Gootloader Malware Resurfaces After Extended Absence
- Gootloader re-emerged in late October 2025 after a nine-month pause, restarting the initial-access pipeline that feeds ransomware campaigns.
- Hides the download link and filename behind a custom web font (WOFF2), then runs malicious JavaScript from compromised sites that gives operators remote access and lets them map the network.
- Tied to Storm-0494 and its affiliate Vice Society; Huntress reports operators reaching domain controllers within hours, in one case in under an hour.
After a nine-month hiatus, the Gootloader malware has reappeared, apparently to pave the way for renewed ransomware attacks.
Security firm Huntress reported a surge in infections beginning October 27 and continuing into early November 2025. Before this resurgence, Gootloader had been dormant since March 2025.
Exploiting Custom Fonts for Malicious Activity
In this latest campaign, Gootloader appears to be operated by the threat group Storm-0494 together with its affiliate Vice Society (tracked by Microsoft as Vanilla Tempest). This ransomware crew, first seen in 2021, primarily targets education and healthcare organisations and occasionally manufacturing.
Gootloader delivers malicious JavaScript from compromised websites, typically to users who arrive via search results for legal or business document templates. Once run, the script installs tooling that gives the operators remote control over the victim's Windows environment, which they use for follow-on actions such as account compromise and ransomware deployment.
The lure's filename and download instructions are hidden with a custom web font (WOFF2): the raw HTML contains only scrambled characters, but the font maps those characters to glyphs that render as the real filename and link, so the page looks unremarkable in a browser while static inspection of the HTML source shows gibberish. Only when the page is rendered with the font does the true download link and filename become readable.
The overall aim of the campaign is to establish reliable initial access, map and take control of the network quickly, and then hand that access to ransomware operators.
The sequence moves fast, relying on automated reconnaissance and remote management tooling to identify high-value targets, create privileged accounts, and prepare the environment for ransomware deployment.
According to Huntress, automated reconnaissance typically starts within 10 to 20 minutes of the malicious JavaScript executing, and in several intrusions the attackers reached domain controllers within hours.
Huntress observed operators obtaining domain controller access in roughly 17 hours in some cases, and in under an hour in one environment.
To defend against Gootloader, Huntress recommends watching for early warning signs: unexpected downloads from web browsers, unfamiliar shortcuts in Startup folders, PowerShell or script-host activity spawned by a browser, and unusual outbound proxy-like connections.
Source link: Techradar.com.