A GuLoader malware campaign began targeting e-commerce companies in the U.S. and South Korea.  The malspam activity transitions from malware-laced Microsoft Word documents to NSIS executable files that load the malware. During 2022, NSIS scripts became more sophisticated, packing in additional obfuscation and encryption layers to conceal the shellcode. The new malware tactics respond to Microsoft blocking macros in Office files downloaded online. The campaign also targeted Germany, Saudi Arabia, Taiwan, and Japan.