing on the primary FTP C2
- Self-signed certificate with identifiable language artifacts
- Same imphash reused across 50+ samples (trivial clustering)
- Exposed credentials in sandbox analysis (SMTP password, Telegram token)
- Telegram bot token revoked after exposure
This is a financially motivated cybercriminal running a credential theft operation, not an APT. The targeting is opportunistic, the infrastructure is cheap shared hosting, and the payloads are commodity stealers.
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Implementation |
|---|---|---|---|
| Initial Access | Spearphishing Attachment | T1566.001 | .bat/.exe email attachments with BEC lures |
| Execution | User Execution: Malicious File | T1204.002 | Victim executes disguised NSIS installer |
| Execution | Native API | T1106 | System.dll calls VirtualAlloc, CallWindowProcA |
| Defense Evasion | Obfuscated Files or Information | T1027 | Multi-layer shellcode encryption (81 XOR + 687 LOOP) |
| Defense Evasion | Binary Padding | T1027.001 | Single-byte fill files to inflate archive size |
| Defense Evasion | Software Packing | T1027.002 | NSIS wrapper as legitimate installer framework |
| Defense Evasion | Masquerading: Match Legitimate Extension | T1036.008 | .bat extension on PE executable |
| Defense Evasion | Subvert Trust Controls: Code Signing | T1553.002 | Fraudulent self-signed cert with DigiCert timestamp |
| Defense Evasion | Debugger Evasion | T1622 | NtCreateThread/NtSetInformationThread HideFromDebugger |
| Defense Evasion | Process Injection: Process Hollowing | T1055.012 | WriteProcessMemory injection |
| Defense Evasion | Process Injection | T1055 | MapViewOfSection shared section injection |
| Credential Access | Credentials from Password Stores | T1555 | Browser passwords, email clients |
| Credential Access | Credentials from Web Browsers | T1555.003 | Chrome, Firefox, Edge credential theft |
| Collection | Data from Local System | T1005 | FTP clients, WinSCP, Outlook profiles |
| Collection | Input Capture: Keylogging | T1056.001 | VIPKeylogger variant |
| Exfiltration | Exfiltration Over C2 Channel | T1041 | SMTP and FTP exfiltration |
| Exfiltration | Exfiltration Over Web Service | T1567 | Telegram Bot API for credential upload |
Indicators of Compromise
Network Indicators
FTP C2 Servers:
holzbrenzii[.]com 198[.]27[.]80[.]139 (PRIMARY - open directory)
corwineagles[.]com 162[.]241[.]123[.]75 (SECONDARY)
SMTP Exfiltration:
mail[.]onionmail[.]org 173[.]249[.]33[.]206 Port 587
Sender: mikilouis@onionmail[.]org
Recipient: kloaborh@onionmail[.]org
Telegram Exfiltration:
Bot Token: 8729572560:AAH7-pGiLevApfXHCGKQfSyCpF9fVTqxN9Q (REVOKED)
Chat ID: 8277275661
File Indicators
Sample 1 -- QTZ250722902_SPECIFICATION.bat:
SHA-256: 85bb77ab50e307210eac33967c69a15d31f38277ba82a88020eda2c972100f19
SHA-1: ade37c2ac5116a6d74a8c0bfa74774b91e253510
MD5: e2d50816fde5ab6748051d1266c6bb97
Imphash: e2f3f8ec66b7e1900c37978aca89d3c5
Size: 242,586 bytes
Sample 2 -- Betoners.exe:
SHA-256: 258c637a49e90a8ed3ebb9b9bbb4b0edd1f6d884d8cab83de7907a67d7ec3e36
SHA-1: 25db542e7c2647a82f25f8ed566a05c0674f7ff1
MD5: 48e2ceba623541351a4e3dcd3ae5197a
Imphash: e2a592076b17ef8bfb48b7e03965a3fc
Size: 835,328 bytes
Signing Certificate:
Thumbprint: 4d6c971175aab5dc402989d05d13710314fc0f32b173a7525efaec18829b52d7
Serial: 15591297CB2F3CDCDA48A3ECBFF7C06CD2DD137E
Subject CN: Skirled
Unpacked System.dll (dropped by NSIS):
SHA-256: a44ca08afb3f6bafd76aa35c259f3d599fe34f6f49ea5118626c1c1a540b0f03
MD5: 81e268e27dbbcadbf116b5a9402195ab
Behavioral Indicators
NSIS Internal File Names (Danish):
Sorrows130, Austerus153.swa, Mellemland/Ulceration, Sjlespaltes.uds,
angiomyosarcoma.dec, miners.ges, Sdigheden, Braises, Caespitosely134.cog,
Prominority.flu, Spadserestien142.apo, Underekstremitets.uho,
blomstring.str, fairsome.hin, invar.ufr, kapitalists.han, konomikontoret.avi
Exfiltration File Pattern:
PW_[Username]-[Hostname]_YYYY_MM_DD_HH_MM_SS.html
Hunting Imphashes (50+ related samples):
e2f3f8ec66b7e1900c37978aca89d3c5 NSIS v3.11 GuLoader cluster
e2a592076b17ef8bfb48b7e03965a3fc NSIS v3.01 GuLoader cluster
Recommended Actions
Immediate (24-48 hours)
- Block `holzbrenzii[.]com` and `corwineagles[.]com` at DNS and web proxy
- Block outbound FTP to `198[.]27[.]80[.]139` and `162[.]241[.]123[.]75`
- Alert on outbound SMTP connections to `mail[.]onionmail[.]org:587`
- Search email gateways for `QTZ250722902_SPECIFICATION.bat`, `Betoners.exe`, and any `.bat` attachments that are PE executables (magic bytes `MZ` in a `.bat` file)
- Deploy YARA rules keyed on the two imphash values for retrospective hunting
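The first three immediate actions amount to matching the report's network indicators against DNS, firewall and proxy telemetry. The following added example (not code from the report or from Breakglass Intelligence) keeps the indicators in their published defanged form, refangs them at load time, and scans free-text log lines for exact IP hits and for the listed domains or any of their subdomains (so `ftp.holzbrenzii.com` matches `holzbrenzii[.]com`). The log lines and their field layout are constructed for the demo; the function names are my own.

```python
"""Match the report's defanged network indicators against log lines."""
import re

# Indicators as published in the report, kept defanged so the file is safe to share.
DEFANGED_DOMAINS = ["holzbrenzii[.]com", "corwineagles[.]com", "mail[.]onionmail[.]org"]
DEFANGED_IPS = ["198[.]27[.]80[.]139", "162[.]241[.]123[.]75", "173[.]249[.]33[.]206"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into its matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


DOMAINS = {refang(d).lower() for d in DEFANGED_DOMAINS}
IPS = {refang(i) for i in DEFANGED_IPS}

# Loose tokenizers: a dotted name ending in an alphabetic TLD, and a dotted quad.
HOST_TOKEN = re.compile(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IP_TOKEN = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def matches_domain(host: str) -> bool:
    """True if host equals a listed domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DOMAINS)


def scan_log(lines):
    """Return [(line_number, [reasons])] for every line that touches an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        reasons = set()
        for host in HOST_TOKEN.findall(line):
            if matches_domain(host):
                reasons.add(f"domain:{host.lower()}")
        for ip in IP_TOKEN.findall(line):
            if ip in IPS:
                reasons.add(f"ip:{ip}")
        if reasons:
            hits.append((n, sorted(reasons)))
    return hits


# Constructed sample telemetry (DNS, firewall and proxy styles) for the demo;
# the format is an assumption, the matcher only needs free text.
SAMPLE_LOG = [
    "2026-03-10T10:12:33 dns query host=WS-042 qname=ftp.holzbrenzii.com type=A",
    "2026-03-10T10:12:34 fw allow src=10.0.5.17 dst=198.27.80.139 dport=21 proto=tcp",
    "2026-03-10T10:13:01 fw allow src=10.0.5.17 dst=173.249.33.206 dport=587 proto=tcp",
    "2026-03-10T10:13:05 dns query host=WS-042 qname=www.example.com type=A",
    "2026-03-10T10:14:19 proxy GET http://updates.example.org/manifest.json status=200",
]

if __name__ == "__main__":
    for n, reasons in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(reasons)}")
        print("   ", SAMPLE_LOG[n - 1])
```

Because the domain check is suffix-based, the secondary `corwineagles[.]com` host and any future subdomain the operator adds under `holzbrenzii[.]com` are caught without editing the list; the IP check is exact on purpose, since the two FTP hosts sit on shared cPanel boxes and a wider block would hit unrelated tenants.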
Short-term (1-2 weeks)
- Submit abuse reports to OVH/HosterBox for `holzbrenzii[.]com` (active credential theft C2 with open directory)
- Submit abuse reports to UnifiedLayer for `corwineagles[.]com`
- Report the Telegram bot ID to Telegram for abuse (token already revoked, but bot account persists)
- Hunt EDR logs for NSIS installers dropping `System.dll` to `$PLUGINSDIR`
- Search FTP logs for the `PW_*.html` upload pattern
Medium-term (1-3 months)
- Monitor the two imphash clusters on MalwareBazaar -- the operator ships new samples almost daily
- Track crt.sh for new Let's Encrypt certificates on `holzbrenzii[.]com` subdomains
- Watch for new domains registered via Onamae.com/GMO pointing to HosterBox nameservers
- Coordinate victim notification through appropriate CERT channels -- at least 15 real victims have active credential compromise
References
- MalwareBazaar (Sample 1): https://bazaar.abuse.ch/sample/85bb77ab50e307210eac33967c69a15d31f38277ba82a88020eda2c972100f19/
- MalwareBazaar (Sample 2): https://bazaar.abuse.ch/sample/258c637a49e90a8ed3ebb9b9bbb4b0edd1f6d884d8cab83de7907a67d7ec3e36/
- CAPE Sandbox (Sample 1): https://www.capesandbox.com/analysis/56923/
- CAPE Sandbox (Sample 2): https://www.capesandbox.com/analysis/56812/
- Triage (Agent Tesla config): https://tria.ge/reports/260310-l9qxvsaw4m/
- Triage (VIPKeylogger config): https://tria.ge/reports/260309-p227pshv8n/
- ANY.RUN (Sample 1): https://app.any.run/tasks/e5e2d340-3aec-434c-96ff-bbdc1f5341f4
- ANY.RUN (Sample 2): https://app.any.run/tasks/416a59b0-e7f5-4f98-8347-a02daa600c1e
Published by Breakglass Intelligence. Investigation conducted 2026-03-10. 2 samples analyzed. 50+ related samples clustered. 52 credential dumps exposed on a live open directory. 27 victim machines identified. Campaign ongoing. Classification: TLP:CLEAR