Gootloader Malware Returns With New Evasion Tactics

Summary
– Gootloader malware has resumed operations after a 7-month hiatus, using SEO poisoning to promote fake websites that distribute malicious documents.
– The malware spreads through compromised websites that impersonate legal document templates, tricking users into downloading malicious ZIP archives containing JavaScript files.
– Gootloader employs evasion techniques including custom web fonts that disguise readable text in source code and malformed ZIP archives that extract different files depending on the extraction tool used.
– Once executed, Gootloader downloads additional payloads like Cobalt Strike and the Supper SOCKS5 backdoor, enabling threat actors to gain remote access and deploy ransomware within hours.
– The campaign is linked to the Vanilla Tempest ransomware affiliate, which rapidly compromises networks by performing reconnaissance within minutes of infection and targeting Domain Controllers.
After a seven-month hiatus, the notorious Gootloader malware loader has resurfaced, employing refined SEO poisoning methods to lure unsuspecting users. This malicious operation spreads through compromised or fraudulent websites, tricking individuals into downloading harmful documents disguised as legitimate legal templates.
The attackers manipulate search engine results using both paid advertisements and search engine optimization tactics. They specifically target keywords related to legal documents and agreements, ensuring their malicious sites appear prominently. Previously, these sites mimicked discussion forums where fake users recommended downloading document templates. More recently, the strategy shifted to direct imitation of websites offering free legal document templates.
When a visitor clicks a “Get Document” button, the site performs checks to confirm the user is human before serving a compressed archive. Inside this archive lies a malicious file with a .js extension, such as mutualnondisclosure_agreement.js. Executing this file triggers Gootloader, which then retrieves additional malware payloads like Cobalt Strike, backdoors, and network bots. These tools grant initial access to corporate networks, often exploited later by other cybercriminals to deploy ransomware or launch further attacks.
A cybersecurity researcher known as “Gootloader” has dedicated years to tracking and disrupting this operation by reporting abusive infrastructure to internet service providers and hosting platforms. This researcher informed BleepingComputer that their efforts forced the malware operation to halt abruptly on March 31st, 2025. Now, alongside Anna Pham from Huntress Labs, they confirm Gootloader’s return in a fresh campaign impersonating legal documents once more.
“In this latest campaign, we’ve observed thousands of unique keywords spread over 100 websites,” the researcher stated in a recent blog post. “The ultimate goal remains the same: convince victims to download a malicious ZIP archive containing a JScript (.JS) file that establishes initial access for follow-on activity, usually leading to ransomware deployment.”
This new variant introduces several techniques to evade automated analysis and security researchers. Huntress discovered that the malicious JavaScript on these websites conceals real filenames using a custom web font. This font replaces standard letters with visually similar symbols. While the HTML source code displays nonsensical text, the rendered page shows normal words, making it difficult for security tools to detect keywords like “invoice” or “contract” in the code.
“Rather than using OpenType substitution features or character mapping tables, the loader swaps what each glyph actually displays,” Huntress explained. “The font’s metadata appears completely legitimate: the character ‘O’ maps to a glyph named ‘O’, the character ‘a’ maps to a glyph named ‘a’, and so forth. However, the actual vector paths that define these glyphs have been swapped. When the browser requests the shape for glyph ‘O’, the font provides the vector coordinates that draw the letter ‘F’ instead. Similarly, ‘a’ draws ‘l’, ‘9’ draws ‘o’, and special Unicode characters like ‘±’ draw ‘i’. The gibberish string Oa9Z±h• in the source code renders as ‘Florida’ on screen.”
Researchers from the DFIR Report also identified that Gootloader now distributes its scripts in malformed ZIP archives. These archives are crafted so that Windows Explorer extracts the malicious JavaScript file, such as ReviewHearingsManual2025.js, while VirusTotal, Python’s ZIP utilities, or 7-Zip unpack a harmless text file named ReviewHearingsManual202.txt from the very same bytes. The archive carries both files but is structurally malformed, so different parsers settle on different members.
It remains uncertain whether this reuses the ZIP concatenation trick reported in 2024, in which two complete archives are appended back to back and extractors disagree over which central directory to honor, or whether it is a new technique aimed specifically at Windows’ built-in extractor.
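The divergence described above comes down to two extractors reading the same bytes with different strategies. The following added example (written for this page; it is not code from the DFIR Report, Huntress, or the Gootloader operators, and it does not reproduce the actual Gootloader sample) demonstrates the general concatenation class referred to in the 2024 report, which the article says may or may not be what Gootloader uses here: two complete archives glued together, with Python’s zipfile honoring the trailing end-of-central-directory (EOCD) record while a forward scan of local file headers surfaces the leading archive. Member names are modeled on the article’s; the file contents are constructed placeholders and the .js stub is harmless. The parser_disagreement check is the practitioner’s takeaway: enumerate members both ways and flag any archive where the lists differ or more than one EOCD record is present.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"   # local file header signature
EOCD_SIG = b"PK\x05\x06"    # end-of-central-directory signature
# 30-byte local file header: sig, version, flags, method, mtime, mdate,
# crc32, compressed size, uncompressed size, name length, extra length
LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")


def build_zip(members):
    """Build one well-formed ZIP archive in memory from {name: bytes}.
    ZIP_STORED keeps the sizes in the local header trivially correct."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_concatenated_zip(leading, trailing):
    """Two complete archives back to back: one blob, two central directories."""
    return build_zip(leading) + build_zip(trailing)


def names_via_central_directory(blob):
    """Strategy A: find the final EOCD record and trust it. This is what
    Python's zipfile does; the leading archive is silently treated as an
    opaque prefix (the same logic that makes self-extracting stubs work)."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [info.filename for info in zf.infolist()]


def names_via_local_headers(blob):
    """Strategy B: walk local file headers forward from byte 0, ignoring the
    central directory, and stop at the first EOCD record. A forward-scanning
    extractor therefore reports the leading archive's members."""
    names = []
    pos = 0
    end = blob.find(EOCD_SIG)  # first EOCD marks where the leading archive ends
    while True:
        pos = blob.find(LOCAL_SIG, pos, end)
        if pos < 0:
            break
        (_sig, _ver, _flags, _method, _mtime, _mdate, _crc,
         csize, _usize, nlen, xlen) = LOCAL_HDR.unpack_from(blob, pos)
        names.append(blob[pos + 30:pos + 30 + nlen].decode("cp437"))
        pos += 30 + nlen + xlen + csize  # skip name, extra field, and data
    return names


def parser_disagreement(blob):
    """Defender's check: an archive whose member list depends on the parsing
    strategy, or which carries more than one EOCD record, is suspicious."""
    by_cd = names_via_central_directory(blob)
    by_lh = names_via_local_headers(blob)
    eocd_count = blob.count(EOCD_SIG)
    return {
        "central_directory": by_cd,
        "local_headers": by_lh,
        "eocd_records": eocd_count,
        "suspicious": sorted(by_cd) != sorted(by_lh) or eocd_count > 1,
    }


# Constructed sample data (not from any real Gootloader archive). The .js
# member is a harmless placeholder string; the .txt member is the decoy.
SAMPLE = build_concatenated_zip(
    {"ReviewHearingsManual2025.js": b'WScript.Echo("placeholder");\r\n'},
    {"ReviewHearingsManual2025.txt": b"Nothing to see here.\r\n"},
)
CLEAN = build_zip({"ReviewHearingsManual2025.txt": b"Nothing to see here.\r\n"})

if __name__ == "__main__":
    print("concatenated:", parser_disagreement(SAMPLE))
    print("clean:       ", parser_disagreement(CLEAN))
```

Run stand-alone, the concatenated blob lists only the .txt member via the central directory and only the .js member via the forward scan, and is flagged; the clean archive agrees with itself and is not. The example models the two parsing strategies, not Windows Explorer itself, so it shows the mechanism of the divergence rather than asserting which member any particular Windows build extracts.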
Finally, the campaign deploys the Supper SOCKS5 backdoor on compromised devices, providing attackers with remote network access. This backdoor is associated with a ransomware affiliate tracked as Vanilla Tempest, known for involvement with numerous ransomware groups including Inc, BlackCat, Quantum Locker, Zeppelin, and Rhysida. Huntress observed that once a device is infected, the threat actor moves rapidly, conducting reconnaissance within twenty minutes and compromising the Domain Controller within seventeen hours.
With Gootloader active again, both individual consumers and corporate users must exercise extreme caution when searching for or downloading legal agreements and templates online. Unless a website is well-known and trusted for providing such documents, it should be regarded with suspicion and avoided entirely.
(Source: Bleeping Computer)