{
  "name": "Gootloader Returns: What Goodies Did They Bring?",
  "slug": "gootloader-returns-what-goodies-did-they-bring",
  "description": "Gootloader, a sophisticated JavaScript-based malware loader, has resurfaced with renewed activity. Used by the threat actor Storm-0494, it provides access that is then passed to Vanilla Tempest, which delivers various ransomware families. Recent infections have led to rapid domain controller compromises. The loader now uses custom WOFF2 fonts with glyph substitution to obfuscate filenames and exploits WordPress comment endpoints for payload delivery. It has shifted to Startup folder persistence and employs extensive obfuscation techniques. Reconnaissance begins quickly after infection, followed by predictable attack patterns including AD enumeration, lateral movement, and potential ransomware preparation. The loader's delivery method and obfuscation techniques have evolved, making it more challenging to detect and analyze.",
  "published": "2025-11-06T13:16:38+00:00",
  "created_at": "2025-11-06T13:16:38+00:00",
  "modified_at": "2025-11-06T13:35:46+00:00",
  "created_at_opencti": "2025-11-06T13:16:38+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-11-06",
    "alphv",
    "blackcat",
    "gootloader",
    "javascript",
    "lateral movement",
    "noberus",
    "obfuscation",
    "quantum locker",
    "ransomware",
    "rhysida",
    "seo poisoning",
    "supper socks5 backdoor",
    "vanilla tempest",
    "wordpress exploitation",
    "zeppelin"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "91.236.230.134"
      },
      {
        "id": "",
        "name": "193.104.58.64"
      },
      {
        "id": "",
        "name": "37.59.205.2"
      },
      {
        "id": "",
        "name": "213.232.236.138"
      },
      {
        "id": "",
        "name": "178.32.224.219"
      },
      {
        "id": "",
        "name": "103.253.42.91"
      },
      {
        "id": "",
        "name": "146.19.49.177"
      },
      {
        "id": "",
        "name": "www2.pelisyseries.net"
      },
      {
        "id": "",
        "name": "www.worldwealthbuilders.com"
      },
      {
        "id": "",
        "name": "www.wagenbaugrabs.ch"
      },
      {
        "id": "",
        "name": "www1.zonewebmaster.eu"
      },
      {
        "id": "",
        "name": "www.us.registration.fcaministers.com"
      },
      {
        "id": "",
        "name": "www.smithcoinc.biz"
      },
      {
        "id": "",
        "name": "www.supremesovietoflove.com"
      },
      {
        "id": "",
        "name": "www.pathfindertravels.se"
      },
      {
        "id": "",
        "name": "www.minklinkaps.com"
      },
      {
        "id": "",
        "name": "www.lovestu.com"
      },
      {
        "id": "",
        "name": "www.ferienhausdehaanmieten.de"
      },
      {
        "id": "",
        "name": "www.claritycontentservices.com"
      },
      {
        "id": "",
        "name": "https://yourboxspring.nl/"
      },
      {
        "id": "",
        "name": "https://yoga-penzberg.de/"
      },
      {
        "id": "",
        "name": "https://x.fybw.org/"
      },
      {
        "id": "",
        "name": "https://www2.pelisyseries.net/"
      },
      {
        "id": "",
        "name": "https://www1.zonewebmaster.eu/news/"
      },
      {
        "id": "",
        "name": "https://www.worldwealthbuilders.com/"
      },
      {
        "id": "",
        "name": "https://www.wagenbaugrabs.ch/"
      },
      {
        "id": "",
        "name": "https://www.us.registration.fcaministers.com/"
      },
      {
        "id": "",
        "name": "https://www.minklinkaps.com/"
      },
      {
        "id": "",
        "name": "https://www.ferienhausdehaanmieten.de/"
      },
      {
        "id": "",
        "name": "https://www.claritycontentservices.com/wp/"
      },
      {
        "id": "",
        "name": "https://whiskymuseum.at/"
      },
      {
        "id": "",
        "name": "https://vps3nter.ir/"
      },
      {
        "id": "",
        "name": "https://wessper.com/"
      },
      {
        "id": "",
        "name": "https://villasaze.ir/"
      },
      {
        "id": "",
        "name": "https://usma.ru/"
      },
      {
        "id": "",
        "name": "https://unica.md/"
      },
      {
        "id": "",
        "name": "https://tiresdoc.com/"
      },
      {
        "id": "",
        "name": "https://thetripschool.com/"
      },
      {
        "id": "",
        "name": "https://themasterscraft.com/"
      },
      {
        "id": "",
        "name": "https://sugarbeecrafts.com/"
      },
      {
        "id": "",
        "name": "https://spirits-station.fr/"
      },
      {
        "id": "",
