Gootloader Returns: What Goodies Did They Bring?
· Published 06/11/2025 14:16 · Modified 06/11/2025 14:35
Essential information
- Tags: 2025-11-06, alphv, blackcat, gootloader, javascript, lateral movement, noberus, obfuscation, quantum locker, ransomware, rhysida, seo poisoning, supper socks5 backdoor, vanilla tempest, wordpress exploitation, zeppelin
- Related entities: 136 observables, 1 intrusion set (APT), 14 techniques (MITRE), 8 malware
Description
Gootloader, a sophisticated JavaScript-based malware loader, has resurfaced with renewed activity. Operated by the threat actor Storm-0494, it hands initial access to Vanilla Tempest, which then deploys a range of ransomware families. Recent infections have led to domain controller compromise within a short time of the initial foothold. The loader now uses custom WOFF2 fonts with glyph substitution to obfuscate filenames on its SEO-poisoned pages and abuses WordPress comment endpoints for payload delivery. It has shifted to Startup folder persistence and employs extensive obfuscation techniques. Reconnaissance begins quickly after infection, followed by a predictable attack pattern: AD enumeration, lateral movement, and preparation for ransomware deployment. The loader's delivery method and obfuscation techniques have evolved, making it more challenging to detect and analyze.
Related entities
Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.
Observables (136)
Intrusion sets (APT) (1)
- Source: AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138 · Published 21/12/2025 19:34 · Modified 21/12/2025 19:34
Techniques (MITRE) (14)
- NTDS
- Windows Remote Management
- Remote System Discovery
- Malicious Link
- Registry Run Keys / Startup Folder
- JavaScript
- Account Discovery
- File Deletion
- System Information Discovery
- File and Directory Discovery
- Process Injection
- Deobfuscate/Decode Files or Information
- Obfuscated Files or Information
- Exploit Public-Facing Application
Malware (8)
- Family · Published 06/11/2025 14:16 · Modified 06/11/2025 14:16
- Family · Published 06/11/2025 14:16 · Modified 06/11/2025 14:16
- Family · Published 06/11/2025 14:16 · Modified 06/11/2025 14:16
- Family · Published 06/11/2025 14:16 · Modified 06/11/2025 14:16
- Family · Published 06/11/2025 14:16 · Modified 06/11/2025 14:16
- Family · Published 06/11/2025 14:16 · Modified 06/11/2025 14:16
- Family · Published 12/06/2026 21:29 · Modified 12/06/2026 21:29
- Family · Published 06/11/2025 14:16 · Modified 06/11/2025 14:16