Gootloader Returns: What Goodies Did They Bring?
Essential information
- Published: 06/11/2025 14:16
- Modified: 06/11/2025 14:35
- Tags: 2025-11-06 alphv blackcat gootloader javascript lateral movement noberus obfuscation quantum locker ransomware rhysida seo poisoning supper socks5 backdoor vanilla tempest wordpress exploitation zeppelin
- Related entities: 136 observables, 1 intrusion set (apt), 14 techniques (mitre), 8 malware
Description
Gootloader, a sophisticated JavaScript-based malware loader, has resurfaced with renewed activity. Operated by the threat actor Storm-0494, it provides initial access to Vanilla Tempest, which in turn delivers various ransomware families. Recent infections have led to rapid domain controller compromises. The loader now uses custom WOFF2 fonts with glyph substitution to obfuscate filenames, and it abuses WordPress comment endpoints for payload delivery. Persistence has shifted to the Startup folder, and the loader employs extensive obfuscation techniques. Reconnaissance begins quickly after infection, followed by a predictable attack pattern of AD enumeration, lateral movement, and potential ransomware preparation. Because both the delivery method and the obfuscation techniques have evolved, the loader is now more challenging to detect and analyze.