        "name": "https://studentspoint.org/"
      },
      {
        "id": "",
        "name": "https://solidegypt.net/"
      },
      {
        "id": "",
        "name": "https://redronic.com/"
      },
      {
        "id": "",
        "name": "https://patriotillumination.com/"
      },
      {
        "id": "",
        "name": "https://restaurantchezhenri.ca/"
      },
      {
        "id": "",
        "name": "https://ostmarketing.com/"
      },
      {
        "id": "",
        "name": "https://onsk.dk/"
      },
      {
        "id": "",
        "name": "https://myanimals.com/"
      },
      {
        "id": "",
        "name": "https://motoz.com.au/"
      },
      {
        "id": "",
        "name": "https://michaelcheney.com/"
      },
      {
        "id": "",
        "name": "https://medicit-y.ch/"
      },
      {
        "id": "",
        "name": "https://lepolice.com/"
      },
      {
        "id": "",
        "name": "https://latimp.eu/"
      },
      {
        "id": "",
        "name": "https://leadoo.com/"
      },
      {
        "id": "",
        "name": "https://kollabmi.se/"
      },
      {
        "id": "",
        "name": "https://jungutah.com/"
      },
      {
        "id": "",
        "name": "https://influenceimmo.com/"
      },
      {
        "id": "",
        "name": "https://idmpakistan.pk/"
      },
      {
        "id": "",
        "name": "https://hotporntv.net/"
      },
      {
        "id": "",
        "name": "https://headedforspace.com/"
      },
      {
        "id": "",
        "name": "https://gravityforms.ir/"
      },
      {
        "id": "",
        "name": "https://fotbalovavidea.cz/"
      },
      {
        "id": "",
        "name": "https://filmcrewnepal.com/"
      },
      {
        "id": "",
        "name": "https://eliskavaea.cz/"
      },
      {
        "id": "",
        "name": "https://egyptelite.com/"
      },
      {
        "id": "",
        "name": "https://dailykhabrain.com.pk/"
      },
      {
        "id": "",
        "name": "https://cortinaspraga.com/"
      },
      {
        "id": "",
        "name": "https://cloudy.pk/"
      },
      {
        "id": "",
        "name": "https://cargoboard.de/"
      },
      {
        "id": "",
        "name": "https://campfosterymca.com/"
      },
      {
        "id": "",
        "name": "https://buildacampervan.com/"
      },
      {
        "id": "",
        "name": "https://bluehamham.com/"
      },
      {
        "id": "",
        "name": "https://blossomthemesdemo.com/"
      },
      {
        "id": "",
        "name": "https://aradax.ir/"
      },
      {
        "id": "",
        "name": "https://apprater.net/"
      },
      {
        "id": "",
        "name": "http://cookcountyjudges.org/"
      },
      {
        "id": "",
        "name": "https://allreleases.ru/"
      },
      {
        "id": "",
        "name": "https://xxxmorritas.com/"
      },
      {
        "id": "",
        "name": "https://www.supremesovietoflove.com/wp/"
      },
      {
        "id": "",
        "name": "https://www.smithcoinc.biz/"
      },
      {
        "id": "",
        "name": "https://www.pathfindertravels.se/tickets/"
      },
      {
        "id": "",
        "name": "https://r34porn.net/"
      },
      {
        "id": "",
        "name": "https://www.lovestu.com/"
      },
      {
        "id": "",
        "name": "https://espressonisten.de/"
      },
      {
        "id": "",
        "name": "x.fybw.org"
      },
      {
        "id": "",
        "name": "yourboxspring.nl"
      },
      {
        "id": "",
        "name": "yoga-penzberg.de"
      },
      {
        "id": "",
        "name": "xxxmorritas.com"
      },
      {
        "id": "",
        "name": "whiskymuseum.at"
      },
      {
        "id": "",
        "name": "vps3nter.ir"
      },
      {
        "id": "",
        "name": "villasaze.ir"
      },
      {
        "id": "",
        "name": "unica.md"
      },
      {
        "id": "",
        "name": "thetripschool.com"
      },
      {
        "id": "",
        "name": "tiresdoc.com"
      },
      {
        "id": "",
        "name": "themasterscraft.com"
      },
      {
        "id": "",
        "name": "spirits-station.fr"
      },
      {
        "id": "",
        "name": "studentspoint.org"
      },
      {
        "id": "",
        "name": "solidegypt.net"
      },
      {
        "id": "",
        "name": "redronic.com"
      },
      {
        "id": "",
        "name": "restaurantchezhenri.ca"
      },
      {
        "id": "",
        "name": "patriotillumination.com"
      },
      {
        "id": "",
        "name": "ostmarketing.com"
      },
      {
        "id": "",
        "name": "onsk.dk"
      },
      {
        "id": "",
        "name": "motoz.com.au"
