Download bundle index for the GuLoader NSIS-stage shellcode loader write-up.

Primary public artefact repository:

• taogoldi/analysis_data/guloader_apr_2026

Direct folders:

• scripts/ nsis_disasm.py (NSIS-3 Unicode bytecode disassembler), nsis_emulator.py (NSIS opcode emulator capturing System::Call), decode_piasaba.py (4-byte XOR + 0xAC pad strip), build_rainbow.py (custom-hash rainbow table), emulate_shellcode.py (Unicorn shellcode emulator), three IDAPython annotation scripts.
• detection/ four YARA rules (outer NSIS dropper, dropped-script artifacts, decoy padding, generic family). Also mirrored at YARA/loaders/guloader/.
• reports/json/ structured static + cross-reference analysis report, full NSIS opcode dump
• images/ Mermaid sources and rendered diagrams (kill chain, dropped files, NSIS obfuscation flow)
• docs/ blog source markdown

Key external references:

• MalwareBazaar entry (uploader threatcat_ch)
• VirusTotal community
• Hatching Triage 260427-a4q5wsdw6k
• Joe Sandbox 1904872
• NeikiAnalytics / threat.rip
• ANY.RUN sandbox task
• VMRay analysis

The NSIS dropper binary, the encrypted piasaba and Toolers blobs, and the staged Remcos PE are not redistributed in this bundle. Pull from MalwareBazaar by SHA-256 (39c0135a0e8d46053fbcaa4efe6cbc83d33cf8e7be43efbca1622b2f77c7b9c6).