GootLoader Returns, Employs Innovative Font Technique to Conceal Malware on WordPress Sites


GootLoader Malware Makes a Notable Return

Nov 11, 2025 | Ravie Lakshmanan | Malware / Network Security

Recent investigations by Huntress indicate a resurgence of the notorious GootLoader malware, following a significant uptick in its activity in March of this year.

According to the cybersecurity firm, three GootLoader infections have been identified since October 27. Alarmingly, two of these escalated into active intrusions, with the domain controller compromised within a mere 17 hours of the initial infection.

Security researcher Anna Pham noted, “GootLoader has re-emerged, now harnessing custom WOFF2 fonts with glyph substitution techniques to obscure filenames.”

She elaborated that the malware “manipulates WordPress comment endpoints to deliver XOR-encrypted ZIP payloads, each with unique encryption keys.”

Linked to a threat group designated as Hive0127 (or UNC2565), GootLoader functions as a JavaScript-based malware loader that typically propagates through search engine optimization (SEO) poisoning, facilitating the delivery of further malicious payloads, including ransomware.

In a report released last September, Microsoft disclosed that the threat group known as Vanilla Tempest capitalizes on GootLoader infections, receiving hand-offs from the Storm-0494 group to deploy a backdoor termed Supper (also recognized as SocksShell or ZAPCAT), alongside AnyDesk for remote access. This chain of attacks has culminated in the deployment of INC ransomware.

Additionally, the Supper backdoor has been associated with Interlock RAT (aka NodeSnake), malware primarily linked to Interlock ransomware.

“Although there is no explicit evidence linking Interlock directly to Supper, both Interlock and Vice Society have shown connections to Rhysida at various times, indicating potential overlaps within the broader cybercriminal ecosystem,” observed Forescout last month.

Earlier this year, GootLoader was discovered to have exploited Google Ads, targeting individuals searching for legal document templates. By redirecting users to compromised WordPress sites, it facilitated access to malware-laden ZIP archives.

The latest findings from Huntress reveal that current searches for queries like “Missouri cover utility easement roadway” on Bing are being manipulated to direct hapless users toward the ZIP archive.

Notably, this iteration employs a custom web font to mask the filenames displayed in the browser, so that static analysis of the page source sees only the substituted characters rather than the real names.

Pham explained, “When users attempt to copy the filename or examine the source code, they encounter bizarre characters, such as ‛›μI€vSO₽*’Oaμ==€‚‚33O%33‚€×:O[TM€v3cwv. Yet, in the victim’s browser, these characters seamlessly transition to readable text, like Florida_HOA_Committee_Meeting_Guide.pdf.”

“This transformation is enabled through a custom WOFF2 font, which GootLoader integrates into the JavaScript code on the page using Z85 encoding, efficiently compressing the 32 KB font to 40 KB.”
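The following is an added defensive illustration, not code from Huntress, from this article, or from GootLoader itself. Z85 (the ZeroMQ encoding) maps every 4 bytes to 5 printable characters, which is exactly the 32 KB to 40 KB ratio quoted above, and its alphabet contains no quotes or backslashes, so a blob can be dropped straight into a JavaScript string literal. The script below implements Z85 encode/decode per the ZeroMQ RFC 32 alphabet and then scans a page's script source for string literals that are valid Z85 and decode to the WOFF2 signature "wOF2". The JavaScript fragment and the 32-byte "font" are constructed for the example (the fake font is just the signature plus padding, not a real font file); the function names are this example's own.

```python
import re

# Z85 alphabet as defined by the ZeroMQ RFC 32 specification (85 printable ASCII
# characters, none of which are quotes or backslashes, which is what makes Z85
# convenient to embed inside a JavaScript string literal).
Z85_ALPHABET = (
    "0123456789abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ.-:+=^!/*?&<>()[]{}@%$#"
)
Z85_INDEX = {c: i for i, c in enumerate(Z85_ALPHABET)}

# Every WOFF2 file starts with the ASCII signature "wOF2".
WOFF2_MAGIC = b"wOF2"


def z85_encode(data: bytes) -> str:
    """Encode bytes (length must be a multiple of 4) as Z85: 4 bytes -> 5 chars."""
    if len(data) % 4:
        raise ValueError("Z85 input length must be a multiple of 4")
    chars = []
    for i in range(0, len(data), 4):
        value = int.from_bytes(data[i:i + 4], "big")
        for divisor in (85 ** 4, 85 ** 3, 85 ** 2, 85, 1):
            chars.append(Z85_ALPHABET[(value // divisor) % 85])
    return "".join(chars)


def z85_decode(text: str) -> bytes:
    """Decode a Z85 string (length must be a multiple of 5) back to bytes."""
    if len(text) % 5:
        raise ValueError("Z85 input length must be a multiple of 5")
    out = bytearray()
    for i in range(0, len(text), 5):
        value = 0
        for ch in text[i:i + 5]:
            value = value * 85 + Z85_INDEX[ch]  # KeyError on a non-Z85 character
        if value > 0xFFFFFFFF:
            raise ValueError("Z85 group decodes to more than 32 bits")
        out += value.to_bytes(4, "big")
    return bytes(out)


# Matches double- or single-quoted JS string literals of at least 20 characters
# with no quotes, backslashes or newlines inside (Z85 output never contains those).
_STRING_LITERAL = re.compile(r'"([^"\\\n]{20,})"|\'([^\'\\\n]{20,})\'')


def find_embedded_woff2(js_source: str):
    """Return [(offset, decoded_bytes)] for every string literal in js_source that
    is valid Z85 and decodes to data beginning with the WOFF2 signature."""
    hits = []
    for m in _STRING_LITERAL.finditer(js_source):
        literal = m.group(1) or m.group(2)
        if len(literal) % 5 or any(c not in Z85_INDEX for c in literal):
            continue
        decoded = z85_decode(literal)
        if decoded.startswith(WOFF2_MAGIC):
            hits.append((m.start(), decoded))
    return hits


# Constructed stand-in for a font: the WOFF2 signature, a TrueType flavor tag and
# zero padding. It is not a real font and not the font described in the article.
FAKE_FONT = WOFF2_MAGIC + b"\x00\x01\x00\x00" + b"\x00" * 24  # 32 bytes -> 40 chars

# Constructed page fragment: one Z85 blob carrying the fake font, one ordinary string.
SAMPLE_JS = (
    'var fontData = "' + z85_encode(FAKE_FONT) + '";\n'
    'var label = "ordinary text, not a font and not Z85";\n'
)

if __name__ == "__main__":
    for offset, blob in find_embedded_woff2(SAMPLE_JS):
        print(f"Z85-encoded WOFF2 font at offset {offset}: {len(blob)} bytes")
```

On a real page the same scan would be run over the extracted inline and external scripts; a hit is a strong signal only when combined with the page also defining an @font-face from that data, since legitimate sites rarely embed fonts via Z85 rather than base64.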

Another observed innovation involves an alteration of the ZIP file, such that when analyzed by tools such as VirusTotal or Python’s ZIP utilities, it unpacks as an innocuous .TXT file. However, within Windows File Explorer, the archive reveals a legitimate JavaScript file, representing the intended payload.

The researcher tracking GootLoader remarked, “This straightforward evasion strategy provides the actor with valuable time by concealing the true nature of the payload from automated scrutiny,” emphasizing the malware’s evolving sophistication.
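The article does not say how the archive is built so that VirusTotal and Python's zipfile see a .TXT while Windows Explorer sees a .JS. One well-known way for tools to disagree about a ZIP is for the central directory (which listing tools usually read) and the per-entry local file headers (which some extractors read) to carry different names; the added example below, which is not from Huntress or this article, assumes that mechanism purely to show what a consistency check looks like. It builds a harmless one-entry archive with the standard library, rewrites the name in the local header only (a constructed tampering step for the demonstration), and then walks both structures and reports any entry whose two names differ. All function names are this example's own.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"    # local file header
CENTRAL_SIG = b"PK\x01\x02"  # central directory file header
EOCD_SIG = b"PK\x05\x06"     # end of central directory record


def build_sample_zip() -> bytes:
    """Constructed sample: a one-entry STORED archive from the standard library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("payload.js", "// constructed placeholder content, nothing executable\n")
    return buf.getvalue()


def tamper_local_name(data: bytes, new_name: bytes) -> bytes:
    """Rewrite the name in the FIRST local file header (same length only) while
    leaving the central directory alone. This is an assumed way of producing a
    header disagreement; the article does not say how the real archive is built."""
    if not data.startswith(LOCAL_SIG):
        raise ValueError("archive does not start with a local file header")
    name_len = struct.unpack_from("<H", data, 26)[0]  # filename length at offset 26
    if len(new_name) != name_len:
        raise ValueError("replacement name must keep the original length")
    return data[:30] + new_name + data[30 + name_len:]  # 30-byte fixed header


def central_entries(data: bytes):
    """Yield (filename, local_header_offset) for each central directory entry."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD: total entry count at +10, directory size at +12, directory offset at +16
    total, _cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    pos = cd_offset
    for _ in range(total):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError(f"bad central directory signature at {pos}")
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        local_offset = struct.unpack_from("<I", data, pos + 42)[0]
        yield data[pos + 46:pos + 46 + name_len], local_offset  # 46-byte fixed header
        pos += 46 + name_len + extra_len + comment_len


def local_name(data: bytes, offset: int) -> bytes:
    """Read the filename stored in the local file header at the given offset."""
    if data[offset:offset + 4] != LOCAL_SIG:
        raise ValueError(f"bad local file header signature at {offset}")
    name_len = struct.unpack_from("<H", data, offset + 26)[0]
    return data[offset + 30:offset + 30 + name_len]


def find_name_mismatches(data: bytes):
    """Return [(central_name, local_name)] for entries whose two headers disagree.
    A consistent archive returns an empty list."""
    mismatches = []
    for central, offset in central_entries(data):
        local = local_name(data, offset)
        if local != central:
            mismatches.append((central, local))
    return mismatches


if __name__ == "__main__":
    clean = build_sample_zip()
    tampered = tamper_local_name(clean, b"readme.txt")  # same length as "payload.js"
    print("clean archive mismatches:", find_name_mismatches(clean))
    print("tampered archive mismatches:", find_name_mismatches(tampered))
```

A sandbox or mail gateway that extracts archives with one library and lists them with another inherits whichever header each tool trusts; comparing the two structures before trusting either, and treating any disagreement as suspicious in its own right, removes that blind spot regardless of which specific trick an archive uses.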


The JavaScript payload contained within the archive is engineered to deploy Supper, a backdoor that enables remote control and SOCKS5 proxying capabilities.

In one documented instance, threat actors utilized Windows Remote Management (WinRM) to navigate laterally to the Domain Controller, subsequently establishing a new user account with administrative privileges.

“This ‘good enough’ approach demonstrates that threat actors need not rely on avant-garde exploits when well-obfuscated, straightforward tools can efficiently fulfill their objectives.”

Source link: Thehackernews.com.