      },
      {
        "id": "",
        "name": "michaelcheney.com"
      },
      {
        "id": "",
        "name": "medicit-y.ch"
      },
      {
        "id": "",
        "name": "kollabmi.se"
      },
      {
        "id": "",
        "name": "jungutah.com"
      },
      {
        "id": "",
        "name": "hotporntv.net"
      },
      {
        "id": "",
        "name": "headedforspace.com"
      },
      {
        "id": "",
        "name": "gravityforms.ir"
      },
      {
        "id": "",
        "name": "fotbalovavidea.cz"
      },
      {
        "id": "",
        "name": "filmcrewnepal.com"
      },
      {
        "id": "",
        "name": "espressonisten.de"
      },
      {
        "id": "",
        "name": "eliskavaea.cz"
      },
      {
        "id": "",
        "name": "egyptelite.com"
      },
      {
        "id": "",
        "name": "cortinaspraga.com"
      },
      {
        "id": "",
        "name": "cookcountyjudges.org"
      },
      {
        "id": "",
        "name": "cargoboard.de"
      },
      {
        "id": "",
        "name": "buildacampervan.com"
      },
      {
        "id": "",
        "name": "campfosterymca.com"
      },
      {
        "id": "",
        "name": "bluehamham.com"
      },
      {
        "id": "",
        "name": "blossomthemesdemo.com"
      },
      {
        "id": "",
        "name": "aradax.ir"
      },
      {
        "id": "",
        "name": "apprater.net"
      },
      {
        "id": "",
        "name": "allreleases.ru"
      },
      {
        "id": "",
        "name": "cf44aa11a17b3dad61cae715f4ea27c0cbf80732a1a7a1c530a5c9d3d183482a"
      },
      {
        "id": "",
        "name": "c2326db8acae0cf9c5fc734e01d6f6c1cd78473b27044955c5761ec7fd479964"
      },
      {
        "id": "",
        "name": "c2b9782c55f75bb1797cb4fbae0290b44d0fcad51bf4f2c11c52ebbe3526d2ac"
      },
      {
        "id": "",
        "name": "b9a61652dffd2ab3ec3b7e95829759fc43665c27e9642d4b2d4d2f7287254034"
      },
      {
        "id": "",
        "name": "87cbe9a5e9da0dba04dbd8046b90dbd8ee531e99fd6b351eae1ae5df5aa67439"
      },
      {
        "id": "",
        "name": "ad88076fd75d80e963d07f03d7ae35d4e55bd49634baf92743eece19ec901e94"
      },
      {
        "id": "",
        "name": "7557d5fed880ee1e292aba464ffdc12021f9acbe0ee3a2313519ecd7f94ec5c4"
      },
      {
        "id": "",
        "name": "5ec9e926d4fb4237cf297d0d920cf0e9a5409f0226ee555bd8c89b97a659f4b0"
      },
      {
        "id": "",
        "name": "2f056ce0657542da3e7e43fb815a8973c354624043f19ef134dff271db1741b3"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:d415144b6ac2965c",
        "name": "Supper SOCKS5 Backdoor",
        "slug": "supper-socks5-backdoor"
      },
      {
        "id": "legacy:malware:c27fcffaca174659",
        "name": "Quantum Locker",
        "slug": "quantum-locker"
      },
      {
        "id": "legacy:malware:a41099ae602e864b",
        "name": "Zeppelin",
        "slug": "zeppelin"
      },
      {
        "id": "legacy:malware:0f9a8b4a8bf4943b",
        "name": "Gootloader - S1138",
        "slug": "gootloader-s1138"
      },
      {
        "id": "legacy:malware:57f5f768df634c63",
        "name": "BlackCat - S1068",
        "slug": "blackcat-s1068"
      },
      {
        "id": "legacy:malware:0d729aad6e4a08a8",
        "name": "Noberus",
        "slug": "noberus"
      },
      {
        "id": "legacy:malware:e5d76bf603455f12",
        "name": "Rhysida",
        "slug": "rhysida"
      },
      {
        "id": "legacy:malware:3f7697d87ccd7a64",
        "name": "ALPHV",
        "slug": "alphv"
      }
    ],
    "intrusion_sets": [
      {
        "id": "c623ead8-445c-4907-8576-73ccf5c5ef2c",
        "name": "Storm-0494",
        "slug": "storm-0494"
      }
    ],
    "attack_patterns": [
      {
        "id": "5fad1837-fafc-4be9-808a-b6282e4c3c6b",
        "name": "T1003.003"
      },
      {
        "id": "9643a7e9-771b-4396-83a3-26fcec5200e4",
        "name": "T1021.006"
      },
      {
        "id": "f6ceeba2-b50c-47dc-8642-ab9842ca76d7",
        "name": "T1018"
      },
      {
        "id": "16e4fc82-7c0b-4d1a-b784-b804b4df26dc",
        "name": "T1204.001"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "9322d33b-00c1-4f99-9f1a-a33d93c0dac2",
        "name": "T1059.007"
      },
      {
        "id": "6efb8bea-11d7-418d-a429-9f4a3e6c50f6",
        "name": "T1087"
      },
      {
        "id": "eaff4611-3c78-4127-8745-726f77ed68ba",
        "name": "T1070.004"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      }
    ]
  },
  "external_refs": [
    "https://www.huntress.com/blog/gootloader-threat-detection-woff2-obfuscation",
    "https://otx.alienvault.com/pulse/690cadc6a4a3c3370cc2e697"
  ]
}