Full Report
The Gootloader malware loader operation has returned after a 7-month absence and is once again performing SEO poisoning to promote fake websites that distribute the malware. [...]
Analysis Summary
# Main Topic
The Gootloader malware loader operation has re-emerged after a seven-month hiatus and has resumed its primary activity: using SEO poisoning to promote deceptive websites that distribute the JavaScript-based malware loader.
## Key Points
- Gootloader was tracked as being dormant since March 31, 2025, following disruption efforts by researchers. It has now returned in a new campaign.
- The primary delivery mechanism involves SEO poisoning to rank fake websites highly for specific keywords (e.g., legal documents, contracts).
- The ultimate goal is to trick victims into downloading a ZIP archive containing a malicious JScript (.JS) file, which then provides initial access for follow-on attacks, frequently leading to ransomware deployment.
- The current campaign is employing several evasion techniques against automated analysis.
## Threat Actors
- **Gootloader Operators:** The threat actor behind the loader operation.
- **Follow-on Actors:** The access gained by Gootloader is often sold to other groups, including ransomware affiliates.
- **Vanilla Tempest:** Specifically mentioned as the ransomware affiliate observed utilizing the resulting access via the Supper SOCKS5 backdoor. This affiliate has previous links to ransomware operations such as Inc, BlackCat, Quantum Locker, Zeppelin, and Rhysida.
## TTPs
- **Initial Access via SEO Poisoning:** Manipulating search engine results to lead users to compromised or attacker-controlled infrastructure.
- **Deceptive Websites:** Impersonating sites that offer free templates for legal documents to encourage downloads.
- **Loader Delivery:** Distribution of a JScript file with a `.js` extension inside a ZIP archive that is presented as the requested document template.
- **Font Obfuscation:** New technique where JavaScript on the malicious website hides filenames by using a modified web font that swaps character glyphs to display readable text (e.g., 'Oa9Z±h•' renders as 'Florida'), obscuring keywords from static analysis.
- **Malformed ZIP Archives (Zip File Concatenation):** Crafting ZIP archives so that they extract the malicious JavaScript file (`.js`) when opened by Windows Explorer, but extract only a harmless text file when opened by analysis tools (like VirusTotal or 7-Zip).
- **Payload Delivery:** Deploying the Supper SOCKS5 backdoor to establish remote access.
- **Rapid Lateral Movement:** Observed post-infection activity shows reconnaissance within 20 minutes and Domain Controller compromise within 17 hours.
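The ZIP concatenation trick above works because a ZIP extractor locates the archive's contents through the End of Central Directory (EOCD) record and the central directory it points to; when two archives are glued back to back, different tools can settle on different records and therefore see different files. The following added example, which is not code from the report or from any of the tools it names, shows a defender-side check: it walks every local file header in the blob independently of the central directory, counts EOCD records, and reports entries that a standards-following extractor would never list. The sample archive, the filenames in it and the ordering of the two glued archives are all constructed for illustration.

```python
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"   # start of every local file header
EOCD_SIG = b"PK\x05\x06"           # End of Central Directory record


def local_header_names(data: bytes) -> list[str]:
    """Return the filename of every local file header found in the blob.

    This deliberately ignores the central directory, so it sees entries
    from *all* concatenated archives, not just the one an extractor picks.
    (A stored payload that happens to contain the signature bytes would add
    a false hit; acceptable for a triage scanner.)
    """
    names = []
    pos = data.find(LOCAL_HEADER_SIG)
    while pos != -1 and pos + 30 <= len(data):
        # Fixed 30-byte header; name length and extra length sit at offset 26.
        name_len, extra_len = struct.unpack_from("<HH", data, pos + 26)
        name = data[pos + 30:pos + 30 + name_len].decode("utf-8", "replace")
        names.append(name)
        pos = data.find(LOCAL_HEADER_SIG, pos + 30 + name_len + extra_len)
    return names


def central_directory_names(data: bytes) -> list[str]:
    """Names as reported by Python's zipfile, which trusts the *last* EOCD."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def analyze_zip(data: bytes) -> dict:
    """Compare the two views and flag archives whose views disagree."""
    eocd_records = data.count(EOCD_SIG)
    local = local_header_names(data)
    central = central_directory_names(data)
    hidden = sorted(set(local) - set(central))
    return {
        "eocd_records": eocd_records,
        "local_header_names": local,
        "central_directory_names": central,
        "hidden_entries": hidden,          # present in the file, absent from the listing
        "suspicious": eocd_records > 1 or bool(hidden),
    }


def build_zip(name: str, content: str) -> bytes:
    """Build a single-entry ZIP in memory (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, content)
    return buf.getvalue()


def build_concatenated_sample() -> bytes:
    """Constructed sample: a ZIP holding a placeholder .js glued to a ZIP
    holding a decoy text file. Which archive a given extractor honours is
    tool-specific; the point is that the two views differ."""
    return (build_zip("Agreement_Template.js", "// constructed placeholder, not malware\n")
            + build_zip("readme.txt", "nothing to see here\n"))


if __name__ == "__main__":
    print(analyze_zip(build_concatenated_sample()))
    print(analyze_zip(build_zip("readme.txt", "plain archive\n")))
```

Running the script on the constructed sample reports two EOCD records, a central directory listing only `readme.txt`, and `Agreement_Template.js` as a hidden entry; a normal single archive reports one EOCD record and no hidden entries. In a mail gateway or sandbox pre-filter, any archive with more than one EOCD record or any hidden entry is worth quarantining before a user's Explorer gets to choose its own view of it.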
## Affected Systems
- **Victims:** Consumers and corporate users searching for and downloading web-based legal agreements and document templates.
- **Infected Material:** Systems attempting to open malicious `.js` files downloaded from ZIP archives.
- **Post-Compromise:** Network infrastructure, including Domain Controllers, once the Supper SOCKS5 backdoor is established.
## Mitigations
- Exercise extreme caution when searching for and downloading legal agreements or document templates from the web, particularly from unknown sources.
- Treat any website offering these templates with suspicion unless it is a known, trusted provider.
- Ensure systems are configured to detect and flag the execution of JavaScript files originating from unexpected documents or archive extraction processes.
- Implement security monitoring capable of detecting rapid internal reconnaissance following initial compromise (e.g., within 20 minutes).
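The two monitoring recommendations above (flagging script-host execution of a `.js` file that came out of an archive, and spotting reconnaissance shortly afterwards) can be expressed as one correlation rule over process-creation telemetry. The example below is added here and is not from the report or from any vendor product; it runs over a handful of constructed process-creation events (Sysmon-style fields, shortened) and raises an alert when `wscript.exe`/`cscript.exe` launches a script from a download or temp folder under Explorer or an archive tool, then counts discovery binaries seen on the same host inside a 20-minute window. The host names, timestamps, paths and the list of parent processes and recon binaries are assumptions chosen for the illustration and should be tuned to your environment.

```python
import re
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = re.compile(r'\.(js|jse|wsf)(?:"|\s|$)', re.IGNORECASE)
STAGING_DIRS = re.compile(r'\\(Downloads|Temp|AppData\\Local\\Temp)\\', re.IGNORECASE)
# Parents that indicate "user opened it from an archive/explorer" (assumed list).
ARCHIVE_PARENTS = {"explorer.exe", "7zfm.exe", "winrar.exe"}
# Common early discovery binaries (assumed list, extend as needed).
RECON_BINARIES = {"whoami.exe", "nltest.exe", "net.exe", "net1.exe",
                  "ipconfig.exe", "systeminfo.exe"}

# Constructed process-creation events; not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2025-11-05T09:12:03", "host": "WS01",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'"C:\Windows\System32\wscript.exe" "C:\Users\jane\Downloads\Agreement_Template\Agreement_Template.js"',
     "parent": r"C:\Windows\explorer.exe"},
    {"ts": "2025-11-05T09:14:40", "host": "WS01",
     "image": r"C:\Windows\System32\whoami.exe", "cmd": "whoami /all",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2025-11-05T09:20:11", "host": "WS01",
     "image": r"C:\Windows\System32\nltest.exe", "cmd": "nltest /dclist:corp",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2025-11-05T09:25:02", "host": "WS01",
     "image": r"C:\Windows\System32\net.exe",
     "cmd": 'net group "Domain Admins" /domain',
     "parent": r"C:\Windows\System32\cmd.exe"},
    # Benign: vendor agent running its own maintenance script from Program Files.
    {"ts": "2025-11-05T10:00:00", "host": "WS02",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'"C:\Windows\System32\wscript.exe" "C:\Program Files\Vendor\maintenance.js"',
     "parent": r"C:\Program Files\Vendor\agent.exe"},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_script_from_archive(ev: dict) -> bool:
    """Script host + script extension + staging folder + explorer/archive parent."""
    return (basename(ev["image"]) in SCRIPT_HOSTS
            and SCRIPT_EXT.search(ev["cmd"]) is not None
            and STAGING_DIRS.search(ev["cmd"]) is not None
            and basename(ev["parent"]) in ARCHIVE_PARENTS)


def detect(events: list[dict], window_minutes: int = 20, min_recon: int = 2) -> list[dict]:
    """Correlate suspicious script launches with follow-on discovery activity."""
    alerts = []
    for ev in events:
        if not is_script_from_archive(ev):
            continue
        start = datetime.fromisoformat(ev["ts"])
        end = start + timedelta(minutes=window_minutes)
        recon = [e for e in events
                 if e["host"] == ev["host"]
                 and basename(e["image"]) in RECON_BINARIES
                 and start <= datetime.fromisoformat(e["ts"]) <= end]
        alerts.append({
            "host": ev["host"],
            "script_launch": ev["cmd"],
            "recon_count": len(recon),
            # A lone script launch is worth a look; launch plus recon is urgent.
            "severity": "high" if len(recon) >= min_recon else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the constructed events the rule produces a single high-severity alert for `WS01` (script launched from `Downloads` under Explorer, three discovery commands within the window) and nothing for `WS02`, whose script host was started by a vendor agent from `Program Files`. The staging-folder and parent-process conditions are what keep the rule quiet on legitimate scheduled scripts; the recon window is the part that turns a "have a look" signal into a page-someone signal.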
## Conclusion
The Gootloader campaign's return signals a renewed threat leveraging sophisticated social engineering (SEO poisoning) combined with novel technical evasion methods (font swapping and specific ZIP malformation) to establish initial access for downstream ransomware activity, notably by the Vanilla Tempest affiliate. Immediate vigilance regarding unsolicited document downloads is required across all user bases.